The level of understanding many state and local agencies possess about their cybersecurity capabilities is disturbing. We asked why they knew so little, and the answers we received made us cringe with despair.
First Published 31st January 2022 | Latest Refresh 1st September 2022
"Everything is fine."
5 min read | Reflare Research Team
Local government attacked (yet again)
In the United States, the Maryland Cybersecurity Coordination Council has released a report examining how many state government agencies have never run an internal cybersecurity assessment. In an era where government agencies are becoming an increasingly attractive target for attack, its findings are - to say the least - concerning.
The Council’s research found that more than 60% of surveyed agencies had not conducted any form of cybersecurity assessment to understand or evaluate their ability to deal with cyberattacks. Furthermore, 40% of the agencies surveyed reported running at least one legacy IT system, and half of those had no recovery time objective in place for it.
The timing of this report is somewhat ironic, given that the Maryland State Health Department is currently grappling with the fallout of a successful ransomware attack. The attack not only took the Health Department’s systems out of service, but also had a direct knock-on effect on the systems of at least two dozen government partners.
Speaking of timing, ‘when’ an attacker chooses to strike is one of the most powerful levers they have to maximise the damage, disruption, and return on their efforts. The Maryland attack, for example, was launched on 4 December 2021 - precisely when Maryland’s COVID-19 omicron wave was on a vertical trajectory. One of the many very visible impacts was that Maryland’s Health Department was unable to process and issue death certificates. That missing data fed through to the official COVID-19 information dashboard, which in turn could not provide the public with death statistics for the region for almost a month.
You're not alone
Unfortunately, we have also seen first-hand what the Maryland Cybersecurity Coordination Council is reporting.
The Reflare Research Team has spoken to numerous leaders of state government agencies (of various sizes, in various states, and in various countries) to understand why cybersecurity assessments are not a critical priority for their agencies, even though the need is blatantly self-evident.
These leaders kindly agreed to let us share the ‘headline findings’ from those discussions anonymously, in the hope that lessons can be learnt about the internal realities government agencies must deal with when it comes to their cybersecurity.
As we did repeatedly during our discussions, we again sincerely thank these leaders for their time and insights. We remain incredibly grateful for their candid honesty.
Somewhat unsurprisingly, leaders’ lack of understanding of their agency’s cybersecurity capabilities has little to do with technology, and everything to do with a) psychology, and b) political risk.
The headlines
Our findings can be divided into three groups.
1) Not on my watch
“If we statistically quantify how bad things are, it’s just going to be another thing that I need to fix, along with the thousands of other things I need to fix. And even worse, if we do quantify it, and then there’s a breach, it will be my neck on the chopping block.”
“I’m two years away from retirement. Why would I take this on now?”
“I would rather deal with a breach than deal with being responsible for improving our ability to stop a breach and fail. Even if I outsource this, I know it will come back to me. Being mid-career as a public servant, I don’t need this risk.”
This line of thinking was disturbingly common. In many agencies, the leaders who shoulder the ultimate responsibility for cybersecurity have a relatively clear picture of their SWOT (strengths, weaknesses, opportunities and threats), even though that picture is built on their own set of personal assumptions. Turning those assumptions into evidence-based facts by actually evaluating their cybersecurity brings with it a ‘burden of responsibility’ that many are simply not willing to carry.
This is a perfect representation of “culture eats strategy for breakfast”.
Within the wider government agency structure, the reputational and political risks associated with “trying, but failing” are perceived to be significantly greater than a cybersecurity breach itself. If there is not a culture of decoupling personal risk from organisational risk in place, then it is human nature to protect oneself from the ridicule, scrutiny, and political fallout of potential failure.
Therefore, the individual’s psychological trade-off comes out in favour of not trying. This logic is further reinforced when the agency has yet to experience a security breach: “If the risk hasn’t materialised, is this a risk that really needs my urgent attention?”
This leads us to our second headline.
2) It won't happen to us
“We are a very small agency looking after a community of 1,500 people. Who on earth wants to hack us?”
“I’ve spent 41 years here, and I remember the arrival of the first computer. We’ve never had a problem with being hacked.” (This was a very difficult discussion to listen to).
“All of our technology is outsourced, so if something ever were to happen, it wouldn’t cripple us because we don’t own the physical infrastructure. So, from my agency’s perspective, the way we are set up protects us from the vast majority of cybersecurity risk.”
Now, if you work in IT security and are still reading, you’re probably leaning back in your chair thinking exactly what this writer is thinking while typing this very sentence. ‘Legacy biases’ and ‘false equivalencies’ are incredibly well-trodden paths to danger. Just because something hasn’t happened in the past most certainly does not guarantee it won’t happen in the future, and outsourcing the infrastructure does not outsource the consequences: when a supplier is breached, it is still the agency’s data, services and constituents that are affected. However, when a leader has spent their entire working life watching these things “not happen”, it is quite a psychological ‘heavy lift’ to set aside that lived experience and entertain the contrary.
Furthermore, many smaller agencies do not consider that they are the perfect targets for attackers to practise on. A significant number of the systems and processes used within smaller agencies are closely (if not identically) replicated across other agencies. ‘Practising’ on smaller agencies gives attackers the knowledge needed to hit larger agencies with greater proficiency and confidence. We have reported on this phenomenon in the past, and recommend you review the dynamics of what small government agencies and critical infrastructure mean to hackers.
3) I don’t have the resources
“I have to work within the budget we’ve got. If there ever was a big enough breach, I’m sure we’d get support to help fix the fallout. But getting funding before it happens? Forget it!”
“I barely have time for this conversation let alone doing anything about it. And if I did have more resources, there are more important things that need addressing first.”
“I can’t even conceptualise what fixing cybersecurity here would look like, let alone paying for it.”
This is the age-old paradox of ‘funding versus priorities’. It is an open secret that many agencies (particularly the smaller ones) struggle to meet the demands of their jurisdictions within the budgets they have available. The challenge becomes more pronounced when you look at the departmental and functional budgets within each agency - there is simply insufficient funding to do everything the department wants or needs to do.
However, this undercurrent of “if there’s a breach, we’ll get support” appears to be the resourcing stopgap of choice. “If funding and headcount show up when our systems are being held to ransom, then that is how (AND when) we will deal with improving our cybersecurity.” This is a mortifying strategy, but one that some feel is their only option for improving their security.
All hope is not lost
Improving your cybersecurity without fully understanding the maturity of your current capability is challenging, but not impossible. It has been proven time and time again that one of the weakest links in an organisation’s cyber resilience is its people. Capability development for technical staff and security awareness training for non-technical staff are accessible even with limited resources. But the key to cybersecurity talent development is its applicability to real workflows.
Leaders often possess an incredibly strong understanding of the operations and processes of their agencies (think of our gentleman with the 41-year career). Delivering hands-on (not death-by-PowerPoint) IT security training that maps to users’ actual workflows can yield very strong bang for the buck without spending exorbitant amounts of cash on ripping out the legacy systems that pose such a risk. That’s not to say your systems, networks, and infrastructure don’t need urgent attention. However, if you know you have a problem and need to do something about it today, starting with talent development can help you move the needle in the right direction.
You should also consider staying abreast of the latest IT security trends, cybersecurity developments and data breaches. Conveniently, we can help you do this at no cost - subscribe to Reflare's email newsletter.