GUIDE TO CYBERSECURITY AS RISK MANAGEMENT

The Role of Elected Officials

2015 e.Republic. All rights reserved.
1100 Connecticut Ave. N.W., Suite 1300, Washington, D.C. 20036
governing.com
A division of e.Republic
11325 Random Hills Road, Fairfax, VA 22030
cgi.com

Contents

Executive Summary ... 2
How to Use This Guide ... 3
  Introduction: Not If. When.
Cybersecurity Actions for Elected Officials ... 5
  An Elected and Agency Executive MUST-READ: How to Be an Executive Cybersecurity Champion
  A Legislator MUST-READ: How to Be a Legislative Cybersecurity Champion
Government Threats, Assets and Enemies ... 9
  Know the Threat: The Age of the Targeted Attack
  Know Your Assets: What's Worth Protecting?
  Know Your Enemy
Risk Management: Prioritizing Resources ... 15
  Risk Management: A Cure for the Budget-Strategy Disconnect
Re-inventing Cybersecurity Using the NIST Framework ... 17
  Background of the NIST Framework
  How to Use the NIST Framework
Finding the Right Skills and Expertise ... 21
  Don't Go It Alone: Trusted Third Parties
  Engaging the Private Sector
Breach Response Basics for Elected Officials ... 25
  Pre-Breach Planning
  Mitigating a Breach
  Communicating About a Breach
Tying It All Together ... 28
Endnotes ... 29

Executive Summary

Cybersecurity should be integrated into the overall risk management process of every government organization (e.g., jurisdiction, department or agency). Because the purpose of cybersecurity is to support and protect business functions, it must be aligned with business objectives and appropriately funded to match risks. Since a state, city or county comprises many agencies providing citizen services, it is important to note that overall risk is based on the risk postures of each of these supporting organizations. Basically, you are only as protected as your weakest link.

Within the familiar context of risk management and assessment, elected officials can balance business requirements with security risks to:

- Inform investment decisions
- Make financial recommendations
- Allocate resources
- Develop policies, strategies and plans

By defining the risk strategy and levels of acceptable risk, agency leaders and security teams are able to manage security risks to the most acceptable level, including budgeting commensurate with the relevant risk.

This guide, Cybersecurity as Risk Management: The Role of Elected Officials, a collaborative endeavor between the Governing Institute and CGI — a leading IT and business process services provider — helps elected leaders address cybersecurity risks by:

- Spelling out cybersecurity risks and providing information to help public officials fulfill their responsibilities and safeguard their communities
- Suggesting strategies for integrating cybersecurity into an organization's risk management framework, and developing and adapting cybersecurity and cyber disruption response policies and plans
- Discussing the private sector's role in government cybersecurity efforts; although governments are often leery of collaborating and sharing with third parties, when it comes to cybersecurity, the private sector's involvement is imperative
- Offering practical and actionable information to support the cybersecurity risk management efforts of elected officials

How to Use This Guide

As an elected official, you have a unique role in government cybersecurity efforts and are held accountable for protecting critical government resources and data.

Too often, elected officials fail to prioritize cybersecurity until after a breach — when it's too late. Such failure to properly plan for and provide adequate cybersecurity resources can result in the exposure of large numbers of constituent records, which can damage the livelihoods of citizens and businesses, cost millions of dollars in unplanned expenses, spawn lawsuits and erode public trust. The loss of reputation and public trust is immeasurable, especially for government organizations.

Consider these facts:

- U.S. data breaches reached a record high in 2014, with a 27 percent increase over breaches in 2013. The public sector was third on the list of targeted industries.[1]
- Security breaches have significant fiscal impacts across the economy. In 2014, data breaches cost U.S. companies an average of $195 for each compromised record.[2]
- The cost to remediate data breaches has been rising 15 percent each year.[3]

The purpose of this guide is to make it easier for you to fulfill your responsibilities for ensuring the safety and privacy of your constituents' data, whether you're in the executive or legislative branch of government. Although elected and agency executives and legislators have different roles and responsibilities when it comes to cybersecurity, it's critical they work in harmony to accomplish the same goals.

