October is Cyber Security Awareness Month—So what’s new?
October is Cybersecurity Awareness Month. The first question that comes to mind is what has happened since last October? The simple answer is plenty—and most of it was not good news.
Ransomware attacks doubled against public institutions, cyber insurance premiums have risen dramatically while coverage limits have been cut, and we witnessed something almost unthinkable until recently: even local governments were impacted through supply-chain attacks, most notably as customers of service providers such as Kaseya. In a supply-chain attack, cyber criminals find a way to penetrate a cyber service company and then surreptitiously gain access to all of its customers through the trusted channels that company already has. Adding to this list of challenges is that while the demand for experienced cyber tech employees continues to grow, local governments are having a challenging time attracting such talent. Surprisingly, it has been reported that money is no longer the largest stumbling block, as it has been in the recent past. Candidates are increasingly seeking quality-of-life factors that include working from anywhere, working non-standard hours, and more health and wellness benefits. Senior tech staff have expressed their frustration with what many are referring to as pandemic burnout and are simply retiring or moving to completely different jobs and professions.
The backdrop to this is the frightening statistic found in CompTIA’s 2021 State of Cybersecurity Report, issued this past September: 95 percent of cybersecurity breaches are caused by human error, suggesting they were likely preventable.
The 2021 State of Cybersecurity report also points out that tech employees believe things are getting worse; as the chart shows, the curve is clearly going in the wrong direction.
At the same time, cybersecurity has been the top concern of IT leaders in the public sector, as exemplified through 10 years of PTI Cyber Surveys. But while this year is nearly over, there is good news to report: at least the promise of help is on the way.
Given the visibility of some high-profile hacks like Kaseya and the Colonial Pipeline, it appears the federal government has started to become more actively involved, viewing the cyber landscape as something requiring a whole-of-government approach. In August, President Biden met with private sector and education leaders to discuss the whole-of-nation effort needed to address cybersecurity threats. The White House statement reinforced the notion that cybersecurity threats and incidents affect businesses of all sizes, small towns and cities in every corner of the country, and the pocketbooks of middle-class families.
Compounding the challenge, nearly half a million public and private cybersecurity jobs remain unfilled. This meeting led to the issuance of an Executive Order aimed at bolstering the cyber defenses of our nation’s infrastructure. As importantly, the participating companies each went on record with their contributions, which include Microsoft pledging it will immediately make available $150 million in technical services to help federal, state and local governments upgrade security protection. Amazon announced it will make available to the public at no charge the security awareness training it offers its employees. Coalition, a cyber insurance provider, announced it will make its cybersecurity risk assessment and continuous monitoring platform available for free to any organization. IBM announced it will train 150,000 people in cybersecurity skills over the next three years and will partner with more than 20 Historically Black Colleges & Universities to establish Cybersecurity Leadership Centers to grow a more diverse cyber workforce. Google announced it will invest $10 billion over the next five years to expand zero-trust programs, help secure the software supply chain and enhance open-source security. Google also announced it will help 100,000 Americans earn industry-recognized digital skills certificates that provide the knowledge that can lead to secure, high-paying, high-growth jobs. And not to be outdone, Apple announced it will establish a new program to drive continuous security improvements throughout the technology supply chain. As part of that program, Apple will work with its suppliers—including more than 9,000 in the United States—to drive the mass adoption of multi-factor authentication, security training, vulnerability remediation, event logging, and incident response.
Congress has also focused on state and local government cybersecurity with the passage of the State and Local Cybersecurity Improvement Act in the House (HR 3138), which would require the Cybersecurity and Infrastructure Security Agency (CISA) to establish the State and Local Cybersecurity Grant Program to address cybersecurity risks and threats to the information systems of state, local or tribal organizations. CISA must also establish a State and Local Cybersecurity Resilience Committee to provide state, local and tribal stakeholder expertise, situational awareness and recommendations to CISA on how to address cybersecurity risks and threats. And finally, CISA must develop and maintain a resource guide for state, local, tribal and territorial government officials to assist with identifying, preparing for, detecting, protecting against, responding to and recovering from cybersecurity risks, threats and incidents. In addition, CISA must develop and make publicly available a Homeland Security Strategy to Improve the Cybersecurity of State, Local, Tribal and Territorial Governments.
The U.S. Senate (S 2520/S 2585) passed its version(s) of the State and Local Cybersecurity Improvement Act, which authorizes a new grant program at the Department of Homeland Security dedicated to improving cybersecurity for state, local, tribal and territorial entities. This grant program, which will provide $1 billion over four years, would be administered by the Federal Emergency Management Agency (FEMA) to take advantage of existing grant systems and expertise, while CISA would provide cybersecurity subject matter expertise. Of course, the bills require final passage in both chambers, but there appears to be a genuine desire to help state and local governments—a historic first.
Finally, to help fill the growing skills gap in technology, CompTIA is working closely with the U.S. Department of Labor to actively recruit for high-paying apprenticeship positions in both the private and public sectors.
Perhaps it takes a crisis to help refocus attention on a growing and costly problem. Local governments are vulnerable to cyberattacks due to shortages in staff, expertise and other resources and, in many cases, because they operate legacy equipment beyond its stated useful life. Local governments are the first line of contact for most citizens, and it appears those in Congress as well as the private sector are beginning to realize this significance as they appear to be turning words into meaningful action. So, what is different this year as opposed to last October? The answer is we are beginning to see rays of hope and perhaps less haphazard “trick or treat.”
Dr. Alan R. Shark has been the executive director of the Public Technology Institute (PTI), now part of the Computing Technology Industry Association (CompTIA) in Washington, D.C., since 2004. He is a fellow of the National Academy for Public Administration and chair of the Standing Panel on Technology Leadership. He is an associate professor at the Schar School of Policy and Government, George Mason University, and is a course developer/instructor at the Rutgers University Center for Government Services. Shark’s thought leadership activities include keynote speaking, blogging, and a bi-weekly podcast called Sharkbytes, and he is the author or co-author of more than 12 books, including the nationally recognized textbook Technology and Public Management as well as CIO Leadership for Cities and Counties.