Sponsor Content

The Trickle-Down Effect of Renewed Federal Attention on Cybersecurity

When President Joe Biden signed an executive order requiring all federal agencies to ramp up and improve their cybersecurity efforts, it immediately raised the question of whether these requirements would trickle down to state and local governments. Although the order covers only federal agencies, IT organizations across the public sector should expect it to prompt changes in security requirements and strategies.

The implications of this executive order were the focus of a recent Center for Digital Government (CDG) webinar. CDG Senior Fellow Mark Weatherford led the discussion with Helen Patton, advisory chief information security officer (CISO) for Duo Security (part of Cisco), and Joe Morris, deputy chief innovation officer for e.Republic, serving as panelists.

What cybersecurity changes might be coming?

For many state and local government IT teams, the first question is whether the executive order will lead to more stringent compliance requirements for their organizations. According to Patton, the more likely change is an increased focus on system availability due to cyberattacks.

“In the past, federal requirements focused mostly on privacy and data confidentiality. But recent ransomware and supply chain attacks have prompted regulators to recognize that security is also about system availability and integrity,” she said. “A lot of existing regulations don’t address those aspects of security to the same extent as privacy.”

Patton noted it is helpful for agencies to look at the executive order as an outline of what risks should be on their radar, which modern practices they should adopt to improve security responsiveness, and how they should monitor supply chain security. In most cases, the new requirements emphasize implementing core security technologies such as encryption and multifactor authentication.

Another aspect of the executive order will impact many rural and municipal jurisdictions. Weatherford pointed out that critical infrastructure organizations, including public utilities, will need to improve their cybersecurity protections.

Where will the funding come from?

New mandates can be frustrating for government organizations when they arrive without funding to effectively implement them. However, there are multiple federal programs with designated funds to assist state and local governments in improving their cybersecurity posture.

“Everyone’s been saying that cybersecurity is their number one priority, but now we’re getting the funding for it, which has been a big challenge before,” said Morris. “There’s a lot of funding available today and there’s a lot more coming. It’s encouraging to see the connection between the policies and making sure there is funding available to implement them.”

Most recently, the American Rescue Plan Act includes funds to improve cybersecurity within governments. Local school districts and higher education institutions can benefit from security-focused funding in federal pandemic relief programs for education. The major infrastructure bill that was making its way through Congress at the time of this webinar, along with other proposed federal legislation, may also provide funding and other resources for cybersecurity improvements in states and localities.

Public utilities will need to explore how to cover the costs associated with cybersecurity improvements mandated for critical infrastructure. As one opportunity, Morris said that public utilities with an established cybersecurity plan may be eligible for grants from the U.S. Department of Energy to help with cyberattack response and recovery.

Patton reminded the webinar audience that technology investments made to improve operational efficiency often improve cybersecurity as well.

How can a federal executive order improve security at the state and local level?

“Now is the time to have conversations with executive leaders and finance staff to make sure they understand that security requirements won’t be optional anymore, and that citizens will expect this level of compliance as well,” said Patton. “Show leaders that you have a plan to improve security, but help them understand that you won’t accomplish everything overnight.”

One area of growing concern among security teams is the risk of unknown vulnerabilities in the software supply chain — the sub-developers and code components a vendor uses to create a software solution. In most cases, government IT teams don’t have the resources to identify all potential sources of supply chain risk across all software in use. IT will also struggle to keep pace as those risks evolve.

Patton noted the executive order will partially alleviate this burden as vendors meet requirements to strengthen their software development life cycle to reduce supply chain risk. However, given the scale and complexity of software, governments will still need to prepare for a major, disruptive cyberattack on core applications.

“We need to double down on our business resiliency plans, especially for public safety. How will they continue to serve citizens if their access to email or voice over IP is disrupted? We need to do a better job of thinking through all of these scenarios,” she said.

Another reason to strengthen internal security capabilities is to reduce reliance on cyber insurance. Many government leaders have perceived this insurance as a strategy to deal with attacks, especially ransomware. However, insurance may become too expensive or simply unavailable as attacks and payouts increase.

“Instead of putting more money into rising insurance premiums, put it into better cybersecurity controls because I think you’ll see a better return on that investment,” recommended Patton.

What is the outlook for the future?

The Biden administration’s attention to needed cybersecurity improvements is expected to benefit all levels of government.

“We are now reaching an alignment of policy, priority and funding around the understanding that cybersecurity is part of core infrastructure,” said Morris. “So, I’m very optimistic about the future.”

For more information on this topic, view the on-demand webinar here.