Cybersecurity: A Holistic Approach

Sharing information across all levels of government, regardless of how far they are in cybersecurity efforts, could help all IT officials in protecting their networks.
by | April 3, 2012

Jessica Mulholland

Jessica Mulholland is the associate editor of GOVERNING, and is also the associate editor of both Government Technology and Public CIO magazines.

Cybersecurity is an issue all levels of government must address, and their response to potential threats has varied. Congress has introduced the Cybersecurity Act of 2012. Each state has enacted laws aimed at protecting itself and businesses from cyber-intrusions. Even the smallest localities are aware of the risks that their networks face, especially since they may store information that is shared with state systems.

Utah's Chief Information Security Officer Boyd Webb says that states are "light years ahead" of localities. Michigan's Chief Security Officer Dan Lohrmann cautions against saying that states are ahead, as cities can be leaders in cybersecurity as well. He suggests that it may be better to group big states and cities together, and smaller cities and counties as another group.

Does that mean that small, local governments are lagging on cybersecurity? Maybe questioning who's ahead (or inferring who's lagging) isn't the right approach.

"What I don't normally do is rate [what level of government is leading] because I think we're all in this together," says Will Pelgrin, previously an official in New York State's cybersecurity department and currently president and CEO of the Center for Internet Security (CIS). CIS houses a consortium of 50 state governments and almost 100 local governments that share information on cyber threats. "If we believe that we can do this on our own, we all lose."

Local governments may struggle with protecting their networks because they may lack the financial or personnel resources to take preventative measures. But Pelgrin hopes to include more local governments in the consortium this year, because the only way each level of government is really successful, he says, is collectively working together. "Cybersecurity doesn't know geographic boundaries," Pelgrin says, "so what I see may not be important unless I see it in context of what's going around the country as well."

As for the cost of cybersecurity, it almost certainly costs more to respond to an incident than it would be to detect and protect against it in the first place -- not just in dollar amounts, Pelgrin says, but also in non-quantifiable losses in trust and credibility. "We are there to provide the citizenry with the comfort level, especially in emergencies," he says.

It's difficult for all types of IT officials to keep sensitive data under control. "Data is present everywhere with all the mobile devices. It's constantly on the move as you are on the move," Pelgrin says. As a result, data protection at all levels of government has evolved from just securing the network to observing behaviors -- knowing how your systems function on a day-to-day basis and examining a system that's not acting the way it should.

Utah's Webb says that they've started monitoring up to 400 social networking feeds and their networks in real time to watch for sketchy behaviors. Michigan's Lohrmann says that his department is logging more events and patterns (like logging into a server with the wrong password numerous times). Both Webb's and Lohrmann's strategies rely on the "outside world" -- other governments and their servers -- to "connect the dots" and discover any potential threats. This makes the type of collaboration Pelgrin is seeking through the consortium all the more important.

"The behaviors review is somewhat new -- we relied a lot more on just the technology side of the house in the past," says Pelgrin. "That can't be the case anymore. We really need to look at it from a holistic approach."


More from Columns