This newsletter visits the recent Colonial Pipeline shutdown and raises important questions about our nation’s approach to cybersecurity, especially for state and local governments. The next commentary will offer some creative organizational strategies for preventing, or at least mitigating, the next crisis, one that could be far more pervasive, damaging and deadly than the Covid-19 pandemic.
There are few issues more boring—and important—than cybersecurity. Most of us have heard or read the word, but quickly dismissed it…until this month’s Colonial Pipeline shutdown.
There is something about running out of gas that gets our attention. The Colonial Pipeline shutdown primarily impacted the nation’s Southeast, where gas supplies dried up and gas pumps were disabled for days. Still, the ensuing panic was a sharp reminder of our national vulnerability to cyberattacks. Since 2019, we have not only endured Covid-19, we have entered a chilling new phase of cybercrime, one for which we are woefully ill-equipped.
Cyberattacks skyrocketed in 2020. Public sector attacks alone rose 50 percent and an estimated 2,400 state and local governments suffered ransomware attacks. The average extortion demand has soared from hundreds to millions of dollars. Cybercrime is no longer just another economic nuisance. As the FBI has proclaimed, it is a national security threat. The bigger story, however, may be the public’s unwillingness to face it and demand a sensible, far-sighted response from their political leaders.
There are many troubling questions about cybersecurity, but one getting far too little attention involves our 90,000 state and local governments. Given their political and jurisdictional fragmentation, how can they protect their services and facilities from cybercrime?
Cybercrime is one of the world’s fastest-growing enterprises. Criminal gangs of all sizes, including cartels, have embraced it. Email phishing, malware, ransomware and denial-of-service attacks can be launched from anywhere. Huge profits, coupled with nominal risk and accountability, are too alluring to ignore.
The cybersecurity industry is growing in response. Cyber-insurance resources. Cybersecurity consultants, law firms and NGOs. Ransomware attack negotiators. Federal agencies and private businesses are boosting their cybersecurity budgets. More entities are scrambling to improve cybersecurity. Given our digital interconnectedness and the growing sophistication of cybercriminals, we can only hope that such actions will suffice.
There are many questions. Is the Colonial Pipeline shutdown the tip of the iceberg? Will the next major cyberattack be even worse? Will our interconnectedness be our downfall? Will the current enterprise-by-enterprise approach save society from the kinds of breakdowns we witnessed this month? If not, how can we improve cybersecurity collaboration and coordination, especially among the nation’s 90,000 state and local governments?
To protect our critical public infrastructure, we need a new organizational model for promoting joint cybersecurity measures from our state and local governments.
There is no dearth of cybersecurity advice. In fact, the menu of best practices is well-established. Better information sharing. Tighter access controls. Improved data management. Segmented networks. Reliable backup capabilities. Continuous performance monitoring. More effective incident response and recovery.
What this menu typically overlooks, and cybersecurity experts are only beginning to recognize, is the importance of organizational strategy. Virtually every recommended cybersecurity measure calls for greater collaboration. It is one thing to improve collaboration within a single enterprise, but it is a far more daunting challenge to improve coordination across many entities, especially state and local governments.
State and local government is too tempting a target. While its political structures are fragmented, its services are wide-ranging and its networks increasingly linked. We need a new organizational model for protecting our infrastructure from cyberattacks, one that overcomes the inherent limitations of our balkanized state and local government structure. We will present this strategy in more detail in the next commentary. Our other commentaries can be found at Civic Way.
- North Dakota state government, with a unified network, is implementing a statewide cybersecurity strategy for all governments, including a multi-agency security operations center, cyber-information sharing, free anti-malware tools and a coordinated threat prevention, detection, investigation & response system
- Texas, under the leadership of its statewide cybersecurity coordinator, is pushing a statewide cybersecurity strategy, including the creation of Texas ISAO (a cyberthreat information sharing and analysis organization), a centralized incident management system and cybersecurity resources for small localities
- Center for Internet Security, Inc. (CIS), a nonprofit cybersecurity leader, supports several cybersecurity initiatives, including MS-ISAC and EI-ISAC
- Multistate Information Sharing and Analysis Center (MS-ISAC) analyzes and shares cyber threat prevention, protection, response and recovery data for state, local, tribal and territorial governments
- Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) provides cybersecurity support to election administrators throughout the US
- Information Sharing and Analysis Organization Standards Organization (ISAO SO), an NGO created in 2015 at the University of Texas at San Antonio, promotes voluntary cybersecurity guidelines and initiatives