I spoke recently with Srini Subramanian, a principal in Deloitte & Touche LLP’s Cyber Risk Services practice. He leads cyber for the firm’s state, local, and education segment of Deloitte’ Risk & Financial Advisory practice. In this role, it makes sense that Subramanian serves as a member of the National Association of State CIOs (NASCIO) Security and Privacy Sub-committee. He was one of the main forces behind the 2018 Deloitte-NASCIO Cybersecurity Study, “State governments at risk: Bold plays for change.”
From his perspective, state governments are seeing significant escalation in the volume and seriousness of attacks on their infrastructures. As the report reveals, though, while these governments are investing in cybersecurity in response to these attacks, the efforts may not be adequate to address the threat.
State governments are good targets for cybercriminals. States tend to carry cyber insurance. As the NASCIO report highlights, the number of states carrying insurance has gone up in recent years. So, hackers can get an immediate payoff. This is concerning to almost everyone involved in state cyber defense. “It may be simpler to pay the ransom and get back to work,” said Subramanian. “No one likes rewarding crooks, but the alternative, which may be a massive, time-consuming restoration project, costs more. These governments have a duty to provide services and not overspend public money.”
The problem, as Subramanian points out, however, is the insurance carriers. “How long will they put up with this? If history is any guide, we are likely to see changes in coverage and requirements for the insured.” An insurance company might require a state to establish a cyber risk program, for example. It may expect a state to operate certain kinds of continuous monitoring and have incident response plans and resiliency programs in place.
“They are almost certainly not going to keep shelling out money for hapless governments that don’t defend themselves.” As Subramanian notes, however, it is not entirely fair to blame state governments for their predicament. “These are risks they never thought they would have to contend with,” he said. “And, they have the same money and personnel problems faced by the private sector, but worse.” The NASCIO report reveals that state governments have fewer cybersecurity employees than financial services company, when comparing organizations of similar size.
The attacks on state and local governments are non-trivial, from a national security perspective. They are a critical front in the United States’ cyberwar with other nation states. If a foreign government wants to disrupt American life, shutting down the local fire department will have more impact than, say, hacking the US Government’s Fish and Wildlife Service. Americans live at the state and local level.
This national security angle may lead to state governments getting some federal help for improving cybersecurity. There are also now many new options for making state governments more secure. Some states, like Texas, are enabling its State CISO department to offer Managed Security Service Provider (MSSP) services to city governments. Outsourcing arrangements with firms like Deloitte can also help. “We have the people on staff to monitor a state government infrastructure,” Subramanian said. “It’s more efficient, in most cases, than hiring and retaining state employees. We can augment the state’s team.” In Deloitte’s case, they can notify the state IT department of security issues to fix on a daily basis.
Deloitte’s services also include resiliency planning and implementation for states. “The best response to a ransomware attack is to say, ‘No thanks. We already backed it up somewhere else.’” Subramanian also encourages state governments to collaborate. “This works best as a team sport,” he said. “If one state has an issue, chances are, so do others. Threat intel sharing and shared best practices are a good way to go.”