Local governments are also having to contend with how generative AI tools such as ChatGPT change the threat and defensive landscape. In the hands of government, such tools can help ease strains on public-sector staff, but in the hands of scammers, the tools can make for ever-more convincing phishing attempts, said Rita Reynolds, CIO of the National Association of Counties (NACo), in a conversation with Government Technology about the report.
Reynolds stays in daily contact with county IT leaders via the NACo County Tech Xchange, a 3-year-old network that currently includes 1,003 individual members from 615 counties, or 20 percent of the nation’s total.
INSIDER MISTAKES
SolarWind’s public-sector survey respondents said Trojans, spam and ransomware were “the biggest IT security threats,” facing their organizations. That survey, conducted in January and published Tuesday, queried 200 IT decision-makers from federal government, 100 from state and local entities, and another 100 from K-12 and higher ed.
When naming the top threat actors facing them, 58 percent of state and local governments pointed to insiders who were “careless/untrained,” a separate category different from insiders who are deliberately malicious.
The findings show some consistency over the years: State and local governments taking the survey in 2019 and 2021 also dubbed these three as their top threat sources, although the order has shuffled some. While this year’s respondents were most concerned with insider mistakes, 2021’s respondents were most concerned with the general hacking community.
NATION-STATE THREATS
State and local government’s emphasis on foreign government threats is reflected in another study, too. The National Association of State Chief Information Officers (NASCIO) and Deloitte’s 2022 survey of state CISOs found respondents increasingly concerned about foreign state-sponsored espionage. In 2022, 54 percent of CISO respondents listed this as posing a “very high” or “somewhat higher” threat in the coming fiscal year, up from 33 percent who said the same in 2020.
SolarWinds also found foreign governments rising higher among education entities’ worries, with 56 percent naming this as a top security threat. In comparison, only 25 percent of educational respondents said the same in 2021 and 48 percent said so in 2019.
Brandon Shopp, group vice president of product at SolarWinds, said that threat actors who ultimately have their sights set on federal targets might begin their attack by going after lower levels of government. The latter’s more limited resources can mean weaker defenses, giving attackers easier initial entry points before they then move through intergovernment connections to reach their true targets. Similarly, malicious actors might attack one state or local government with the goal of working their way toward another.
“A lot of these [state, federal, local and educational entities] are still very interconnected,” Shopp told GovTech. “So that state, local or educational agency may not be the primary target; they may be the vessel that gets used in order to go and penetrate other parts of government — either moving up into the federal side or even moving into other parts of that state, local [or] education district or region.”
In other cases, state or local government may be the primary target. Their involvement in critical infrastructure like water and — in the case of Texas, electrical grids — can make them valuable targets for nation-states. Educational entities may also prove tempting for attackers looking to steal their stores of personally identifiable information (PII) or steal research from higher education institutions, Shopp said.
CLOUD TRANSITION AND THIRD-PARTY THREATS
State and local governments have increasingly adopted cloud services, which makes them more reliant on those cloud providers’ security measures, Shopp noted. Using a mix of cloud and on-premise services can also add some complexity to IT setups, and the SolarWinds report found 55 percent of state and local respondents reporting “lack [of] visibility across hybrid environments.”
Cyber insurers are also putting pressure on governments to manage third-party risks, often asking policy-seekers about how they validate their vendors’ security, Reynolds said. NACo recommends its members ensure any new or renewed provider contracts include baseline cybersecurity requirements. Those can include committing vendors to undergoing SOC type II audits (to vet the provider’s security and privacy measures), providing timely breach and incident notifications and offering multifactor authentication.
The SolarWinds report also found that 30 percent of state and local respondents were “requesting or planning to request” a software bill of materials (SBOMs) from their vendors. SBOMs are still a developing area, and stakeholders have yet to settle on common standards for designing SBOMs that make it easy for recipients to find the information they need, Shopp said.
STAFFING AND FUNDING
Limited resources are a recurring challenge for lower levels of government. Reynolds said counties are typically unable to compete against private-sector salaries and have been struggling to recruit and retain IT and cyber staff.
“There seems to be a lot more retirements now,” she said. These departing professionals often take with them a decade or two of institutional knowledge and often are replaced by “someone who might stay three or four years.” Plus, like other local government departments, IT has also been experiencing high turnover rates. All this churn makes it harder to consistently and vigilantly monitor for cyber threats.
MissionSquare Research Institute surveyed 319 state and local government respondents between March and April 2022, and its findings echo these concerns. It found that “the state and local government job opening rate [from December 2021 to February 2022] was the highest it has been in over 20 years,” and 69 percent of respondents said IT positions were hard to fill. Pay appears to be one issue, with 54 percent saying the wage compensation they offered employees was not competitive (in contrast, 85 percent said their benefits compensation was). Deloitte-NASCIO’s 2022 survey found 50 percent of state CISOs listing “inadequate availability” of cyber professionals among their top challenges, up from the 28 percent who said the same just two years before.
Shopp said SolarWinds surveys over the past six years have found some organizations continuing to struggle with the same cyber basics and best practices, such as patching. Entities appear aware of what they need to do but have difficulty acting on it. He suggested that organizations struggle to hire enough cyber professionals to meet their needs, and that they also have an inability or discomfort with automating some of these tasks, which could be reason for the persistent challenges.
Generative AI tools, however, may help ease some of the strain of limited staffing, if used with appropriate safeguards, Reynolds said. She said the tools can bring benefits, but that a lot remains unknown because the technology is rapidly evolving.
GENERATIVE AI
Generative AI tools like ChatGPT can help different government departments reduce burdens on staff by assisting them with tasks like drafting code, emails and policies, Reynolds said. She believes the tool is too useful to give up, but that it also needs to be handled with safeguards.
For example, staff should only use generative AI tools with the approval of their managers or departments. They also should avoid entering PII into it (because the tool can leak information when it's typed), and should fact-check its output, given that the tools can make mistakes.
Government cyber teams also must be alert to the ways that malicious actors can wield generative AI. The tools lower the barrier to entry into cyber crime by making it easy to produce convincing phishing emails, for example.
“Individuals who maybe wouldn’t enter into the hacking world because it was a little bit more complicated now can do so, and we’re starting to see that," Reynolds said. "Phishing emails coming through that are even harder to detect, because those that are sending them are using tools like ChatGPT to fix wording and make [them] even more lifelike. That’s a very large threat and a very large priority for counties."
