IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

States, Counties Switch Up Cyber Defenses as Threats Build

During the recent Beyond the Beltway event, state and county CISOs and CIOs talked through the process of evaluating vendor cybersecurity, safeguarding elections, managing federal grants and adopting new defense strategies.

Illustration of a computer circuit board with a closed lock in the middle.
Cybersecurity has been steadily climbing on state and local governments’ priority lists, and now Russia’s invasion of Ukraine has made the issue impossible to ignore. Cyber experts warn that U.S. organizations could potentially be targeted by Russian cyber attacks or impacted by the accidental spillover of malware unleashed in Ukraine.

New Jersey saw a 12 percent uptick in attacks from Belarus- and Russia-based actors during the two weeks before March 3, said state chief technology officer Chris Rein during last week’s Beyond the Beltway* event. Most of these were low-level threats, fortunately, but the attempts have spurred government officials to embrace cybersecurity more wholeheartedly.

“The government across the state — we [have] had no tolerance for what used to be seemingly viable excuses [like], ‘Well, the reason we don’t want to put multifactor authentication on is because it’s been an inconvenience as to X, Y and Z,’ or ‘We don’t want to pay for that extra thing because…’ Now [the response is] ‘Nope. It’s security, you’re doing it,’” Rein said.

Of course, many states and localities were working to level up their cybersecurity approaches even before Russia’s invasion upped the stakes. At Beyond the Beltway events, CIOs and CISOs explained their cybersecurity focuses and concerns.

EVOLVING CYBERSECURITY


For Prince George’s County, Md., improving defenses has meant reviewing any new procurements with cybersecurity in mind, said county CIO Wanda Gibson during the second day of Beyond the Beltway. Sacramento County, Calif., CIO Rami Zakaria said his office is also pouring back over existing vendor and developer contracts and reaching out to these partners to understand their security readiness.

More governments are also seeing cybersecurity — and privacy — as big enough issues to require their own dedicated officials.

“[Cyber] is too important to make that one of the things I care about, so it’s the only thing that [New Jersey CISO] Mike Geraghty cares about,” Rein said.

States like North Carolina are seeing cybersecurity and privacy go hand in hand. State CIO Jim Weaver said his state hired its first chief privacy officer in 2021, and she works closely with the CISO on reviewing proposals.

The inclusion of a privacy review alongside a cybersecurity one “is starting to revolutionize a little bit about how we approach certain contracts, how we look at data a little bit differently, things of that nature,” Weaver said. “[For] some of the things, the cyber side said, ‘Hey, that’s okay,’ and then the privacy side said, ‘No, it’s not.’”

MONEY AND NO ONE TO SPEND IT?


Designated federal grants are plumping out budgets — if states can get the rest of the pieces in place to spend the money.

Weaver said that states’ long-running struggles to recruit and retain enough tech talent can prevent them from taking full advantage of the money. States may lack the workforce to make the kinds of updates the grants support before the funding period ends.

“For the first time, I think states can honestly say, ‘It’s not a money issue; it’s a people issue,’” Weaver said.

Using grants also may require IT and cyber staff to stretch beyond their usual skill sets. State auditors will want to see a careful documentation proving the money was well-spent. But providing this tracking and complying with other stipulations attached to the grants can be complicated work, especially for tech leaders unused to handling such sizable grants.

“Most state CIO organizations or state CISO organizations aren’t grant managers,” Weaver said.

SECURING THE MIDTERM ELECTIONS


Midterm elections are fast approaching, and officials are fixated on ensuring they’re cyber-secure and that the public knows they’re cyber-secure. Maricopa County, Ariz., is still dealing with attempts to dispute the 2020 election results despite its many security efforts, and officials are also already preparing for protecting this year’s elections, said Ed Winfield, CIO of the county.

The county’s IT team works closely with the elections department, he said. They provide cybersecurity reviews of elections-related projects and conduct tabletop exercises together that model responses to hypothetical cybersecurity issues like data leaks.

Cyber staff also conduct penetration testing on all elections network equipment.

As another security measure, the elections network on which votes are counted is isolated from the rest of the county’s network in both cyber and physical space, Winfield said.

“Literally, they run the cables along carriers in the room where you can actually trace the wires and all that. We have the official election server in a glass booth … only selected people can get in the room,” he said.

Cyber and elections officials have also been coming together in a “war room,” where the latter oversee elections processes while the technology staff monitor for cyber threats and indicators of dis- or misinformation forming on social media. The cyber team provides hourly updates on any detected threats and their potential impacts.

CYBER FOCUSES


As CIOs and CISOs look to keep tight cyber defenses, they’re turning eyes to a variety of strategies.

Winfield said his organization is looking into adopting deception networking strategies. These see organizations create decoy versions of their databases and other technology assets. The idea is that hackers who breach the network will be tricked into accessing these faked resources — rather than ones that actually harm the organization — and that the targeted agency can watch what the attackers do, to learn their methods and goals.

Widespread use of penetration testing is also of growing importance, as is securing endpoints like mobile devices, Winfield said. Governments are increasingly adopting employee time management apps and other phone and tablet-based tools and so must ensure these devices have the latest software updates before allowing them to connect to official networks.

Rein also highlighted “defense in depth,” a cybersecurity approach that sees organizations rely on multiple layers of defenses — not just one — so that if any one protection fails the other(s) still stand in the way.

*Beyond the Beltway is hosted by the Center for Digital Government, which is owned Government Technology’s parent company, e.Republic.
Jule Pattison-Gordon is a senior staff writer for Governing and former senior staff writer for Government Technology, where she'd specialized in cybersecurity. Jule also previously wrote for PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.