Each day in America, state, and local governments create, use, and store millions of sensitive pieces of data: tax records, driver’s licenses, real estate records, special assessments, water bills, legal documents, and hundreds of others. Each record is stored, has a legal requirement for the duration it is to be stored and is housed in a potentially porous network that can be compromised easily in a matter of minutes by forces around the world that want to commercialize that data.
The practical reality of this situation is this: if you’re not making a significant investment in cybersecurity/ information security (InfoSec) you’re losing the battle! In fact, you may not even really be in the battle. It may be unfolding in front of you while you stand by helpless to do anything against an enemy that has more firepower at their disposal than you can imagine.
What you don’t know is that hackers aren’t some acne-laden teen-aged kids drinking gallons of Mountain Dew and living in their parents’ basement. They are nation-states or professional hacking “businesses” that exist in countries around the world with no extradition treaties. They come to work each day to breach your defenses, invade your network, and either lock up and ransom your data back to you or set up shop inside your network and soak up customer/constituent data that they can commercialize and turn into millions of dollars.
Your staff may be doing everything they can do to prevent this, but without tools, a plan, appropriate funding, and outside help, the best you can expect is a “when we get breached, we hope it’s not awful” statement. As an elected official or appointed official, you can either be part of the solution, or what’s slowing the solution down. The minute you debate whether the office renovation at City Hall, or the new carpet in the State office building, or dozens of new employees for some agency is more important than securing your data and your network, you have become the problem of the politics of cybersecurity.
Why Is This So Hard?
As a citizen lawmaker, you come to governance from a wide array of vocational experiences. Most of you are not security professionals, nor do you work in the IT community. That’s okay. In fact, it can be really good. Not being an expert, you recognize the value of professional expertise, rely on it in your elected capacity, and willingly accept it from folks like attorney’s, engineers, auditors and many other people who provide services for your organization on a contracted basis.
The difficulty for cybersecurity or information security is that too many organizations are relying on an IT generalist that already works at the organization. In 2016 the International City/County Management Association (ICMA) conducted a survey of its members asking several questions about cybersecurity at the county and municipal level. What they found is that roughly 89% of the “ownership” for cyber resides within the IT department and that 61% of the cities and counties actually keep this function in-house with existing non-cyber security IT staff. From personal experience and from the responses to the survey we know that the IT professionals inside the departments are typically IT generalists who are tasked with providing a wide array of service to their organizations. The ICMA study said that the barrier towards hiring a dedicated cyber-staffer is the inability to provide competitive salaries for such a person and thus rely on existing staff. Nearly 58% of responses indicated funding as the main barrier, while also commenting that 30% similarly recognize that there is a lack of specific training for their staff.
At the state level, there is a slightly different approach to cyber/InfoSec. And while perhaps more defined from a staffing perspective, more dedicated to fighting the fight, the base problems are at their core the same as counties and cities: money and people. In my experience as a state representative and vice chair of the state government committee, I know that my fellow legislators have a precursory understanding of InfoSec, and a significant amount of that information has come from me lobbying them and talking about InfoSec to them whenever there is a free moment in committee or on the floor of the House.
The politics of cybersecurity, sadly, sometimes makes spending subject to partisanship. Bills are often sent through full votes in the House and Senate, which can be more about scoring political points with a member in a district than doing the right thing. That, or they can die at the hands of ideologues who hate spending money on anything. This is the frustrating part. I have gone through it in several attempts when trying to get funding for cyber/InfoSec for four years.
The first attempt was to do a lump appropriation in a funding bill. It was ultimately negotiated away to fund more employees for a department that was advocated for by the party of the governor.
The second attempt was to programmatically peel off 3.5% of all agency IT spend to help improve security. It too was vetoed for partisan reasons.
The last was to fund the Secretary of State for a matching grant from the federal government to bolster election data integrity. This also was vetoed in a larger bill format, but my own colleagues resisted offering it as a standalone bill.
This unfortunate result has corollaries to state and local government in that an ideologue city council member, mayor, or county commissioner who simply doesn’t like spending any money on anything may be inclined to vote against an appropriation of any kind. This is shortsighted, yet prevalent when it comes to budgeting and the politics of cybersecurity.
