Halloween and Cybersecurity Awareness Month—More trick than treat?
The month of October starts with Cybersecurity Awareness Month and culminates with Halloween. So, as we enter another Halloween season and Cybersecurity Awareness Month, youngsters will be traversing neighborhoods in cute and imaginative costumes, ringing doorbells and innocently saying, “trick or treat.” They will do so without a thought as to what that phrase actually means. In fact, the tradition's origins go back some 2,000 years, and over that time the “trick” could be rather menacing.
Outside of this one night of merriment, many view October as another opportunity to promote better awareness and improved cyber hygiene. Despite all the warnings, some 90 percent of cyber incidents are still attributed to human error and varying degrees of carelessness. The problem is that cyber criminals don’t observe holidays, except to exploit the atmosphere of laxity one might find late at night or over a weekend, and especially over a holiday weekend. Cyber criminals are always seeking vulnerabilities in systems and in people. And this month, like every month, they will be looking to “trick” us adults. They entice us with a “treat,” using deceptive disguises in seemingly innocent messages or emails, preying on workers and citizens alike. Virginia’s state CIO recently stated that the Commonwealth faced more than 43 million cyber threats in 2021, which works out to roughly 80 attempts every minute of every day.
This year, cities and counties expected a “treat” in the form of a historic four-year, $1 billion federal cyber grant program (the State and Local Cybersecurity Grant Program), enacted in November 2021 as part of the bipartisan infrastructure bill. In late September of this year, CISA and FEMA published the rules that govern the program. The program calls for 80 percent of the funds to go to local governments and, of that, 25 percent to go to rural localities. This legislation marks the first time the federal government has initiated such a broad and focused cybersecurity program for state and local governments. The “trick” is in navigating the 90-plus pages of rules and supplemental materials to determine how localities can apply for assistance, and for what types of projects and expenditures. Who is eligible, and for what? Despite the seemingly long wait, the funds will not flow immediately: CISA and FEMA require each state to develop a statewide cybersecurity plan that sets priorities, and they direct states to coordinate key cyber priorities and programs with their local governments. The other “trick” (and there are many) is communicating with local governments in a meaningful way. Except for a few sparsely populated states, most state governments and state agencies have little to no formal relationship with their local governments.
Some state officials have privately balked at the apparent red tape and the matching-fund requirement, and in some instances have said they may forgo the first round of funding. Applicants are required to show that they will implement projects that further four core objectives. Each project must include a schedule with clearly defined milestones that aligns with the applying entity’s cybersecurity plan. The four core objectives are:
Cyber incident response
Develop and establish appropriate governance structures, as well as develop, implement, or revise cybersecurity plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations.
Testing and evaluation
State, local and territorial agencies must seek to understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation and structured assessments throughout their programs.
Cyber risk protections
Implement protections commensurate with cyber risks, through the adoption of fundamental cybersecurity best practices and assessment and planning processes that will identify the needed security protections.
Workforce initiatives
Ensure organization personnel are appropriately trained in cybersecurity through workforce development initiatives and adoption of the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework.
Beyond the four core objectives, there are 15 required elements, and each entity must show in its application that it will address all of the following:
1. Information systems/IT management
2. Network traffic monitoring
3. System resilience and response
4. Cyber vulnerability and threat assessments
5. Safe online service delivery
6. Continuity of operations after incidents
7. Cybersecurity workforce development
8. Continuity of communications
9. Critical infrastructure and risk mitigation
10. Cyber threat information sharing
11. DHS cyber services implementation
12. Technology modernization efforts
13. Coordinated cyber risk strategies
14. Rural cyber services and programs
15. Funding distributions across local entities
Finally, there are seven tactical areas that must be addressed in each local government application:
- Implement multi-factor authentication capabilities.
- Implement enhanced logging capabilities.
- Encrypt data at rest and in transit.
- End the use of unsupported/end-of-life hardware and software.
- Prohibit the use of known/fixed/default passwords and credentials.
- Ensure the ability to reconstitute systems through backups.
- Complete migration to the .gov internet domain.
There are clearly a lot of bases to cover and much to digest in all the requirements, stipulations and matching funds. Much planning will need to occur before any meaningful funding can be awarded. Smaller and medium-sized local governments, in desperate need of cybersecurity help now, may find themselves on the sidelines for lack of in-house expertise and capacity. Many don’t realize that as many as 35 percent of local governments operate with three or fewer IT staff. Let it be said, no one is trying to “trick” anyone. Yet this October, local governments will innocently have their goody bags out, going agency to agency and hoping for a “treat,” that is, that they will actually get something out of the $1 billion in cyber funds.
Dr. Alan R. Shark has been vice president, public sector, and executive director of the CompTIA Public Technology Institute (PTI) in Washington, D.C., since 2004. He is a fellow of the National Academy of Public Administration and chair of its Standing Panel on Technology Leadership. He is an associate professor at the Schar School of Policy and Government, George Mason University, and a course developer and instructor at the Rutgers University Center for Government Services. He is also the host of the popular bi-monthly podcast CompTIA Sharkbytes. Dr. Shark’s thought leadership activities include keynote speaking, blogging and Sharkbytes. He is the author or co-author of more than 12 books, including the nationally recognized textbook “Technology and Public Management,” as well as “CIO Leadership for Cities and Counties.”