A Holistic Approach to Cybersecurity Risk

Information Technology (IT) enables government and private sector services at all levels to deliver healthcare, treat wastewater, facilitate the administration of government and emergency services, and more. It is difficult to find a facet of modern life that IT does not enable. Therefore, securing these technologically enabled processes is critical to operating business and government. Unfortunately, some may consider cybersecurity an “IT thing” rather than a core business process that involves the entire organization.

Cybersecurity may conjure thoughts of a room down the hall with the servers in it. General awareness about not clicking on phishing links seems to be increasing. However, those in leadership may not think about the consequences of the network going down. For example, consider the impact of a disruption at the local Public Safety Answering Point. Effective processes may or may not be in place to continue this critical function. This example is not merely theoretical. In 2016, Henry County, Tennessee, hackers shut down their computerized dispatch system, requiring all emergency calls to be tracked manually until the system could be restored. This was among the first known attacks on a 911 center, but others followed, including an attack that disrupted several 911 centers across the country.

Similarly, effectively delivering on an agency or department’s mission would be challenging if ransomware locked up all records, data, and systems. These systems provide access to Internet Protocol-based cameras, communications devices, and access control devices. In one of the costliest cyber incidents to hit a municipality, the City of Atlanta experienced a ransomware incident in 2018 that disrupted utility payments, traffic tickets, business licenses, and several law enforcement functions, including writing incident reports, processing inmates, and issuing warrants.

Addressing Challenges

Federal, state, and local governments have established more robust cybersecurity postures to address these concerns. They are helping safeguard national, state, and local critical infrastructure from cyberthreats that could disrupt essential functions. However, as technological innovation and change advance, they must continue to advance their cybersecurity efforts proportionate to the risk. As a global challenge, vulnerabilities are increasing as communities continue to add network infrastructure, applications, Internet of Things devices, medical devices, industrial control systems, and other items on the network. These applications, devices, and systems may be layered on top of older, outdated, or more vulnerable technologies. Investments must continuously advance to keep up.

One of the primary challenges confronting state and local governments is that resources dedicated to cybersecurity often face significant competition for funding amid tight budgets. Despite having support sources like federal grants for state and local governments, states and localities often report having insufficient funding to keep up with the changing cybersecurity risk landscape. There are many ways to address these challenges, and many innovative approaches have been implemented. For example, the State of Texas Department of Information Resources provides cybersecurity services, including setting state information security policies, standards, and best practices, assisting with the improvement of cyber incident preparedness, and facilitating information sharing, among other resources. Similarly, the Cybersecurity and Infrastructure Security Agency (CISA) maintains the CISA Resource Hub and provides cyber and physical security assessments, cybersecurity workshops, and guidance on prioritizing vulnerabilities via the Known Exploited Vulnerabilities Catalog.

Asking the Right Questions

In an environment of limited resources, prioritization is essential. One key aspect of this prioritization is creating a collaborative environment where leadership and IT understand what cybersecurity efforts are integral to the continuing delivery of the most critical services. Following are some non-technical questions for leaders across jurisdictions to ask when prioritizing cybersecurity:

• Interdependencies – What IT-enabled business processes and services would most impact our mission if disrupted? What data is most critical to protect? What IT systems do that data reside on? Is there a complete inventory?
• Security efforts – How do we protect those processes, services, and data? Are the security controls we have in place working? Have we assessed them? How many of my systems and business services are currently vulnerable to disruption? Are we engaged in any “Bad Practices”?
• Response capabilities – How would we respond in case of a disruption? Do we have a cyber incident management plan? Have we tested it, and is it up to date? Does our continuity plan account for a cybersecurity disruption?
• Preparedness – Are we ready for ransomware? Do our backups meet our restoration needs? Are they securely stored offline?
• Budget – Given any identified gaps, is our budget adequate for the task of securing our most critical services? Where should we invest more?

Answering these and other questions provides a better understanding of the mission-critical disruption risks from a cybersecurity event. Prioritizing the most critical processes can assist in effectively leveraging services from sources like the Texas Department of Information Resources, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the CISA.

Cybersecurity challenges for governments in the United States are complex and multifaceted. Overcoming these hurdles requires a concerted effort focusing on prioritization, collaboration, and effectively leveraging resources from partners. As governments continue to adopt new technologies to serve their communities, safeguarding against cyberthreats becomes necessary to ensure the resilience and security of critical infrastructure and core services. By working together, decision-makers can better understand, strengthen, protect, and sustain essential services that impact daily operations.