Five years ago, 22 small towns in Texas were simultaneously hit with a widespread, coordinated ransomware attack, apparently originating from a compromised managed service provider. Cybercriminals shut down city services including payment processing operations and printing of identity documents. Fortunately, the State of Texas invested in centralizing incident response so these municipalities knew exactly who to call for help and eventually restored these important services.
Today we are witnessing an even greater frequency of such public sector attacks, especially at the state, local, and educational (SLED) levels. A recent report from the Center for Internet Security documented a 148% increase in malware attacks and a more than 50% increase in ransomware incidents from 2022 to 2023.
What is the current status of state and local IT? What are the challenges technology leaders face in maturing their organizations’ security infrastructure, and what resources are available to help?
These are the topics I recently discussed with three CXOs from the states of Oklahoma, Wisconsin, and Arizona at the Zscaler Executive Connect Live “Digital Transformation Strategies for the Public Sector.”
The state of state-level cybersecurity
As security leaders, our panelists articulated the concerns shared by most state and local government cybersecurity leaders. Michael Toland, CISO of the State of Oklahoma, affirmed that staying ahead of the evolving threat landscape is an ongoing challenge. He also observed that the sheer scope of state government – encompassing everything from healthcare and criminal justice to transportation and education – makes it essential to have a dedicated security team on point.
For J.R. Sloan, CIO of the State of Arizona and President of StateRAMP, an important area of focus is empowering and protecting people, both state employees and citizens. “People are our greatest defense and our greatest vulnerability. That’s why we invest in education, training, and awareness for employees – so we can enlist them as our cybersecurity workforce,” he said.
David Cagigal, former CIO of the State of Wisconsin and Zscaler advisor, pointed to the shortage of skilled cybersecurity professionals as a major hurdle faced by many state and local government security programs: “There is a tremendous dearth of cyber professionals. We could use more women in the cyber workforce – in fact, half of the staff should be made up of women. I think they can really do a great job in terms of assisting us in staffing an incident response team.”
Governments are an interconnected ecosystem
Our panelists emphasized how state governments and their local counterparts are closely intertwined and how critical it is for them to harmonize security policy, best practices, education, and solutions. As Sloan pointed out, “All of us as government entities are interconnected. We are part of a larger ecosystem. There are dependencies between us. A bad day for our municipalities and counties is a bad day for all of us.”
Cagigal emphasized the need to cultivate trust and a collaborative spirit among state and local cybersecurity teams to respond to and remediate evolving threats. “There are no boundaries respected by the hackers once somebody gets hit, whether it’s a partner or whether it’s the state next door,” he said.
The role of trust in a whole-of-state approach
Part of that trust building is removing the stigma associated with cyber incidents so that state-level security operations center (SOC) teams can be involved in incident response early. Local governments often lack the resources to effectively deal with attacks and should draw on the expertise of state-level cybersecurity agencies to counteract and remediate incidents more quickly.
“The faster we can get the professionals involved, the better chance we have of a quick recovery,” Sloan remarked. “I have personally noticed a culture shift in that direction in the technology industry as a whole.”
Toland pointed to the value in practicing response and mitigation processes before they become necessary in real life. “Before you have an incident, you need to start bringing people together and talk about the what-ifs,” he said. He also highlighted Oklahoma’s cybersecurity grant program that helps smaller government entities afford “best-of-breed tools of the trade.” Through outreach and building trust, he explained, “We’re trying to make sure that everybody has access to the same grade of tools even if we don’t all choose the same vendor.”
Cagigal noted that, in Wisconsin, the diversity of products in use by local governments sometimes makes it difficult to staff incident response teams because they first have to understand the local entity’s security products and then find the matching skill sets on their incident response team. He also suggested that aligning with the National Institute of Standards and Technology (NIST) Cybersecurity Framework would improve the speed and efficiency of the SOC response.
StateRAMP seeks to unify cybersecurity strategy
StateRAMP was created in 2021 as a non-governmental public-private sector collaboration program to help state and local governments enhance their cybersecurity and manage third-party risk. It is an early-stage maturity assessment tool for cloud products coordinated by a non-profit organization consisting of both government and industry leaders.
The goal of StateRAMP is to define policy and harmonize across solutions and technologies to create a unified cybersecurity strategy that will modernize and protect SLED agencies in the most efficient and effective way possible. Like FedRAMP, a similar initiative at the national level, StateRAMP uses NIST cybersecurity standards in its scoring methodology for assessing vendors and cloud providers.
Before launching StateRAMP, Sloan witnessed the time, effort, and expense involved in assessing cloud-based offerings while he was standing up cloud programs in Arizona. He recognized that most of his peers were trying to solve the same problem. “The value proposition of cloud-based offerings is so compelling that we, as stewards of tax dollars, cannot ignore them,” he emphasized.
In managing that change, he pointed out, it’s important to protect the huge volumes of sensitive citizen data migrating to those cloud environments. “There’s a shared responsibility when we engage these third-party cloud providers,” said Sloan. The objective of StateRAMP is to help mitigate those risks by providing assessment and continuous monitoring to ensure that partners have strong security controls and data protection practices in place.
There are products and vendors that are currently not part of FedRAMP but provide value at the state and local level. StateRAMP brings efficiency to the vendor assessment process by providing a rigorous set of standards for vendors to comply with. Zscaler was the first cloud-based SaaS company to achieve StateRAMP Authorized status, and other vendors have since followed suit.
Cybersecurity is a collaborative effort and a shared responsibility
“One of the wonderful things I see in state government is that we are not in competition with one another, so we’re happy to share what’s working with each other – whether that’s processes, products, or programs – all of that is really open to be shared within the state or across states,” Sloan explained.
Whether sharing through forums such as Information Sharing and Analysis Center (ISAC) and National Association of State Chief Information Officers (NASCIO), or programs like StateRAMP that engage both public and private sectors, collaborating to protect critical infrastructure and sensitive data is in everyone’s best interest.
“We can look at StateRAMP as being a governing body for us. It’s voluntary today, but it has tremendous value, and I’m glad Zscaler is part of that and was involved very early on,” said Sloan.