Protecting Citizen Data in a Zero-Trust World: Cybersecurity for State and Local Governments
In this Q & A, Peter Romness, Cybersecurity Principal, US Public Sector CTO Office, Cisco Systems, and Steve Caimi, Public Sector Cybersecurity Specialist, Cisco, describe how zero-trust strategies can guide how leaders think about securing citizen data.
We learned of a significant intrusion into federal systems at the end of 2020. What should state and local governments take away from this event?
Caimi: A lot of times, we think of cyberattacks coming from the outside, like nation-states, or from insider threats. But it is easy to lose sight of all the trusted relationships that state and local governments have with vendors, suppliers and service providers. We have known that trusted relationships and supply chains are ways organizations can be breached. This attack brought that to the surface.
Romness: For a long time, state and local governments focused on how they can protect their networks through technical means and by training their employees. There has always been the need to ask the same questions of their suppliers, and that has bubbled back to the top now.
State and local governments rapidly shifted to remote work and digital service delivery last year. What will be the lasting impacts of these shifts on their overall cybersecurity posture?
Romness: Citizens are getting used to the idea of doing things online. The more state and local governments can accommodate that, the better they will look to their constituents. But they must think about how they are going to secure these services.
Caimi: When we talk about the basics of security — confidentiality, integrity and availability — all these things need to be the same regardless of where employees work or how citizens access government services. It is worth looking at new trends in cybersecurity, including zero trust.
How do governments’ best practices for cybersecurity need to change?
Romness: A colleague called zero trust a “lifestyle choice” — something that helps guide your decisions. When you start applying it to all the things happening in the world, it tends to fit very well.
Caimi: We all know there is not much of a perimeter anymore and we should not associate something being inside as being secure. But we must also secure things on a per-session basis — each time you access a network, you must prove yourself trustworthy with authentication and authorization. It must be dynamic. When you look at the principles of zero trust against the backdrop of the cybersecurity challenges of today, there is a lot for governments to learn.
What questions do government leaders need to ask their vendors and partners to ensure their systems are — and remain — secure?
Caimi: You want to get to the heart of how the organization protects its own data when you hand over a lot of important information about your agency. Any technology in your environment is impacting citizen data. You have to understand how they build in security. Put the pressure on vendors and suppliers to be upfront with you about how they treat data and how they go about making things right when things go wrong.
Romness: Whenever you do business with a cybersecurity vendor, it is up to them to provide clear answers — even before you ask, they should be saying “this is our trust and security policy, and this is how we handle things.” And they need to be a strong enough vendor to stand up when something happens.