State and local governments have important roles to play in managing cyber risks
Governments are facing a range of cyber threats: criminal hackers who seek to commit fraud or steal citizens’ personally identifiable information (Social Security numbers, credit card information); foreign companies or government-sponsored groups that hack into American companies to steal valuable research and development data or sensitive business secrets; and foreign attackers who could seek to disrupt critical infrastructure such as power grids, water utilities or transportation systems as part of an international conflict.
Fortunately, there are steps governments can take to manage these risks. Here are seven key steps state and local governments can take:
Develop a state or city cybersecurity strategy that will help coordinate efforts and focus scarce resources on the most important priorities. Identify the most critical state assets that need protecting, such as critical utilities and emergency response systems.
Empower a state or local Chief Information Officer and convene a government-wide Cybersecurity Committee to coordinate priorities, programs, and resources and promote a government-wide culture of cybersecurity.
Make sure the IT security fundamentals are getting done, for example that government IT systems are kept up to date with patches for known IT vulnerabilities. According to Verizon’s 2012 Data Breach Investigations Report, 97 percent of breaches were “avoidable through simple or intermediate controls,” which can include basic system monitoring and patch management. Requesting periodic reporting on the state of IT security can increase accountability on the IT security fundamentals.
Include cybersecurity requirements in contracts issued by government to vendors. Examples of important provisions include the following: require that vendors put in place minimum cybersecurity controls; require that vendors obtain an annual third-party cybersecurity assessment and share the results with the government buyer; and require that vendors notify the government if they discover that they have been breached. Contract requirements are a cost-effective way to improve cybersecurity and signal to vendors that cybersecurity is a priority.
Practice cyber incident response. Preparing for a cyber crisis, whether an attack on critical infrastructure or on an important company or government agency, is key to responding effectively. Practicing cyber incident response can be done cost-effectively through a simple tabletop exercise rather than a complicated field exercise or full-scale simulation.
Leverage external resources wherever possible. These can include briefings from the Department of Homeland Security, valuable tools and procurement initiatives from the Multi-State Information Sharing and Analysis Center (MS-ISAC), and resources such as the Small Biz Cyber Planner from the Federal Communications Commission.
Run education and awareness programs to raise understanding of cyber issues and make cybersecurity a priority for government, businesses, non-profit organizations, and individuals.
For more ideas, check out our recent report, “Twelve Steps Governors Can Take to Improve Cybersecurity,” available on our website.
Good Harbor Security Risk Management works with senior corporate executives, investment professionals, and government leaders to assess and develop strategic cybersecurity programs that mitigate organizational risk in the face of advanced cyber threats.
The company’s consulting services include the Executive Cybersecurity Risk Profile and Action Plan as well as specialized services in threat awareness, risk assessment, strategy and governance, crisis management and communications, regulatory and policy analysis, thought leadership and investment diligence.
The firm is led by Chairman Richard A. Clarke, a former senior White House advisor on cybersecurity, counterterrorism, and national security, and the author of “Cyber War: The Next Threat to National Security and What To Do About It.”
Emilian Papadopoulos is chief of staff at Good Harbor Security Risk Management, a Washington-based cyber risk consultancy.