The guide begins with checklists of the top cybersecurity action items for elected and agency executives and lawmakers. For more detailed background, read further for an overview of public sector threats, assets and adversaries. You'll also find in-depth recommendations for integrating cybersecurity into an organization's risk management framework, and an introduction to the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework). This is followed by a brief discussion of staffing and external partnerships and a reference section on breach response.

Introduction: Not If. When.

State and local officials need to ensure cybersecurity is addressed in their jurisdictions. Imagine that your organization experiences every elected official's nightmare: a major cybersecurity breach. A server housing taxpayer data has been hacked, and hundreds of thousands of Social Security and bank account numbers have been stolen.

What went wrong? Has the leak been secured or is the organization still losing data? Are other systems and data at risk? Who is the attacker? How should the breach be handled? Who will deal with the press, the public and law enforcement?

It turns out that a phishing attack against employees found at least a couple recipients willing to click on a link that infected their computers with credential-stealing malware. After several weeks of snooping undetected through systems using a remote access service, the hacker successfully used the employees' credentials to access a critical database and copy large amounts of unencrypted taxpayer data.

Ultimately, the cybercriminals made off with more than one million Social Security numbers and half a million bank account numbers. The bill for the breach is estimated to exceed $5 million, including the cost of remediation efforts, taxpayer notification, credit monitoring, and legal and public relations services. Meanwhile, angry citizens and the media are demanding answers.

As an elected official, you might be on the periphery of cybersecurity planning and implementation, but as this scenario illustrates, you can't ignore an attack. Cybersecurity might seem like an information technology (IT) issue, but a security breach is a political flashpoint. And, increasingly, breaches appear inevitable. Most security experts agree governments should adopt a "not-if-but-when" attitude towards cyber breaches. "We're in an era where we all must plan as if a breach will occur," says Molly O'Neill, CGI vice president. "This assumption requires a different approach to cybersecurity."

Information Security vs. Cybersecurity

Cybersecurity specifically refers to the protection of digital information transmitted over networks, computers or other systems. Cybersecurity is a subset of information security. Information security more broadly refers to the protection of all information, whether digital or physical. Although this guide focuses on cybersecurity, the practices and strategies discussed can apply to all information, regardless of form.

Cybersecurity Actions for Elected Officials

In the absence of enterprise-wide cybersecurity standards and regulations, many security experts use a patchwork of government and industry mandates to direct their efforts. Compliance requirements can help organizations establish a cybersecurity baseline, but this approach lacks consistency across the public and private sectors as a whole. "There has been a degree of fracturing where different sectors and organizations rely on different standards, regulations and requirements," says Adam Sedgewick, senior information technology policy adviser for NIST.[4]

This compliance-based approach is not dynamic, and can be unresponsive to changes in the threat environment. "Government IT and security personnel are realizing cybersecurity isn't just a technology problem or a compliance issue," says CGI's O'Neill. "It's a business problem, so it has to be managed like one."

Instead of relying on mandates that drive cybersecurity strategies, cybersecurity efforts should be integrated within existing risk management and business continuity processes. The risk-based approach is driven by business requirements and will help leaders identify, assess and prioritize cybersecurity spend and strategies.

This guide's primary recommendation is to apply risk-based management to cybersecurity planning. It supports the adoption of the NIST Cybersecurity Framework, a risk-based, best practice-focused model that can be customized depending on business needs, risk tolerance, and available funding and resources.

Although elected and agency executives and legislators have different roles and responsibilities, they must collaborate closely with each other, third-party organizations and the private sector to accomplish critical cybersecurity objectives. The following checklists for elected and agency executives and lawmakers provide top action items for addressing the public sector's cybersecurity challenges.

Key Actions:

Apply risk-based management to cybersecurity planning. The primary recommendation of this guide is to apply risk-based management to cybersecurity planning. The risk-based approach is driven by business requirements and will help leaders identify, assess and prioritize cybersecurity spend and strategies.

Adopt the NIST Cybersecurity Framework. This risk-based, best practice-focused model can be customized according to business needs, risk tolerance, and available funding and resources.

