This week, Congress reintroduced the State Cyber Resiliency Act, which encourages state and local governments to strengthen their defenses against cybersecurity threats and vulnerabilities. The bill, originally introduced in 2017, would create and authorize the Department of Homeland Security to run a grant program for states to develop, revise or implement cyber resiliency measures — including efforts to detect, protect, respond to, and recover from cyber threats.
This legislation is good news for local government leaders, businesses and civilians who have been victims of ransomware and other forms of cyberattack targeted at major cities. Local governments are an attractive target for malicious actors, as the massive cyberattack on the city of Atlanta last year and the recent ransomware attack in Albany, NY, demonstrate. As attacks increase in frequency and sophistication, increased funding at the local level is needed for cyber training and for recruitment and retention efforts, ultimately helping to ensure public safety.
Hyper-local attacks, wide-ranging consequences
Just because a cyberattack is focused on one city — or, smaller still, one sector of infrastructure within a city — does not mean the consequences are minor. In the SamSam ransomware attack in Atlanta, the more than week-long event caused major disruption in five of the city’s 13 local government departments and ultimately cost the city $17 million. Citizens felt the impact directly: the system shutdown crippled the court system, limited vital communications involving critical infrastructure requests and forced the Atlanta Police Department to file paper reports. Empowering officials at the state and local level to detect and deter preventable breaches such as ransomware could save millions of dollars in damages.
Legislation: The first step in the right direction
According to a 2018 study from Deloitte and the National Association of State Chief Information Officers, nearly 70 percent of states report they lack adequate funding to develop sufficient cybersecurity. Lack of resources is a common challenge in the private sector as well. However, private sector CIOs and CISOs often have more flexibility to request and obtain additional resources, whereas states are often forced to stay within preapproved budgets. Grants would make local jurisdictions more likely to have the financial assets required to invest in the areas or skill sets they need most.
In addition to the shared problem of insufficient funding, industry and local governments both grapple with a shortage of skilled cybersecurity professionals. This legislation addresses the existing workforce gap by requiring states that receive grants to enhance their own recruitment and retention efforts.
Strategies for state and local security ramp-up
While this bill is pending in the House and Senate, there are ways that state and local governments can begin securing their systems now. The first step should be an audit, allowing key decision-makers to get on the same page about the status of their security. This audit should include secretaries of state, members of the academic community and all cybersecurity staff. Everyone should review the cybersecurity controls in place and the threat vectors that have already been exploited in local systems. Improperly informed stakeholders are the greatest vulnerability.
U.S. election security needs greater state-by-state alignment. Elections are run on a hodgepodge of systems that vary from state to state, including paper ballots, electronic voting machines and Internet voting. Before local elections, midterms and the 2020 presidential election, state officials need to meet with their Boards of Elections and document their end-to-end election process with all of its systems, dependencies and interfaces.
This legislation also addresses the resiliency of critical systems such as power utilities, transportation infrastructure and hospitals. Attacks on these systems can cause major problems for local cities and municipalities. These industries deal with a host of sub-contractors, vendors and partners whose cybersecurity readiness, if not up to standards, can create vulnerabilities for everyone involved. To ensure cyber resiliency, states must think about the impact from top to bottom and require all their vendors and IT organizations to conduct security audits.
The State Cyber Resiliency Act lends needed support to local governments as they continue to ward off attacks. In the interim, states should begin the cyber hardening process. This includes written guidelines and security standards, and educating government employees and local communities through public/private partnerships. Regardless of whether the bill is ultimately passed, the federal government must focus on local and state security: we must have resilient infrastructure at all levels of government — and especially at the state and local level, which is most vulnerable to malicious actors.
John DeSimone is vice president of cybersecurity and special missions at Raytheon Intelligence, Information and Services.