Across the United States, state and local governments are making significant investments in information technology so that they can take advantage of the same efficiencies that are powering the private sector’s charge towards the Fourth Industrial Revolution. This is creating fresh opportunities, but also new risks. US state governments have been targeted at an alarming rate by adversaries that are increasingly sophisticated and driven by broader motives. Consequently, state governments find themselves on the frontlines because of the role they play in the delivery of essential services or their administration of industry and commerce. Indeed, state agencies may hold vulnerable troves of personal data, making them desirable targets for cyber attackers. Perhaps the most concerning threat comes from nation-state attackers who are eager to exploit state government networks.
Naturally, state policymakers are anxious to find ways to protect their systems. They face challenges as they adopt new technologies, grapple with limited budgets, and push to keep pace with rising threats, all the while providing critical services for their constituents. To address these challenges, states must think holistically and adopt comprehensive, risk-based cybersecurity strategies, rather than simply responding to the most recent cybersecurity incident or headline. This requires taking the long view and instilling best practices that are flexible and capable of adapting to an evolving threat landscape.
In July 2018, Microsoft detailed seven best practices that every state should implement to protect its government and constituents from cybersecurity threats. These principles are based upon Microsoft’s expertise and experience in combating threats in cyberspace globally.
1. Ground cybersecurity policy in established guidelines and standards
State governments should adopt federal frameworks (such as the NIST Cybersecurity Framework) to help lay the groundwork for strong, effective state cybersecurity policy. The framework provides a high-level, strategic view of the lifecycle of cybersecurity risk to help states better understand their cybersecurity risk, and it enables them to apply the principles and best practices of managing risk to improve the security and resilience of critical infrastructure and services.
2. Establish an ongoing cybersecurity advisory council with industry and academia
In many states, most cybersecurity expertise lies across industry sectors and academic disciplines, and many of these experts would likely be eager to contribute to state cybersecurity policy. Each state should utilize these assets and create a cybersecurity advisory council. These councils can bring together industry experts, academics, and public sector leaders to develop cybersecurity strategies for state governments and help respond to ongoing threats.
3. Create a culture of cybersecurity
In many cases, the weakest point of security for an organization, including state governments, is its personnel. Reversing this phenomenon requires empowering employees with the skills they need to stay ahead of and be prepared to protect against increasingly sophisticated threats. However, only eighteen states today require cybersecurity training for all of their employees. We believe it is essential to develop a knowledgeable, cyber-literate workforce to reduce cyber risks to the state. To create a culture of cybersecurity and reduce the risks from cyberattacks, state governments should implement a robust cybersecurity training program for all state employees.
4. Leverage new resources to enhance election integrity
Since 2016, new resources designed to enhance the integrity of elections have been made available to states. Among them are federal funding for securing elections, free election security programs coordinated by the Department of Homeland Security (DHS), technologies to help protect political campaigns (e.g., Microsoft AccountGuard) and support robust post-election audits (such as risk-limiting audits, or RLAs), and new election security best practice guidebooks.
5. Integrate cyber resilience into every step of strategic planning
As state governments develop and implement strategies to protect their IT assets and data from cybersecurity threats and other disasters, they must also focus on making these services data resilient. In other words, they must ensure that state networks can adapt, recover, and continue to operate if and when an attack happens. Embracing cyber resilience can not only help to ensure that states are more secure; it can create opportunities for states to build comprehensive, long-term strategies that set them on a path toward digital transformation. Moreover, it can promote a culture of innovation, generate new avenues for investment, and contribute to a vibrant and economically competitive state.
6. Consider cyber insurance to help protect state assets
Cyber insurance can help states complement their cyber risk management process by providing financial protection against risks that cannot be fully mitigated. The benefits of cyber insurance are not just financial—cyber insurance is, of course, no substitute for a robust cybersecurity strategy and practice. To qualify for coverage, states typically must meet a set of cybersecurity standards required by insurers, such as regularly training staff, encrypting sensitive data, and keeping servers up to date. Cyber insurance therefore pushes state governments to implement strong cybersecurity practices, increasing the overall health of their technology systems and the protection of their data.
7. Strong procurement policies and compliance are essential
As the data being created and stored by states has increased, so too have states’ legal and regulatory obligations. It has become increasingly important that states examine their compliance and procurement policies, and ensure that their vendors can demonstrate that they will enable compliance through their tools and services.
Advancing state government cyber resilience
Policymakers today must continuously make thoughtful, multidisciplinary decisions to respond to the challenges of their growing populations, increased interconnectivity, changing expectations of government services, and the uncertainties of security in cyberspace. Implementing cybersecurity and policy frameworks to better protect state governments can help meet those challenges while enabling state employees to better protect their systems. Following the recommendations and strategic approach laid out in these seven principles can help states innovate, advance their security goals, and better protect their information technology systems and their citizens.