It has become a truism in the industry that cybersecurity threats are increasingly sophisticated, but in recent years the pace of work has accelerated.
State technology officials told StateScoop that recent advances in generative artificial intelligence, along with the move to zero trust security models and more frequent service outages, have left their services scrambling. Alan Fuller, Utah’s chief information officer, summed up the current state of cybersecurity by saying it’s a “very, very dangerous world,” in which hackers from China, Iran, North Korea and Russia are diligent and creative in continually using new tools.
“We’re a long way from the days when people thought cybercrime was like this teenager hacking the national defense system or something like that,” Fuller said. “That’s not it. We’re talking about sophisticated, professional, well-funded organizations with hundreds or even thousands of people reporting to work every day in a business-like environment to commit cybercrime.”
But government isn’t overwhelmed yet: State officials also said a heightened sense of danger is pushing government, industry and the general public to take cybersecurity more seriously, an invaluable asset in a digital environment where bad actors look for any opening formed by negligence or apathy.
“We had these big oceans that protected us from physical attacks,” Fuller said of traditional warfare. “It’s just hard to get here, and in a place like Utah, especially, an inland state, we don’t think much about armies advancing, but with the rise of the Internet and the rise in cybercrime, a small town in rural Utah can be attacked by criminals from Russia, Iran or North Korea.”
A report from the Center for Internet Security, a nonprofit organization, showed unsurprisingly that cyberattacks against state and local governments increased 148% between 2022 and 2023. Fuller said he noticed recently that email phishing campaigns, a common way for bad actors to steal credentials, have become harder to detect, likely the result of generative AI’s ability to quickly write unique texts that are compelling in human terms.
“We saw an attack involving over 400 emails. No two emails have the same subject, no two emails have the same body,” Fuller said. “And these phishing emails looked like they were written by Nigeria or something – you know, bad grammar, they were fake. These days, phishing emails are good. It’s too easy.”
“Difficult, very difficult, even impossible”
Government agencies don’t just scan their email inboxes. Virginia CIO Robert Osmond told StateScoop that everything about his job has become more complex as technology has advanced in recent years.
“I think computing in general is getting harder and harder,” Osmond said. “Either it’s difficult, or it’s very hard, or it’s impossible. And those are your three choices.”
Part of the increased difficulty, he explained, is that the state has moved away from the once widely used “defense in depth” security model and toward zero trust. If defense in depth is like locking down a house by installing alarms and putting bars on windows, zero trust is like installing cameras in every room.
And while the move to zero trust has proven to be a necessary change, Osmond said one of the troublesome results of the new paradigm is that there are a lot more things for IT teams to keep track of.
“It’s a way of thinking about the problem, it’s a business process on how to approach cybersecurity, it’s a mindset,” Osmond said. “So it’s a pivot, and it’s very common in many places, particularly in banking. They’ve been leaders in understanding this, and I think there’s a lot we can learn in state government to do this more effectively.”
“A little scary”
When CrowdStrike last July released a faulty update to users of its Falcon security software, it disabled numerous computer systems around the world, grounding planes and interrupting news broadcasts. It was not the world’s first major IT outage, but its scale, due to CrowdStrike’s large customer base, was noticed by state and local technology leaders, who are responsible for developing plans to ensure their agencies can continue providing basic services to residents under all kinds of conditions.
Illinois IT Director Sanjay Gupta was among those who couldn’t help but notice the outage, part of a trend he called “a little scary.”
“I think we’re seeing a little bit more of the large service providers experiencing unplanned outages – and it’s not just cybersecurity, it’s widespread – and tend to cause significant disruption,” he said. “The idea was to rely on service providers and they have reliable, robust and resilient services, but it turns out that’s not necessarily the case.”
Adam Meyers, senior vice president of counter-adversarial operations at CrowdStrike, last month apologized for the breakdown before Congress, where he said the company was willing to cooperate with the Federal Cybersecurity Review Committee. He also outlined steps the company will take to mitigate future service drops, including gradually rolling out updates and giving customers more control over how they install updates.
Regardless, Gupta said, the recent outages have made him think more carefully about his assumptions about the technology, and he expressed hope that other policymakers will do so as well. He stressed that it is not acceptable for state governments to purchase redundant products for all their services.
“I think we should all, as an industry, question that,” he said of the companies’ service delivery models. “I’m not saying the models are wrong, (but) I think the industry as a whole needs to look at this and see what can be done to ensure they’re resilient. When you become a major player and a large service provider, I think it’s incumbent on you to have a more resilient service delivery model.”
“Bad things”, good things
“It’s no longer difficult for threat actors to do bad things,” New Jersey Chief Technology Officer Chris Rein told StateScoop.
But he added that the constant pressure placed on the government by its adversaries has not been entirely negative: it has also led to welcome changes in the industry.
The severity and frequency of attacks have made it normal for tech companies to bundle all of their products with cybersecurity features: “It’s no longer an afterthought,” Rein said. And with bad actors managing to attack everything from AT&T to the Los Angeles Unified School District, cybersecurity professionals have had ample opportunity to reflect on the mistakes others have made.
“It is recognized in the cyber world that you cannot fix or improve cybersecurity with technology alone,” Rein said. “You can’t just buy this product, this feature, or this add-on, but it’s now very clear that it’s as much about people and processes as it is about technology.”
The standard of tumult has also upended the nascent cybersecurity insurance industry, whose cost continues to rise and in 2022 increased by more than 25%, exceeding premium increases for all other types of insurance. With rates often reaching into the millions, Rein said he sees more states choosing to put their money into savings.
“We are not one of the self-insured states, but we are thinking about it more than ever with our Treasury Department and our risk management officials,” he said. “Insurers and insurance companies are becoming more aware of it, probably because they’ve been burned a few times and started saying, hey, this wasn’t an anomaly, it was a trend.”
Rein said he’s also noticed insurers are being more cautious. Where they once asked whether one’s state “uses multi-factor authentication,” actuaries now ask a more specific question: “Is multi-factor authentication applied to every user?”
“It’s not secure enough”
State and local governments may not yet have felt the full force of AI-driven cyberattacks, but IT leaders are not short of ideas for defending their networks. They also use the latest technologies to strengthen their cyber defenses, for example by using AI to passively hunt down threats.
Fuller, the Utah CIO, believes the days are numbered for the username and password authentication system.
“It’s just not enough,” he said. “It’s not secure enough. We need to move to a decentralized identity model where the user holds their own credentials. This is a verifiable item, (that is) the issuer with the credentials issues cryptographic codes stored in a verified data registry, there are public keys allowing a user to scan and verify these credentials because the issuer and holder of the credentials are accurate. Without this, our online content will continue to pose a significant risk of fraud.”
In Virginia, Osmond said when it comes to cybersecurity, he reminds himself not to reinvent anything because there are many sophisticated tools already available.
“I get a huge benefit from talking to suppliers,” he said. “It’s their business and their livelihood. … Understand that no provider has all the answers. You’re going to have to talk to a lot of people, but as you put it all together, you discover that everyone has a piece of the puzzle.”
And with all the rapid technological changes, Nevada CIO Timothy Galluzzi said training staff in the latest cybersecurity practices remains one of his most important initiatives. In this regard, he is in the majority. A recent survey by the National Association of State CIOs showed that training was the most common use of federal grants for cybersecurity.
“What we do is really educate our employees to really stick to your processes,” Galluzzi said. “Follow your procedures. If someone is trying to get you out of these procedures, you really need to check them out.”