Here in the Sunshine State, policymakers have addressed the challenge of cybersecurity in recent years through a combination of laws, regulations, and best practices. In 2014 Florida’s Information Technology Security Act (F.S. 282.318) originally established a set of requirements for the state, namely the designation of a chief information security officer and establishment of a detailed, annually updated statewide information technology security strategic plan, with responsibilities extending to every state agency. F.S. 501.171 details consumer protection regulations, including legal requirements for notifying citizens in the event of a data breach.
Among other key updates, recently enacted House Bill 821 exempts sensitive information like network schematics from Florida’s broad public records law, closing another security loophole. Other states are passing similar measures to hone in on emerging problems and issues that are specific to their own citizens.
Still, with variations among states and with understanding of the true nature of cybersecurity threats continuing to evolve, do state agencies across the country have the strategies and tools in place to protect themselves and their constituents?
On a national level, the cybersecurity landscape has posed similar challenges. In a 2016 article in the Florida Bar Journal, Kevin Miller described the U.S. cybersecurity regulatory landscape as “a patchwork, consisting of a number of overlapping federal standards aimed at regulated entities in various sectors, state cyber-breach notification laws, state statutes, and caselaw arising from consumer actions against companies.” Challenges to data and network security have not paused for governments to develop effective response, and in many cases both federal and state entities have found it challenging to keep up. But have things improved since for technology leaders seeking to transition their agencies forward into greater security?
Yes and no.
Cybersecurity in 2020 and Beyond
Awareness of cybersecurity has grown exponentially in recent years and is gaining support in state legislative budgets and policies. In 2020, at least 40 states and US territories considered new bills and resolutions to address the latest requirements for cybersecurity, with measures passed and enacted in 19 states. These laws and resolutions include requiring specific best practices within government agencies, supporting training and education initiatives in cybersecurity, assigning penalties for computer crimes, and establishing more specific rules and regulations to guard against breaches across the board.
Cybersecurity is also gaining more support in terms of public sector budgets. At the federal level, the Cybersecurity and Infrastructure Security Agency (CISA) was funded in 2021 with nearly double its original budget request, coming in at about $2 billion to shore up cybersecurity and the protection of civilian networks. An additional $2 billion has been allocated to a variety of other agencies for modernization of federal government systems. As state governments continue to pass funded legislation to improve their states’ security, state budgets reflect this growing concern as well.
In spite of continued support for cybersecurity and increased awareness and best practices in place, precise boundaries of laws, regulations, and guidelines can be hard to nail down. For example, FTC guidelines require website operators to maintain “reasonable security” of information, which is open to interpretation and can leave questions about the precise responsibilities of public sector organizations. Not knowing what your agency could be held responsible for puts you in a vulnerable position in terms of compliance, in addition to the vulnerabilities introduced by evolving techniques used by bad actors.
It’s not just a problem of language, though. Chris Hallenback, former member of the U.S. Department of Homeland Security’s Computer Emergency Readiness Team and contributor to Security Boulevard, notes in a recent article that “The problem is that most of the proposed bills seeking to address ongoing challenges—and so many others that are likely to be proposed in the near-term—do not cover the fundamental problems that have weakened cybersecurity posture, especially at the state and local government level.”
And what are those problems? Specifically, Hallenback identifies two deceptively simple concepts: IT Hygiene and Full Endpoint Visibility. Looking further into these issues, it’s clear that both points bring attention back to the basics:
- While complex tools and strategies can reduce the risk of rare but devastating highly sophisticated attacks, the principle of IT Hygiene targets areas of cybersecurity often overlooked as unimportant: user-level strategies like multi-factor authentication and limiting the permissions granted a specific user profiles to eliminate any unnecessary access to systems and data, which then reduces the scope of potential damage that an unauthorized login can allow.
- Full Endpoint Visibility allows observation of all endpoints in a network, giving your organization early warning of vulnerable points– and not just high-profile endpoints like on-site servers, but also endpoints like employee laptops, which are often under-protected with only antivirus software, or in some cases even with no protection at all. Something as simple as keeping an eye on the software installed on all endpoints can provide your organization with the advance notice you need to thwart a very real attack on your data and your constituents.
Into the Future
With pandemic-related shifts in the technology and networking landscape, in addition to new challenges introduced by the perpetual forward motion of technology development, the future of cybersecurity is happening right now. Concerns abound regarding cyber warfare, the increased use of AI in cybersecurity strategy and process, and legacy system vulnerabilities, and the push to modernize drives agencies forward in terms of both strategy and budget.
Closing security gaps is critical to the security of government into the future. The best thing public agencies can do for stakeholders and constituents in 2021 is to plan and implement cybersecurity strategy with all of these latest challenges and opportunities clearly in view.