It\u2019s become an industry truism that cybersecurity threats are growing more sophisticated, but the last few years have sped the pace of work to a hurried rate.<\/p>\n\n\n\n
State technology officials told StateScoop that the recent advances in generative artificial intelligence<\/a>, along with the shift to zero-trust security models and more frequent service outages have their departments hustling. Alan Fuller, Utah\u2019s chief information officer, summarized the state of cybersecurity today by saying it\u2019s \u201ca very, very dangerous world,\u201d in which hackers in China<\/a>, Iran<\/a>, North Korea<\/a> and Russia<\/a> exhibit diligence and creativity as they continually wield new tools.<\/p>\n\n\n\n \u201cWe\u2019re way past the days when people think cybercrime [is] like this teenage kid who hacks into the national defense system or something like that,\u201d Fuller said. \u201cIt\u2019s not that. We\u2019re talking about sophisticated, professional, well-funded organizations where they have hundreds, if not thousands of people who show up to work every day in a nearly corporate-like environment to do cybercrime.\u201d<\/p>\n\n\n\n But government\u2019s not yet being overwhelmed: State officials also said that a heightened sense of danger has government, industry and the general public taking cybersecurity more seriously, an invaluable asset in a digital environment where bad actors are searching for any opening formed by carelessness or apathy.<\/p>\n\n\n\n \u201cWe\u2019ve had these big oceans that protected us from physical attack,\u201d Fuller said of traditional warfare. \u201cIt\u2019s just hard to get here, and you take a place like Utah, especially, an interior state, we don\u2019t think much about advancing armies, but with the rise of the internet and the rise of this cybercrime, a small town in rural Utah can get hammered by criminals from Russia or Iran or North Korea.\u201d<\/p>\n\n\n\n A report<\/a> from the nonprofit Center for Internet Security unsurprisingly showed that cyberattacks on state and local governments rose 148% between 2022 and 2023. Fuller said he\u2019s noticed recently that email phishing campaigns, a common way bad actors try to steal credentials, have grown harder to detect, likely a result of generative AI\u2019s capacity to rapidly draft unique texts that are convincingly human.<\/p>\n\n\n\n \u201cWe saw an attack that had over 400 emails. No two emails had the same subject, no two emails had the same body,\u201d Fuller said. \u201cAnd these phishing emails used to look like they were written by Nigeria or something \u2014 you know, bad grammar, they were off. Nowadays, phishing emails are good. It\u2019s all too easy.\u201d<\/p>\n\n\n\n Government agencies aren\u2019t only busy scanning their email inboxes. Virginia CIO Robert Osmond told StateScoop that everything about his job has become more complex as technology has advanced in recent years.<\/p>\n\n\n\n \u201cI think IT in general is getting harder,\u201d Osmond said. \u201cIt’s either hard or it’s very hard or impossible. And those are your three choices.\u201d<\/p>\n\n\n\n Part of the heightened difficulty, he said, has been the state\u2019s move away from the once widely used \u201cdefense in depth\u201d security model, to zero-trust<\/a>. If defense in depth is like locking up a house by installing alarms and putting bars on the windows, zero-trust is like installing cameras in every room.<\/p>\n\n\n\n And though the switch to zero-trust has proven a necessary change, Osmond said one troublesome upshot of the new paradigm is that there\u2019s way more stuff IT teams must track.<\/p>\n\n\n\n \u201cIt’s a way of thinking about the problem, it’s a business process of how to approach cybersecurity, it’s a mentality,\u201d Osmond said. \u201cAnd so it’s a pivot, and it’s very common in many places, particularly banking. They’ve been leaders in terms of understanding that, and I think there’s a lot of things we can learn in the state government to do that more effectively.\u201d<\/p>\n\n\n\n When CrowdStrike last July pushed out a faulty update<\/a> to users of its Falcon security software, it disabled many computer systems around the world, grounding airplanes and halting news broadcasts. It wasn\u2019t the world\u2019s first major IT outage, but its breadth, owed to Crowdstrike\u2019s large customer base, was noticed<\/a> by state and local technology officials, who are tasked with forming plans that ensure their agencies can continue providing basic services to residents under conditions of all sorts.<\/p>\n\n\n\n Illinois CIO Sanjay Gupta was among those who couldn\u2019t help notice the outage, which is part of a trend he judged to be \u201ca little scary.\u201d<\/p>\n\n\n\n \u201cI think we\u2019re seeing a little bit more of the larger service providers having unplanned outages \u2014 and it\u2019s not just cybersecurity, it\u2019s across the board \u2014 and then tend to cause quite a disruption,\u201d he said. \u201cThe idea was to rely on the service providers and they have reliable and robust services, and resilient services, but it turns out that\u2019s not necessarily the case.