Like cybersecurity forces in states across the nation, Oklahoma’s team has been adjusting over the past 13 months to new realities caused by international tensions and the risks inherent to a digitally dependent public workforce. For the Sooner State, that’s meant adopting new defensive technologies as well as forging new threat intelligence collaborations and communication practices, CISO Matt Singleton told Government Technology.
“People are buying into the thought that cybersecurity is community effort,” he said.
Sharing threat intelligence
Oklahoma started issuing regular cybersecurity briefings through Microsoft Teams — alongside ad hoc emergency briefings like the one sent Tuesday — in January 2020 as U.S.-Iran tensions rose, and the effort drew strong interest, Singleton said.
“From the first brief to the second brief — which was just a couple of weeks — our attendance doubled,” he said. “We started having folks coming out of the woodwork saying, ‘Hey can we get in on this? What do we need to do to participate?’”
That led Oklahoma to launch a threat intelligence sharing organization in October 2020, the Oklahoma Information Sharing and Analysis Center (OK-ISAC). The entity reaches across sectors to provide cybersecurity support and foster information sharing among members. Participants range from K-12 schools to private corporations and law enforcement, something Singleton says is rare for ISACs, which tend to be industry-specific.
Over the past 13 months, the state also built out an intelligence unit within Oklahoma’s Cyber Command to analyze threats and create products that it can push out to ISAC members in real time. The ISAC’s broad membership not only means the state can reach further with those supports, but participants also are starting to actively share their own threat intelligence as well, enabling greater visibility across the landscape.
“Before we had the Oklahoma-ISAC in place, you had a few organizations that had some idea of threat intelligence, but it was very siloed,” Singleton said.
Those divisions are now being broken down and data sharing can help all members’ security. Supports like these can be especially appealing to public school systems and other smaller-scale government agencies that tend to lack the IT and cybersecurity staff and resources to mount strong defenses.
Oklahoma’s energy companies, too, may particularly benefit, given that Singleton said hackers often regard those firms as lucrative targets. Still, he had initially been concerned that private firms might be reluctant to join the ISAC and open up about their own cybersecurity situations.
“I thought there might be some hesitancy because if you’re sharing problems that you’re having from a cybersecurity standpoint, you might be giving up a competitive edge or you might be giving a competitive edge to somebody else,” he said. “But we haven’t really seen that.”
OK-ISAC is also now looking to interstate collaborations, with plans to soon conduct regular cybersecurity intelligence and resources sharing sessions with neighboring states Arkansas, Colorado and Texas through a program dubbed Operation TACO.
Safeguarding remote work
The past year also has forced Oklahoma to refresh its approach to cybersecurity and the tools it leverages. That included rethinking how to safeguard systems once the shift to remote work moved staff outside of the state’s on-premise protections.
“The big work-from-home push hit us mid-March of 2020 and really caused us to have to reconsider how we were doing our cyber defenses in general,” Singleton said. “We basically changed our entire cybersecurity posture.”
The state now needed to secure each endpoint, and one serious worry was that staff logging on from home were no longer protected by the enterprise’s proxy server.
“[Without it] when end users go to sites, there’s nothing to say, ‘This is a known good or known bad site,’” Singleton said.
The state has recently been finalizing implementation of a proxy that is host-based, meaning that it no longer matters where employees are connecting from. He noted that this new approach could also smooth the return of staff to the office as they will not need to refresh themselves about on-site security approaches.
