Despite budget squeeze, state and local governments must shore up cyber posture
Eight months ago, state and local governments (SLG) faced hard technology and budgetary choices when they were forced to support the pivot to remote telework by most or virtually all of their employees as the coronavirus pandemic took hold. Work typically performed from relatively secure, in-office enterprise networks had to be undertaken remotely and from home networks, straining security infrastructure.
The challenge was in getting these workers up and functioning, often while the IT staff itself was working remotely. The focus was on establishing connectivity and access to the needed data and computing assets, leaving myriad possibilities for user error or misconfiguration to expose data — or for attackers to target these new business practices and less secure home network infrastructure.
According to information compiled by the National Association of State Budget Officers, many states have already directed agencies to plan for possible budget reductions — with many governors cautioning that the full fiscal impact of COVID-19 is not yet known and that there will be more tough funding decisions ahead.
Governments have to be extra savvy and nimble in making everything work — and to ensure that security is not lost in the process. Back in March, it was all about making sure employees could work remotely and ensuring that digital citizen services continued uninterrupted.
Numerous IT and cybersecurity officials, however, were seen as valuable team members and, in some cases, even the heroes in enabling the successful pivot to remote work. As a result, IT and cybersecurity may be understood and appreciated by leaders across government and recognized as more mission relevant than ever before.
This has implications for the role of cybersecurity in digital transformation within state and local government. NASCIO noted that nearly half of all US states do not have a dedicated cybersecurity budget – and that in most states, cybersecurity budgets are between 0 and 3 percent of their overall IT budget, compared with an average of more than 10 percent in the private sector. That presents a risk, but the recent pivot created a window of opportunity for IT and security leaders to capitalize on in identifying secure digital solutions for their agencies and in strengthening collaboration between IT and cybersecurity.
Next steps for SLGs
Many governments are still in a highly reactive mode due to the pandemic, but the new risks that popped up when many of their workforces had to shift to home offices haven’t gone away — and attackers are finding them.
Now is the time to develop a sustainable security posture going forward. The best way to get started? Look at the decisions made back in March when adjustments had to be made quickly and with a singular focus on keeping work flowing. While it was necessary to get remote operations up and running as quickly as possible when coronavirus hit, the situation also increased risk, opening new opportunities for exposure and targeting by cybercriminals and nation states.
One of the biggest challenges with spinning up remote work so quickly is that the remote user’s IT environment — typically a home network with weaker cybersecurity — became part of the infrastructure connected to the government office network too, vastly increasing risk. On top of that, government IT teams had to adequately and rapidly connect large numbers of remote users to enterprise data in March, often while making the transition to working off-site themselves.
Encrypting data in transit from the remote user’s location to the enterprise network or data center is a best practice. However, many organizations struggle to have the bandwidth and throughput needed to inspect this encrypted traffic, due to the latency many legacy commercial firewalls introduce when performing real-time inspection at scale. As a result, network operations staff may have turned off SSL inspection to cope with the increased demand for bandwidth and performance. However, this should have been viewed as a short-term fix, since it comes at the cost of blinding the organization to malicious activity that may have compromised the remote user’s device.
Now is the time for organizations to examine the field-expedient measures they took to implement the pivot to remote telework last spring. Cutting through red tape to expedite solutions was good, but it might have meant cutting corners on security as well. To the extent that the current IT posture achieved through the pivot becomes the baseline for ‘new normal’ operating procedures, it is worth looking for holes and weaknesses that were acceptable as short-term compromises but which may pose an unacceptable level of risk over the long term.
Another area to look at is the use of chatbots. While they became a critical storefront for digital services and resources in government during the pandemic as citizen demand soared, they do present some risks as well. When governments rapidly rolled out chatbots, they likely didn’t have either the time or expertise to see if an attacker could enter the network through the chatbot, which has to access stored government information for its responses. IT teams should validate that chatbots are staying in their lane.
Similarly, browsers have become a more prominent attack vector with the rise of remote work. Our August threat report shows that web-based malware used in phishing campaigns and other scams overtook email as the leading vector for exploitation and successful compromise in early 2020. This demonstrates that cybercriminals are targeting individuals when they’re most vulnerable — while doing their work on the internet or using web-facing applications at home.
The path forward
Taking these steps will help ensure state and local governments are exercising due diligence in doing the basics of cybersecurity for remote users, but moving forward, their broader security posture should be part of any broader initiatives to further digital transformation within government. The current funding and public health crises present an opportunity to leverage transformational technologies such as software-defined wide area networks (SD-WAN) as a long-term strategy, especially since at least some of the workforce will stay mobile even after the pandemic ends.
SD-WAN can transform a government’s capabilities by leveraging solutions that offer cash-strapped organizations cost savings and increased operational flexibility, and offer better performance for users. SD-WAN can pair with multi-cloud connectivity to deliver high-speed performance and security at the edge — where many remote work problems occur.
A secure SD-WAN solution is explicitly designed to operate as an integrated suite of capabilities, each element running the same operating system and able to be managed using a single interface. The networking and connectivity functionalities of SD-WAN aren’t bolted onto existing security solutions; they are engineered to comprise an integral whole. This allows for greater visibility into the traffic coming in and out of the network, even when it travels through a remote VPN.
And that’s the key. Visibility. If we don’t know what’s moving through our networks, we’ll never learn how malicious actors are taking advantage of vulnerabilities — let alone be able to stop them before an attack happens.
Addressing compromises made during the hurried pivot to mass telework and deploying SD-WAN are two steps in the right direction for IT and security teams as they take a long view of government computing needs in the wake of the pandemic. Those moves will, at the very least, set governments on a path to more secure networks and services.
These are difficult times for state and local officials and they have to work more efficiently than ever. Agencies are getting squeezed between tight resources and soaring demand and will have to be creative if they are to rise to the challenge of providing the level of digital service citizens deserve while staying within available budgets.
Jim Richberg is the Field CISO at Fortinet Federal.