\u201d<\/p>\n\n\n\n Adam Meyers, CrowdStrike\u2019s senior vice president of counter adversary operations, last month apologized<\/a> for the outage before Congress, where he said the company is willing to cooperate with the federal Cyber Safety Review Board. He also outlined steps the company will take to mitigate future burps in service, including rolling out updates gradually, and giving customers more control over how they install updates.<\/p>\n\n\n\n Just the same, Gupta said, recent outages have led him to think more carefully about his assumptions regarding technology, and he expressed hope other policymakers will also. He noted that it\u2019s not tenable for state governments to purchase redundant products for all their services.<\/p>\n\n\n\n \u201cI think we all as an industry should be questioning that,\u201d he said of companies\u2019 service delivery models. \u201cI’m not suggesting the models are wrong, [but] I think the industry at large needs to look at that and see what can be done to ensure the resiliency of those. When you become a large player and you\u2019re a large service provider, I think it behooves you to have a more resilient service delivery model.\u201d<\/p>\n\n\n\n \u201cIt\u2019s no longer hard for threat actors to do bad stuff,\u201d New Jersey Chief Technology Officer Chris Rein told StateScoop.<\/p>\n\n\n\n But he said the constant pressure placed on government by its adversaries hasn\u2019t been all negative \u2014 that pressure also brought welcome changes in the industry.<\/p>\n\n\n\n The severity and frequency of attacks has made it normal for technology companies to lace all of their products with cybersecurity features: \u201cIt\u2019s never an afterthought anymore,\u201d Rein said. And with bad actors finding success attacking everything from AT&T<\/a> to the Los Angeles Unified School District<\/a>, cybersecurity professionals have had ample opportunity to contemplate where others went wrong.<\/p>\n\n\n\n \u201cThere\u2019s a recognition in the cyber world that you can\u2019t fix or improve cybersecurity with tech only,\u201d Rein said. \u201cYou can\u2019t just buy this product or buy this feature or buy that add-on, but it\u2019s so clearly now people and process as much as technology.\u201d<\/p>\n\n\n\n The norm of tumult has also upset the nascent industry of cybersecurity insurance, the cost of which continues to rise and in 2022 rose by more than 25%<\/a>, surpassing the premium hikes of all other types of insurance. With rates often reaching into the millions, Rein said he\u2019s seeing more states opting instead to stick their cash in savings.<\/p>\n\n\n\n \u201cWe are not one of the self-insured states, but we are looking harder at it now than we ever have with our treasury department and our risk-management folks,\u201d he said. \u201cThe underwriters and the insurance companies, they\u2019re becoming more and more aware, probably because they got burned more than a few times and started saying, hey this wasn\u2019t an anomaly, this was a trend.\u201d<\/p>\n\n\n\n Rein said he\u2019s also noticed that insurers are being more careful, too. Where they once used to ask whether his state \u201cuses multi-factor authentication,\u201d actuaries now ask a more specific question: \u201cDoes every single user have multi-factor authentication enforced?\u201d<\/p>\n\n\n\n State and local governments may have yet to feel the full force of AI-powered cyberattacks, but IT leaders aren\u2019t out of ideas to defend their networks. They\u2019re using the latest technologies to reinforce their cyberdefenses, too, such as by using AI to passively hunt for threats<\/a>. <\/p>\n\n\n\n Fuller, Utah\u2019s CIO, estimated that the days are numbered for the username and password authentication scheme.<\/p>\n\n\n\n \u201cIt\u2019s just not cutting it,\u201d he said. \u201cIt\u2019s not secure enough. We need to go to a decentralized identity model where the user holds their own credentials. It\u2019s a verifiable, [meaning] the issuer with the credential issues cryptographic codes stored in a verified data registry, there are public keys so a user can scan and verify that credential as both the issuer and the holder of the credential are accurate. Without having that, our online stuff is going to continue to be a big risk for fraud.\u201d<\/p>\n\n\n\n In Virginia, Osmond said that when considering cybersecurity, he reminds himself not to reinvent anything, because there are already lots of sophisticated tools out there.<\/p>\n\n\n\n \u201cI get a tremendous benefit from talking to vendors,\u201d he said. \u201cThis is their business and their livelihood. \u2026 Understanding that no one vendor has all the answers. You’re gonna have to talk to a lot of people, but as you stitch it together you find that everybody has a piece of the puzzle.\u201d<\/p>\n\n\n\n‘Hard, very hard or impossible’<\/h3>\n\n\n\n
\u2018A little scary\u2019<\/h3>\n\n\n\n
\u2018Bad stuff,\u2019 good things<\/h3>\n\n\n\n
\u2018It\u2019s not secure enough\u2019<\/h3>\n\n\n\n