Last month, ransomware attacks disabled critical government systems in Atlanta and Baltimore. City employees in Atlanta had no access to their own data, and citizens lost their ability to pay water bills or traffic tickets online, use airport WiFi and report problems to the 311 system. In Baltimore, the 911 call center was hacked.
“What happened in Atlanta [and Baltimore] has happened in many organizations. It’s not unique. Even the specific type of ransomware is well-known" says Oren Falkowitz, a cybersecurity expert who is a former senior analyst for the National Security Agency and the United States Cyber Command.
Ransomware encrypts a victim's files and then sends a digital ransom note demanding money to decrypt them.
As a co-founder of Area 1 Security, Falkowitz works with public- and private-sector clients to boost their cybsersecurity. The way Falkowitz sees it, there are a lot of cities, counties and states spending money to prevent cybersecurity attacks in misguided ways.
“Governments are spending an exorbitant amount of resources that have no impact on future cyberdamages,” he says.
They rely too heavily, he says, on cybersecurity training programs for employees. Almost all states have one, but he says training doesn’t "provide tangible results in making organizations safer.”
“It only takes one person to click,” he says. “Training isn’t a practical solution. It’s a hope strategy.”
If governments really want to prevent cyberattacks, Falkowitz says they have to stop thinking of themselves as victims and start taking a more preemptive approach. That includes scoping out the vulnerabilities of their systems, analyzing likely threats, building in protective software solutions and carefully -- and publicly -- charting the results of their efforts.
"Accountability is the most important thing," says Falkowitz, and the lack of it is "the scarlet letter of the industry."
According to the most recent survey from the National Association of State Chief Information Officers (NASCIO), only 57 percent of CIOs measure the effectiveness of their cybersecurity programs. What’s more, many of these efforts are only at the beginning stages. Only 12 percent of respondents said their cybersecurity metrics program is fully operational.
Many state and local governments “don’t have baseline data and can’t measure their results. But you can’t measure improvement unless you know where you are today,” says Falkowitz.
Falkowitz also believes governments need to build and improve their cybersecurity leadership. This doesn’t just mean hiring a chief security officer but hiring one who can speak in nontechnical terms, as well as devolving cyber-responsibilities down so that managers throughout government understand their own systems and vulnerabilities.
Cybersecurity isn't just the IT department's problem. Falkowitz says it's as much a political and social issue as protecting citizens from crime or homelessness.
Still, he says “I have yet to see a candidate campaign on cybersecurity issues.”
This appears in the Management & Workforce newsletter. Subscribe for free.