The Washington Post revealed this week that several local governments across the U.S. are using a Russian brand of security software that the federal government fears could be leveraged by the foreign country for cyberespionage.
Earlier this month, the federal government removed Kaspersky Lab, a Moscow-based company that sells anti-virus security software, from its list of approved vendors. Meanwhile, nearly all the local governments interviewed by the Post appeared unaware of the controversy. Upon learning about it, most said that they had no immediate plans to stop using the product.
The news is merely the latest development in an ongoing debate about whether local governments are doing enough to protect themselves from cyber threats.
Cybersecurity experts have long been sounding the alarm about local governments’ vulnerability to cyberattacks and the impact such an intrusion could have. They say most local governments face great barriers to protecting their data and systems, including lack of funding, shortage of cybersecurity professionals and general ignorance about the seriousness of the threat.
“AT&T is not the communication center I care about. 911 is the communication center I care about. [Cyber actors] have the ability to create actual terror in the United States,” says Michael Hamilton, the former CISO of Seattle and current founder and president of the managed detection and response firm Critical Informatics, Inc.
However, Hamilton believes it’s premature for local governments to pull out of contracts with Kaspersky Lab, given that there have been no specific vulnerabilities identified and no evidence of malicious intent released to the public. “It’s got to be demonstrated somewhere that this threat is real” before local governments spend money to replace the software, he says.
“It’s expensive [to switch vendors]. When I was in Seattle, I fired McAfee [the security software company] and it was a huge investment. They’re not going to make that investment unless they have to,” says Hamilton.
John Morrisson, systems manager for the Connecticut Division of Public Defender Services, largely agrees. He says his agency likely won't stop using the software unless the feds bar state and local governments from contracting with Kaspersky.
“I don’t want to base it on cost, but we do have a three-year contract with Kaspersky,” he says. Still, he clarified, “obviously, if there was a problem, cost would not be an issue.”
In Portland, Ore., another city identified in the Post story, a spokesperson told Governing in an email that the city is investigating the feasibility of disabling its Kaspersky products, which one of the city's vendors is currently using to scan for malicious emails. Portland likely wouldn't take a serious financial hit, however, since it doesn't have a direct contract with Kaspersky itself.
For its part, Kaspersky Lab -- which was founded in 1997 by a former employee of Russian military intelligence agencies -- denies the allegations by the U.S. government. Controversy, however, has been following the company since at least 2015: According to the Post, law enforcement urged congressional staff that year not to meet with Kaspersky officials about national security matters. In addition, Michael Flynn resigned as President Trump's national security adviser this year in part because he failed to disclose the money Kaspersky paid him to speak at one of its cybersecurity conferences.
Beyond the Kaspersky controversy, Hamilton says local and state governments are in a deep rut concerning cybersecurity. He warns about the effects of “cultural inertia,” which he says encourages government workers to continue doing things the same way they always have.
“It’s like, ‘We fix potholes and put cops on the street -- we don’t hire cyber people,’” he says of the mentality of officials at the local level.
“Cyber people” are in fact the other big obstacle for local governments trying to protect themselves from cyberattacks: There simply aren’t enough of them working in the public sector. A 2015 survey from the National Association of Chief Information Officers found that 86 percent of IT chief respondents said they struggled to fill vacant IT positions.
Hamilton suggests creative solutions to help fill those gaps, such as internships or apprenticeships that might offer lower pay than private-sector jobs but help people gain experience early in their career.
But at some point, Hamilton says the federal government will have to “bust out the purse and help [state and local governments] with [cybersecurity] funding.”
Earlier this year, bipartisan lawmakers in the U.S. House of Representatives introduced a bill that would create a grant program for state, local and tribal governments to protect themselves against cyberthreats. This kind of funding would likely be welcome, especially with the news that Russia targeted election systems in 21 states last year.
The bill, however, has yet to go anywhere.
The other cities identified by the Post as using the program are Fayetteville, Ga.; San Marcos, Texas; and Picayune, Miss., which is scheduled to install it in public schools soon.