State and local government can learn from practices currently taking hold in the private sector and at the federal level about the future of their own practices related to cybersecurity.
SAN FRANCISCO — At two separate panels during the 2018 RSA Conference April 17, law and cybersecurity experts seemed to reach a consensus: Everyone everywhere is lagging behind when it comes to defending against cyberthreats. Everyone.
This everyone, obviously, includes state and local government agencies.
The evolving nature of technology, and the ways bad actors use it to commit crime, simply outstrips any way we have to defend against it. There are, however, places where one can glimpse the future of preventive techniques. The private sector and federal agencies provide key pieces that help to crystallize a vision of what state and local government can do to prepare.
One of the RSA panels included legal minds from a private firm that works with chief information security officers (CISOs), as well as counsel from the National Security Agency (NSA), the U.S. Department of Homeland Security (DHS) and the U.S. Department of Justice (DOJ).
Glenn Gerstell, general counsel for the NSA, compared today’s cybersecurity threats to the global influenza pandemic of 1918, wherein nearly every human being on the planet was exposed to infection.
“In this case, I would say what we’re facing is a global cyberpandemic,” Gerstell said. “It’s just about as severe as that disease 100 years ago.”
No one is immune, from private companies to individual citizens to state and local government agencies. This, of course, has massive implications given the changing nature of cybercrime. Whereas many years ago the primary threat was posed by criminals hoping to steal things like credit card information, the ecosystem has now evolved, with the biggest threats often posed by hostile nation states — the four most common being Russia, Iran, China and North Korea, Gerstell said. All told, there are now 30-some countries capable of inflicting cyberdamage.
Gerstell repeated the same set of adjectives several times in describing cyberthreats: “ubiquitous, insidious and consequential.”
Surely there are city governments that can attest to the accuracy of those words. Atlanta, for example, suffered a major ransomware cyberattack that saw the mayor urging any who had done business with the city to monitor their online and financial information. The FBI and DHS were called in to assist, and recovery from the incident extended well into the following month. Oakland and Baltimore have also fallen prey to hackers in recent years.
In a separate panel discussion, Lucy Thomson, a principal with Livingston PLLC who has experience as a prosecutor with the DOJ and as an engineer with private tech companies, discussed Russia’s propaganda-based cyberattack on the integrity of the 2016 U.S. presidential election. Part of that attack also saw the targeting of voting systems run at the lower levels of government.
“As you all know, the voting system is decentralized in the U.S.,” Thomson said. “The pro is that it’s hard to hack local voting systems, but it also means that local officials who may not have the training and expertise to run complex technologies are in charge. It’s almost like a clash of cultures. There’s all this technology we’re all working on, and then these local officials who are responsible.”
Steven Chabinsky, a partner with White & Case LLP in Washington, D.C., advises businesses on data and network security compliance, as well as on risk management. He described our current system of expecting the users of technology — including major private entities — to shore up their own cyberdefenses as “absurd,” calling for the government to take a more active role in protecting its citizenry from hostile nation states. He said this is akin to expecting the people of Flint, Mich., to invest in their own home filtration systems, rather than attempting to fix water toxicity at its source.
Chabinsky also gave advice to CEOs and private company board members that is potentially applicable to members of state and local government agencies as well. Years ago, he said, it was enough for CEOs to put a CISO in place and deem the risk handled. Then, it was enough to make sure the CISO had all the people and resources he or she needed. Now, however, executives must be aware of the nuanced details of cybersecurity, of industry standards and of taking the proper risk mitigation steps.
Some more guidance and help from the feds may be on the way, though. Leonard Bailey, who is special counsel for national security with the DOJ, said he has been working in law enforcement and cybersecurity for 18 years, and he is currently optimistic that the U.S. Congress will pass data breach legislation, something that has been under discussion for many years, but hasn’t come to fruition just yet.
After last year’s Equifax data breach, Bailey said there has been a surge in public interest in passing legislation related to data breaches, be it related to notifying, preventing or responding to one.
“The elements are here, but we’ll see,” Bailey said. “I think there’s some reason for optimism there.”