Government Technology

At Issue: Cyberwar Declared, Local Governments Enlist

July 11, 2012 By

Utah Gov. Gary R. Herbert — responding in May to a cyberattack on the state’s health and Medicaid data that accessed some 800,000 records — called cybersecurity the “modern battlefront.” A release on the governor’s site said, “cyberattacks on public information systems have increased 600 percent this year, resulting in nearly a million attempts daily by cyberterrorists or hackers to infiltrate the state IT network.”

Herbert is not alone in his concern. National Security Agency Director Gen. Keith Alexander, who is also head of the U.S. Cyber Command, said in an address at the American Enterprise Institute that the losses from cyberespionage are the "greatest transfer of wealth in history." Alexander cited Symantec estimates that intellectual property theft cost the U.S. $250 billion per year, and McAfee statistics that $1 trillion was spent last year in remediation. “That is our future disappearing in front of us,” said Alexander.

Local governments are likewise under attack, and smaller cities and counties are especially vulnerable, many being short staffed and lacking a chief information security officer (CISO). Seattle CISO Michael Hamilton said he sees an increase in targeted attacks on the city and in the region. “And frankly, we see a lot of countries with very dubious law enforcement controls, knocking on our door all the time.”

Hamilton said that while attacks are increasing, one of the biggest vulnerabilities is the exponential increase of end points. “This bring-your-own-device stuff and the proliferation of consumer devices that are now everywhere around us, we don’t have control over anything resembling a perimeter. … The horse has left the barn.” So now, it’s important to focus resources on assets that are critical infrastructure to city and county government, he said. “We manage transportation, all the signal timing, signage, cameras — that’s a big IP network. We manage communications that tie together different law enforcement organizations. We deliver energy, water, we remove sewage, and those are all control systems.”

Under those circumstances, said Hamilton, “It’s very important for us to quit thinking about ‘How am I going to control every one of those end points?’” Instead, Hamilton is building what he calls “mini-moats” around critical infrastructure, requiring that staff members who use personal devices do so through a mobile device management platform, participating in a regional consortium of local governments, and using available federal government resources to monitor and share information on attacks and vulnerabilities. In addition, enforcing standards and making common-sense policy are key. Building a proactive strategy is important, he said, because there are no security standards for local government, only what he calls the “stick approach.”

“In local government we don’t have regulatory requirements. Nobody says, ‘Here’s this standard you need to meet.’ The only thing that is in place is the stick: If you lose these kinds of records, you are going to have to pay a lot of money and go fall on your sword. I don’t think ‘stick only’ is a good way to go; I think we could use a few regulatory requirements.”

But Hamilton said there is good news as well. Local governments are doing a lot of things right, such as regionalizing and embracing shared services, which allows pooling of security resources. King County, Wash., for example, has a multifactor authentication system that any of the region’s jurisdictions can use. And jurisdictions in the region have established the Public Regional Information Security Event Management System. “Right now, Seattle, Bellevue, Lynnwood, Kirkland, Redmond, Kitsap County, Thurston County, Seattle Children’s Hospital, Snohomish [Public Utility District], six maritime ports, etc., they all send their logs to one place. So we watch the region, the attack surface of the region, and we’re all connected. We have trust relationships.”

Hamilton gets backup from the federal government, especially from the U.S. Department of Homeland Security, Multi-State Information Sharing and Analysis Center and Center for Internet Security. He recommends the DHS’ Cyber Resilience Review and Cyber Security Evaluation Tool, as well as regional risk assessment tools available to local governments.

Hamilton also serves as a member of the State, Local, Tribal and Territorial Government Coordinating Council (SLTTGCC).  Members of the council work directly with the federal government through DHS' Office of Infrastructure Protection.  Working groups assist DHS in focusing programs and products that are available to local governments such as the Regional Risk Assessment Program (RRAP), which includes an evaluation of risk to critical cyber resources.  "Members sit down directly with the federal government," he said, "and discuss what's working, what could be improved, funding issues, and maintain a coordinated focus on how we protect infrastructure and achieve resilience."

Hamilton said some local governments are making good use of open source security technology such as the Open Web Application Security Project testing tools for website security and low-cost penetration testing services such as Trustwave. “I can’t say lots of local governments are doing this,” he said, “but these are some of the things I’m trying to help promote in my community of local governments up through the [Association of County and City Information Services] and through regional briefings and all the people I work with around here.”

Hamilton thinks that there is a lot of disruptive change occurring now, including cloud computing and the transition to IPv6. “We’re going to have to find out how this is all going to shake out. It’s cloud everything right now. That’s got a different security model with it, which is not fully mature yet.”

He thinks cloud security is going to depend on strong authentication and authorization, auditing and encryption. “You are strongly authenticating and forcing authorization controls around everybody who has access to your data, and all that stuff gets audited, you always get a report on touches to the data. So as this change occurs, it may be making our jobs easier.”

In spite of increasing attacks, disruptive change and the threat of the big stick hanging over potential breaches, Hamilton remains pretty upbeat. “I’m not all gloom and doom about it,” he said. “If I was, I’d go out and grow blueberries.”



Steve Emanuel    |    Commented July 12, 2012

One key component that is missing as part of many of the security awareness issues is training. We forget, the technology has "fingers touching", the end devices don't access or distribute information alone. We need to make cyber education a part of our routine, not in response to a problem, it's too late and quite embarrassing by then. Training and Education of our IT staff, our users and our citizens should be near the top of our agenda, constantly.

Larry Karisny    |    Commented July 15, 2012

Great article Wayne. Sadly I saw cyber theft going on since the beginning of the Internet and worked with a variety of government agencies exposing it. The difference between now and then is now we have reached critical mass in cyber attacks while at the same time we are adding more and more local smart applications that must be secured. Steve, I agree with your comment and think we need to look at human to machine (H2M) and machine to machine (M2M) security very differently. H2M needs authentication while a M2M sensor to a machine in most cases is just supposed to be doing something very specific with no variables. Adding the human element always adds the potential of desired or undesired system security event changes. I will be discussing how these security issues can be addressed with top cyber security experts on August 9th in the Smart Grid Security Virtual Summit 2012.

Michael Hamilton    |    Commented July 15, 2012

Steve, you are so right about the fingers touching the technology (and the brain controlling those fingers). The first start-up that comes with a firewall for stupidity will take over the world! Seriously, I agree that training and education is key to lowering the rate of compromise. It will never be perfect though, and a determined attack will evade even smart people's radar. Gotta watch those network communications for the signs of breach... those (at least today) can't be hidden.
