
Recovery, Risk and Ransomware: NASCIO Kicks Off in Nashville

The National Association of State Chief Information Officers is holding its annual conference — and celebrating its 50th anniversary — by convening state CIOs to crowdsource the most pressing concerns in government IT.

NASHVILLE, Tenn. — The 50th annual conference of the National Association of State Chief Information Officers (NASCIO) Monday brought together IT leaders from across the country to share lessons learned and best practices that can help drive government forward.

Following a morning welcome from NASCIO president James Collins and a series of speed-networking meetings among the record number of attendees, a series of afternoon breakout sessions covered concrete issues that CIOs grapple with each day, including the opioid epidemic, ransomware attacks and reducing risk in gov tech.

Data vs. The Opioid Crisis

The practice of data analytics continues to mature in government, with many in state and local IT turning to visualization tools like dashboards to make the information they hold as useful as possible within agencies, and to the residents and businesses they serve.

Esri Government Strategist Pat Cummens underscored the importance of sophisticated analytics work in an afternoon session on “Dynamic Dashboards: Surfacing Need-to-Know Data Now.” For sectors like transportation, strategic planning, and perhaps most importantly of late, disaster preparedness and response, access to the abundant data streams that are now available can inform situational awareness in real time, leading to better policy decisions.

Lt. Jason Piotrowski of the New Jersey State Police updated attendees at the session on multi-agency efforts in the state to combat the opioid crisis. Piotrowski heads up a unit within the New Jersey Office of Drug Monitoring and Enforcement, but despite his law enforcement role, he shares the view of many fighting the opioid epidemic that arresting addicts won’t stem the tide of opioid-related overdoses. More than 3,000 deaths in New Jersey in 2018 were caused by opioids, which equates to more than eight people every day. “It’s an all-encompassing, pervasive threat,” he said.

In response, the State Police in New Jersey formed partnerships with a number of agencies, not only in law enforcement, but with various health and human services organizations and other groups to form as complete a picture as possible of the situation. All told, more than a million data points were gathered.

“Now you have all this data,” Piotrowski said, “what do you do with it?” The answer was an information-sharing program built by SAS with the capability to do advanced analytics. Among the findings was that two suburban counties, Monmouth and Ocean, had opioid problems the data brought to light. The information surprised officials, but allowed them to pursue additional funding to fight the epidemic’s spread there. And that’s just one example of the data uncovering information that was previously unknown.

“We’re really pushing targeted intervention — data can help us understand who’s most at risk,” he said.

De-Risking IT

Robin Carnahan called herself a recovering lawyer and politician in a Monday afternoon session titled “(Non)Risky Business: Leveraging 18F’s State Software Budgeting Handbook.” The one-time Missouri Secretary of State now runs the state and local practice for 18F, a team of technologists within the federal government that helps public-sector entities get better at delivering tech projects.

Making a strong case for some fresh thinking in how tech projects are done in government, Carnahan pointed to stats from The Standish Group’s CHAOS database, which concludes that large government projects valued at more than $6 million are only successful 13 percent of the time. Data from the same group reveals that projects valued at under $1 million are successful 57 percent of the time. Not perfect stats, but by all accounts, much improved.

The group at 18F put out a handbook in August to help states transform their processes and boost their chances of success on big projects. Recommended best practices include human-centered design, open processes that others can re-use and iterative development that breaks big challenges into smaller pieces. “You can’t predict the future,” Carnahan said, “so you need to be able to change along the way.”

In addition, she offered a series of practical tips to those involved in tech modernization efforts that can help practitioners be heard and understood by budget staff and policymakers making the decisions. One key point to convey is the importance of viewing software as an operating expense, not a one-and-done capital expense. “It needs constant care and feeding; technology is never static and is always going to be changing,” Carnahan said. 

Procurement — a critical element of making IT projects less risky — needs to be simplified in order to attract more vendors into the process. A spirit of openness and collaboration should permeate the culture and everyone involved in it. And that extends to the code used as well. Open source tools can easily be shared and reused. In that spirit, Carnahan offered some additional resources to those who want to explore the practices outlined in the handbook, available on GitHub.

Rapid Response in Texas

Ransomware attacks have loomed large in 2019, hitting state and local government with increasing frequency and generating bigger headlines and costlier payouts.

Texas has not been immune to the epidemic, and on Aug. 16 saw one targeted attack take data hostage across 23 government organizations in the state. In a session called "CYAssets: Preventing and Responding to Ransomware Attacks," state CIO Todd Kimbriel and CISO Nancy Rainosek explained how they went from early morning panic mode to incident resolution in just seven days.

Kimbriel credited the state’s years-long cyberefforts with its ability to resolve the ransomware attack in those 23 jurisdictions so quickly. He said it boils down to two key elements: being prepared and having good cyberhygiene.

Since cybersecurity is now a “not if, but when” necessity, he said, “the plan didn’t happen overnight.”

Texas spent two years building its cyber-response plan, Rainosek said, which, when activated, gives the Department of Information Resources (DIR) access to the state security operations center (SOC), originally put in place to handle natural disasters. Even further back, Kimbriel said he spent four or five years getting the state’s emergency management chief on board with putting cyberattacks in the same category as floods and hurricanes.

On the day of the coordinated attack this August, the first reports of the issue came in around 2:30 a.m. By 10 a.m., when more organizations had reported the same issue, including a critical water system, DIR informed the governor’s office, which declared it an official disaster, a decision supported by the Legislature.

That access to the SOC, Kimbriel believes, is what set Texas’ experience apart from other more damaging cyberincidents, like those in Baltimore, Colorado and Florida.

While the response work was complete after seven days — and as far as DIR knows, no one paid the ransom — that did not mean that everything was fully restored to the affected agencies. The ransomware attack was initially made on a single shared services provider, and while not all organizations using that provider were affected, the 23 that were lacked good cyberhygiene practices, Kimbriel reiterated.

Because the state was able to move so quickly once the incident was reported, there was enough forensic evidence available for the FBI to open an investigation into what happened; Kimbriel reports that they are close to finding the culprit. 

Lauren Kinkade is the managing editor for Government Technology magazine. She has a degree in English from the University of California, Berkeley, and more than 15 years’ experience in book and magazine publishing.