State and local governments need to to adopt a more “whole-of-state” approach to cybersecurity, involving all levels of government in policy and strategic planning in order to better protect critical infrastructure, according to a report published Thursday by the Multi-State Information Sharing and Analysis Center.
The report urges state and local governments, which are often responsible for managing critical infrastructure assets, such as water treatment facilities and transportation systems, to focus on building trust in public institutions through communication, strengthening cybersecurity in small and rural communities through information sharing and workforce development, and addressing internal security threats such as limiting access to system controls.
Robert Beach, chief technology officer for the City of Cocoa, Florida, told StateScoop that government agencies of all levels need to shift their perspectives.
“We got to stop looking at [cyberattacks] as just an attack on the city or county, you know, what they did wrong?” Beach, who is a member of the MS-ISAC’s executive committee, told StateScoop in a recent interview. “It needs to be looked at at the federal level because an attack on these communities, on the critical infrastructure that’s providing services to American citizens, is an attack on the nation.”
The Cybersecurity and Infrastructure Security Agency defines 16 sectors as critical infrastructure, where systems and networks are considered so vital to the United States that any disruption to their operations would have crippling effects on national security, economics, public health and safety.
Terry Loftus, chief information officer for the San Diego County Office of Education, said robust communication and information sharing networks that include all levels of government are essential in a whole-of-state approach to cybersecurity.
Loftus said that in his experience, education institutions without dedicated cybersecurity experts or strong cyber policies often don’t discover attacks right away.
“The most common way a school district knows that they have been a victim or have been attacked is via the threat actor calling up or emailing and saying, ‘By the way, I have ransomed your data,’ or ‘We have stolen or exfiltrated your data,’” said Loftus, who also sits on the MS-ISAC committee. “If that’s the first time you’re getting a warning that something’s wrong, it is way too late.”
Both CISA, and the Center for Internet Security, which houses the MS-ISAC, have seen cuts in recent weeks. CISA has dozens of staff in its elections security division transferred or fired, while CIS lost part of its cooperative agreement with DHS. The MS-ISAC has so far been unaffected.
Loftus said the Center for Internet Security and its MS-ISAC serves as an important cybersecurity resource for the country’s state and local governments, and that it should continue to be funded.
“The mission has always been that cyber security is not political in any way. It’s about serving and protecting Americans and our communities,” Loftus said, in reference to Kristi Noem. “The fact of the matter is we are separate and distinct. This is an organization that, in a way, is outside of all of that.”
The report says state and local governments must reduce their security vulnerabilities, such as by reexamining who has access to their networks and system controls and ensuring that when someone leaves, their credentials are disabled.
“An insider threat could also be a disgruntled employee who’s not happy with what’s going on and say, ‘I’m going to get back to the at the organization’” Beach said. “They could go out to the dark web and get a ransomware as a service to try to attack the organization.”
Loftus said internal threats don’t have to be malicious, because they can also happen by accident, such as employees clicking on phishing emails or unknowingly deleting critical data.
“We commonly at MS-ISAC think about how are we setting up systems and structures so that folks, whether they’re have good intent or not, and are really limited in the damage or harm that they can do,” Loftus said.
MS-ISAC plans to release a second volume of the report in early March with more detailed findings.