Can local governments’ cyber flaws be fixed?
- By Stephanie Kanowitz
- Sep 14, 2020
With Nov. 3 fast approaching, city and county officials recognize the importance of securing elections, while struggling to ensure they can, an expert says.
“Everybody is so resource-constrained right now,” said Mike Hamilton, chief information security officer at CI Security, a cybersecurity firm specializing in protecting local governments. “Budgets are tightening, people are losing staff…. For the most part, the larger ones are in better shape financially, but there are a lot of counties in the United States, and as things are contracting, they have even less access to qualified people that know how to deal with security.”
Support is available from the federal government, but it’s not enough, he said. For instance, the Homeland Security Department’s Multi-State Information Sharing and Analysis Center (MS-ISAC) provides real-time network monitoring, threat analysis and early-warning notifications through a round-the-clock security operations center. Similarly, the Cybersecurity and Infrastructure Security Agency (CISA) offers free Cyber Resilience Reviews to assess enterprise programs and practices across 10 domains, including risk and incident management. But if a locality lacks a security point person, that assistance could be moot.
“There’s not a lot of information security officers in local government,” Hamilton said. “In my experience … there’s nobody that’s been assigned to be responsible and accountable for security” at smaller governments.
High-profile cyber incidents such as the ransomware attacks that shut down Baltimore and Atlanta have made localities more aware of the threats, but without staff and budgetary resources, their ability to take action is limited.
A regional monitoring project is one solution to these challenges, said Hamilton, who started one when he was CISO for Seattle from 2006 to 2013. That project involved the real-time monitoring of nine cities and counties, six maritime ports on the Puget Sound and several hospitals. All the results were presented on one dashboard, and the team was able to alert their homeland security fusion center – a state-owned and -operated center that received, analyzed, gathered and shared threat information -- to particularly worrisome data.
CI Security, which Hamilton co-founded, replicates this idea by monitoring small cities and counties for free in return for collecting data from their networks and using it as real-time curriculum for universities. It works with with the Public Infrastructure Security Cyber Education System, DHS’ Science and Technology Directorate and CISA.
“There are two problems we are trying to address here,” he said. “No. 1 is local governments don’t have a lot of money, and they’re easy to knock over,” he said. Moreover, they’re involved in critical areas such as water purification, waste treatment, 911, elections, traffic management, communications for law enforcement and public safety, and they aren’t getting help, he said. “But if we can go out and monitor them for free, we get infrastructure protection [data], and if we bolt all that onto universities, university students are getting this live-fire training. And when they roll off the assembly line, they are much more prepared to go out and do the work that we need them to do.”
There are two steps that governments can take immediately to improve their cybersecurity posture, Hamilton said. The first is to implement multifactor authentication, which is underused at local levels. One reason why is that not all county and local governments use the dot-gov domain, which would require the use of multifactor authentication.
The second step is to rescind the de minimis use policy that states that government workers may use government technology for personal activities as long as it doesn’t cost more, cause a security problem or affect productivity.
“I can prove it does all three,” he said. “If they would … rescind the policy of de minimis use and make all personal use on a personal device, a whole bunch of problems would be driven off a cliff.”
Hamilton pointed to Microsoft as a bright spot in terms of county and local government security. Many agencies use the company’s technology, which includes monitoring products such as Microsoft Defender Advanced Threat Protection. “That gives good telemetry to distributed endpoints,” he said. “That’s a real help.”
Ultimately, he said, the onus is on the federal government to support state and local agencies. A standard reporting structure on local government attacks would bring insight into the breadth of the cyber issues.
“If there was some kind of clearinghouse that was focused on events in local government -- specifically, sharing with local governments -- I think that would really help to move the needle,” Hamilton said. “Their inability to properly resource these kinds of things becomes very much more obvious when you see what’s happening around you and to you.”
Stephanie Kanowitz is a freelance writer based in northern Virginia.