"The view that everybody pretty much adopts nowadays is, it’s not whether or not you’ll have a penetration, but how are you going to respond to it?” said Texas Chief Information Officer Todd Kimbriel at the Texas Digital Government Summit earlier this year. IT leaders in government are universally challenged by this and other questions about cybersecurity, like how to develop an effective cyberstrategy and how to find the budget to pay for it.
To make this defense easier, in July the Texas Department of Information Resources launched what it’s calling a Managed Security Services (MSS) contract in collaboration with AT&T. What the MSS does, in the simplest of terms, is give state agencies, local governments, school districts and other public entities the ability to opt into a broad and comprehensive selection of cybersecurity services, essentially using and also paying for them as needed.
The list of available services includes security monitoring for breaches, device management, risk assessments and much more. With the MSS system, governmental organizations within Texas can access those services on an individual pay-as-you-go basis via the state’s master contract, rather than having to build their own cybersecurity expertise and infrastructure from scratch. The state, rather than individual users of services, is also responsible for tracking vendor performance.
The new pact with AT&T will also enable agencies to comply with House Bill 8, the Texas Cybersecurity Act, approved during the last legislative session. The bill requires state agencies to do a cybersecurity assessment every two years. But DIR, which typically funds around 15 of these assessments through administrative fees, received additional general revenue from the Legislature — and will now fund as many as 40 assessments per year through the new contract.
“We are absolutely focused on injecting a risk mitigation evaluation strategy, so that every dollar that we invest is really targeting the high-probability, high-impact risk that we have,” Kimbriel added.
All indications are that the MSS concept will likely spread to other states, with independent cybersecurity experts saying the cost-efficient nature of the system — as well as the searing importance of guarding against cyberthreats — indicates this move will be worthwhile.
The MSS’ offerings can be split into three major components: security monitoring and device management, incident response, and risk and compliance. Each of those areas then includes a subset of more specific cybersecurity-related services for jurisdictions to choose from, wrote Nancy Rainosek, Texas’ chief information security officer, in an email.
Security monitoring and device management include services such as Web application firewalls, intrusion detection and prevention, and end-user device management. There is also a threat research component. Basically, this is the most practical of the three areas, containing the tools that keep actual threats at bay.
Incident response, meanwhile, is made up of a subset of services that jurisdictions can use to prepare, and respond to an attack after it has occurred. These include security incident management and digital forensics to identify in detail what happened. Risk and compliance is the final category, and it includes testing and assessment tools that jurisdictions can use to evaluate the maturity of their cyberposture.
Texas officials reported that roughly six weeks into the life of the MSS contract system, the state had almost 30 state agencies participating so far, as well as five universities, one community college and one local government entity. All told, there had been 55 requests for cybersecurity services, several of which have already been completed.
Cybersecurity experts are bullish on this new system, citing its seeming ability to make better protections affordable for public agencies, as well as its potential to eventually be tailored for and adapted by other states.
Cory Fleming is a program director with the International City/County Management Association. Fleming said that for smaller organizations, jurisdictions or agencies, cybersecurity is just as important as it is for larger counterparts, yet smaller entities often have fewer resources with which to defend themselves.
With that in mind, the MSS model’s inherent ability to foster the sharing of resources has the potential to be a major benefit for individual agencies, said Fleming, who noted this was a new and unique approach.
Strength-by-sharing benefits are certainly a consideration for Texas and its corporate partners at AT&T. Texas has noted that some of its agencies have the resources to manage cybersecurity in-house but others do not. The ones that don’t can trust that the state has already vetted the services available through the contract.
In addition, those handling the services can take a holistic view of the cyberthreats Texas faces. If one service detects a threat to one agency, that becomes instant intel about that same threat elswhere.
Another benefit is that it all leads to a better price for protection. The agencies using the MSS system need only pay the costs for the individual services they use, rather than paying a larger bill for a holistic cyberdefense infrastructure.
For the agencies, simplicity of use is a benefit too. Staff and officials from public organizations who use MSS just have to go to the DIR portal, select the services they need and place an order. This has the ultimate result of freeing individual organizations of the need to focus as much energy or expertise on cybersecurity, returning instead to their primary mission and business functions.
The potential for this to be adapted in other states is high, according to stakeholders and outside experts.
Fleming said the public sector has a long and ongoing history of sharing ideas and services, given that the challenges and threats faced by one entity are often the same or similar to those faced by others.
“I can see this being something that pops up all across the public-sector radar screen,” Fleming said.
Officials from AT&T echoed as much, noting that while no two jurisdictions or public agencies are exactly alike, they all tend to face the same landscape of threats. George Spencer, AT&T public sector assistant vice president for Texas, said that even the size of the agency is relatively immaterial, given that smaller agencies tend to have less expertise while larger agencies tend to face a higher volume of attacks. Both face challenges this system can alleviate.
Chris Roy, AT&T’s vice president of government education client group, agreed, saying the company believes this is a solution that can and will spread to other states.
“There’s no reason to think the states wouldn’t share this, and that other states wouldn’t see this idea and grab onto it,” Roy said. “The discussions we’re having with several other states, frankly, are in the discovery stage. They’d like to understand what the state of Texas is doing.”
As Kimbriel shared in May, a new spirit of transparency has made its way into public-sector cybersecurity — a major shift from the status quo when he first came to the state’s Department of Information Reources in 2008. Within Texas and beyond its borders, people now accept that organizations are “stronger by sharing.”
Reporting from Staff Writer Theo Douglas contributed to this story.