The State of Cybersecurity in the States

State and local agencies are some of the most attractive and vulnerable targets for cyber criminals. In 2023, malware attacks increased by 148%, and ransomware incidents increased by 51%. These agencies are targeted because they hold valuable personal data on citizens and control critical services--yet their security efforts have historically been underfunded and under-resourced. However, the tide may be changing.

A report on the ransomware experiences of state and local government in 2024 showed a dramatic decrease in the number of those organizations that were impacted this year. The report found ransomware attacks impacting 34% of state and local governments, marking a sharp decrease from the 69% affected in 2023. Let's take a look at some of the trends and activities that are fueling the improvement in state and local cybersecurity. Continue reading

Zero Trust Passes Key Milestone

In January 2022, the Zero Trust Federal Strategy set a deadline of September 30, 2024, for agencies to adopt some level of zero trust architecture. Based on early indications, agencies have largely met zero-trust goals. The Federal CIO reported in early September that the 24 CFO Act agencies were all over 90% of the way to meeting the zero-trust goals. Beyond that group, the federal government as a whole was at 87% goal completion.

What's Changed?

The shift to zero trust is a response to the way government and citizens are using technology. With the increased use of cloud-based solutions, the traditional "castle and moat" security that protected on-premise infrastructure no longer supports the way applications are being deployed. Zero Trust focuses on continually verifying that users have permission to access the data and systems they are using. Gaining access requires coordination among a number of technologies that all work with a common set of user identification and access policies. Continue reading

The Changing Identity of Identity Management

A key element of the move to zero trust is the use of "strong multi-factor authentication (MFA) throughout their enterprise." While identity management has been indicated by many as the "low hanging fruit" of a zero-trust journey, it is by no means easy. In fact, recent guidance from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) called it "notoriously difficult."

Key challenges to implementing MFA include:

  • Lack of standards - the CISA/NSA guidance pointed to confusion over MFA terminology and vague policy instructions as primary challenges to implementing more secure access. A joint committee of European Union (EU) and U.S. experts addressed this same issue in the Digital Identity Mapping Exercise Report, which aimed to define specific digital identity technical terminology. For example, the group found some definitions, such as "authoritative source" and "authentication factor," are identical between the U.S. and EU, whereas others, like "identity" and "signature," remain only partially matched.
  • Phishing - bad actors do not always hack the system; they hack the process, gaining entry through social-engineering tactics that grow more sophisticated by the day. The CISA/NSA report called on the vendor community to provide MFA services with additional investments and greater defenses against sophisticated attacks.
  • Rise of Generative AI - The Department of Homeland Security (DHS) is working to ensure technologies can determine if a submitted image is legitimate or a hacker's spoof. This "liveness detection" is needed to ensure that a submitted selfie is really a photo of a person, not a mask, photo of a photo, or other technique to try to get past the check.

Continue reading

FITARA Goes to the Cloud, Grades Come Down to the Ground

The 17th edition of the Federal Information Technology Acquisition Reform Act (FITARA) scorecard featured a revamped list of measurements to illustrate federal agency progress against current modernization goals. This latest scorecard introduced two new categories - Cloud Computing and CIO Investment Evaluation - while dropping the measurement of compliance with data center modernization, something all agencies have completed.

This reshuffling of measurement criteria resulted in lower grades for 11 agencies. Twelve agencies saw their grades unchanged. The Department of Defense (DoD) was the sole group earning a higher grade, rising from a C to a B. These drops are not necessarily a concerning indicator, but rather a re-baselining of where agencies stand in terms of modern digital government goals. Continue reading

National Cybersecurity Strategy: Building a More Secure Future

In March, the Biden Administration released the latest guidance aimed at improving the cybersecurity practices of Federal agencies. The National Cybersecurity Strategy builds on the Executive Order for Improving the Nation's Cybersecurity that makes cybersecurity a strategic focus of every agency. This latest guidance drills further into the actions needed to ensure that government systems and citizen data are protected against the ever-evolving threat landscape.

The goal of the strategy is to "rebalance the responsibility to defend cyberspace" and "realign incentives to favor long-term investments." To do this, the responsibility for cybersecurity must be shifted to the organizations that are most capable and best-positioned to reduce risks. It points out that, "a single person's momentary lapse in judgment, use of an outdated password, or errant click on a suspicious link should not have national security consequences." While security is the responsibility of everyone, small businesses, small localities, and individuals simply do not have the resources to support the security needed to protect systems and data. Instead, the guidance proposes new incentives to favor long-term investments in security, resilience, and new technologies. Continue reading