Who Owns This Mess?
Ownership of InfoSec is where the conversation should really heat up. It’s also where the more nuanced aspect of the success or failure of the organization’s treatment of InfoSec/cyber becomes very, very real. In the ICMA survey, we see that the “ownership” of InfoSec has fallen into the IT department (89% ICMA study) where it doesn’t belong!
Think about the level of interaction that your organization has with their constituents, or customers. An overwhelming amount of financial transactions take place electronically. That means that the personally identifiable information coursing through your network each day is getting larger and larger as time progresses. A poorly secured, or virtually unsecured network is going to be a target-rich environment for hackers, and those hackers will use your employees as a weak point to compromise your data, and your business. This makes cyber/InfoSec a business problem, not an IT problem and should drive ownership of the issue out of the IT department and into the boardroom.
If we go on the assumption that InfoSec is a business problem, we should treat it the same as we would for any other critical infrastructure issue. For example, if you had a warehousing problem, you would bring the full weight of the business to address the problem. Delivery issues, sales issues, and production issues would all be addressed as things critical to the health of the business, become an issue tackled at the board level, and delegated to sales, operations, finance, and IT. Simply suggesting that InfoSec is an IT issue makes it less likely to make it past the chopping block of funding proposals. If we look at it as a critical business issue, we are far more likely to see it treated on equal footing with all other business issues.
I Hate Spending Money On Something I Can’t See
I’ve always said that there is no ribbon-cutting ceremony for InfoSec. There is nothing you can point to and claim that you “did that” and it is a hard message to get across to constituents and voters. However, a five-minute conversation with a constituent explaining why you spent money strengthening InfoSec is better than the 30-minute conversation you have with an angry constituent who has had their information sold on the dark web or has had their credit rating ruined because their identity was stolen from within your network.
You are ultimately responsible to the constituent for protecting any personally identifiable information you use while providing them services. I hate spending money as much as the next person, but if you don’t spend the money on protecting the data you’ve been entrusted with, you risk spending much more than that in the long run. Here is an example I’ve shared with the State of Minnesota.
Imagine a massive Target-like breach at the State of Minnesota. Somehow a dedicated hacker has drilled and drilled, eventually tapping into the motherload of databases. They steal data from 5.5 million Minnesota residents. The breach is eventually detected, but the damage has been done. Now you are talking about providing monitoring services to all those impacted.
Here’s the math on that.
Monitoring a person’s credit costs between $50 and $75 per person per year. Multiplying that by 5.5 million and you have $275M to $412M for a year of monitoring. That excludes any fines, lawsuits, or damages that you are also now on the hook for. My question for you now is: does spending money to proactively reduce the ability to compromise your organization become a priority now?
The Cost of Not Spending
The reality is that spending money isn’t unwise if it forces the organization to take a regimented approach to treat InfoSec seriously and ultimately make the organization’s data more secure. It will never remove all risk, but the risk will continue to decrease as you adopt your security framework.
I’ve been in your chair as a city councilor, mayor, and now state representative. Debating the final levy, looking at bonding issues, and deciding what you spend and don’t spend on is a decision that is difficult, for sure. But as you decide what you should invest in, think of the end goal as if it were loss prevention.
You certainly invest money to make sure that people don’t slip and fall in the workplace, and you certainly try to create a safe work environment. You would undoubtedly invest to mitigate those situations without reservation. The InfoSec/cyber issue is not any different. You must take the security of your data seriously. Realize that the consequences of a data breach can actually be more severe than a slip-and-fall accident for an employee, or if a resident tripped on an uneven sidewalk and sued for damages. A breach could impact thousands, cost millions, and create a reputational loss that is staggering. Your decision to ignore the politics of cybersecurity, and to invest in a structured program around information security will not make the front pages of the local paper. But getting breached because of your decision to not invest in information security most definitely will. Ask questions, research solutions, and choose wisely.
To learn more about building a proper information security program for your local government, so that you can prevent your constituents’ data from being compromised, visit frsecure.com.