Mass. CISO Anthony O'Neill on Changing the Cyber Landscape

Massachusetts' cybersecurity chief describes how the state supports counties and cities, what new threats AI introduces to government, and how his legal background impacts public-sector work.

Massachusetts CISO Anthony O'Neill
Government Technology/David Kidd
Massachusetts CISO Anthony O’Neill has been the state’s top cyber official for nearly three years, bringing a background as an attorney to the position. As new technologies like artificial intelligence have rapidly developed, so too have the cyber threats they pose. O’Neill and leaders across Massachusetts are working hard to keep the state cyber safe.

Legal education has given me an ability to look at every issue from a research perspective. Research and analysis are some of the greatest skills you get from law school and practice. Those skills have allowed me to take a deep dive into understanding the regulatory environment for different data classifications and for understanding what federal and state regulators or audit bodies are looking for.

As an antitrust lawyer, I also understand the nuances of the vendor community. We rely so heavily on our security partners, and we have a robust third-party risk program. Being able to delve deeper into those details as well has been inspired by my legal background.

2. How is Massachusetts reducing its known exploitable vulnerabilities?


A little over a year and a half ago, we started to focus on investing our time, resources and people in what I call bending the curve of vulnerabilities — specifically critical and high vulnerabilities that pose the greatest threats to the applications and infrastructure we manage. The governor’s cabinet and all the cabinet secretaries reinforced their messaging about how important it is for their technology teams to work with our office on this. We were really able to formulate an organized approach to reducing critical vulnerabilities across the enterprise.

Our Secretary [of the Executive Office of Technology Services and Security] and CIO Jason Snyder really set the tone at the top. We took a whole-of-state approach, incorporating the legislative and judicial branches as well. Then we created a CISO Council populated by risk- and security-minded professionals across the state government landscape, as well as quasi-government agencies. We wanted to open the door to get as many people that are doing this work together to think it through, talk about it, and advance our strategy to reduce risk and critical vulnerabilities.

3. Do you work with local and county governments?


What we did with our CISO Council across the executive branch we also did regionally with a body we call the Municipal CISO Council. It brings together all of the security- and risk-minded professionals in our state at the local levels, and they meet on a fairly regular basis. We’ve also started holding annual — and possibly now even biannual — conferences that bring together municipalities to focus on success stories, threat intelligence and where we think proper cyber investments need to be made over the coming years.

We also have the MassCyberCenter, which focuses heavily on the municipalities. That has really made a difference and allowed them to work more on where they should be focusing their time, dollars and resources. One of the new developments we’re trying to work on through another organization called the CyberTrust Massachusetts is a security operations center that will then allow these municipal organizations to have access to 24/7 endpoint detection and response, network discovery, vulnerability assessments, software and asset inventory, and more. The idea is to extend out as best we can to bring services that smaller organizations might not be able to afford on their own.

4. What new threats are states facing?


There are now more AI-enabled threats. There’s an internal risk, and that is employees that are downloading any kind of AI tools without those tools having been approved for their use, despite our best efforts to provide guidance and policies around that practice. There’s a risk of government data being used or collected by these third-party AI tools that may not have been approved by an organization’s leadership.

The other AI-enabled threats are on the external side. It’s becoming easier for threat actors to utilize ChatGPT, for example, and to develop some type of campaign that gives a step-by-step road map on what to do to try to exploit a victim organization. That information is getting into the wrong people’s hands, and it’s becoming more accessible. And then, certainly, we’re looking around the corner to how quantum computing can escalate cybersecurity threats.

This story originally appeared in the Spring 2025 issue of Government Technology magazine.