Collaborate internally and externally. Agency executives and legislators should collaborate closely with each other, government chief information officers (CIOs) and chief information security officers (CISOs), third-party organizations and the private sector to address the public sector's cybersecurity challenges.

An Elected and Agency Executive MUST-READ: How to Be an Executive Cybersecurity Champion

By being a well-informed and vocal advocate for cybersecurity initiatives, the executive cybersecurity champion sets the tone for the entire agency. Furthermore, when elected and agency executives take on a leadership role in supporting their technical and security teams, they help build public and legislative awareness, a requirement for obtaining appropriate funding. "It really makes the job easy when you're working with a leader who understands the importance of cybersecurity," says David Behen, CIO for the State of Michigan. "When leadership gets it, they fight for it, and when they fight for it, there will be budget for it."[5]

Here's how leaders in the executive branch can fight for cybersecurity.

1. Ensure security is integrated into the agency's overall risk management strategy, and adopt the NIST Cybersecurity Framework. Increase the importance of cybersecurity across the agency by requiring all departments to participate in ongoing planning and management activities and ensuring their compliance with appropriate mandates and participation in the risk management process.

2. Use the NIST Framework to measure the maturity of the agency's existing cybersecurity program. Perform a risk assessment by inventorying the agency's most critical digital assets, information and systems. The inventory, which should include all data sets, will document data confidentiality and applicable security and privacy laws, enabling security pros to create a tailored plan for prioritizing data and protecting each data set, including the most appropriate breach response for each one.

3. Implement tools and technologies that provide constant measurement of capabilities such as the Department of Homeland Security's (DHS) Continuous Diagnostics and Mitigation (CDM) program (see page 23) or software applications that communicate security posture via data analytics-based dashboards. Continuous analysis of its security posture helps an agency monitor the security of technology, networks and applications as they evolve.

4. Develop and maintain a strong cybersecurity team, starting with the CIO and CISO — a challenging task given the ongoing scarcity of qualified cybersecurity professionals. Support IT and security leaders by empowering them with clear

authority and responsibility for cybersecurity planning and management. Work with them to develop a plan for recruiting, hiring and maintaining cybersecurity talent through cross-training programs and hiring initiatives such as targeted recruitment campaigns and college internships. Given the shortage of cybersecurity experts, it may be necessary to outsource some parts of cybersecurity to companies or experts.

5. Propose budgets that prioritize cybersecurity programs. Via the risk-based cybersecurity planning process, CIOs and CISOs can identify top cybersecurity priorities and programs. Collaborate with them and with your fiscal staff to develop appropriate budgets, and be a vocal advocate when presenting them to legislative bodies, committees and councils.

6. Vigorously promote a security culture by requiring all employees to undergo regular cyber-awareness training. Sharing relevant risks, threats and challenges with employees is effective because it gives them an active stake in protecting the agency. Cyber-awareness trainers can work with you to provide dynamic training that's customized according to employees' roles, business needs and current threats.

7. Ensure business continuity plans encompass cyber incidents. Cybersecurity breaches can bring down entire networks. This was the case with the Sony hack, which left the company with no network or computer access. Sony relied on phone trees, mobile devices, personal email accounts, and pen and paper to communicate.[6] Consider different continuity scenarios based on type of attack, and ensure the plan's effectiveness is tested in scheduled simulations. Many states are wrapping the cybersecurity scenario into their disaster recovery plans.

8. Create an incident response team and ensure a response plan is queued up in the event of an attack. An incident response plan goes into effect when an attack is confirmed. The response plan should define roles and responsibilities, outline how to recover systems to their pre-attack state, identify where data is backed up and determine a communication plan, among other essential activities. Like the business continuity plan, the incident response plan should be routinely tested to ensure its continued relevance and effectiveness.

9. Work hand-in-hand with legislative counterparts to increase the visibility of cybersecurity in your jurisdiction. This includes educating lawmakers, citizens and the private sector on the need for funding to implement security programs. Communicate the likelihood of a security breach to key stakeholders, including constituents, and assure them that appropriate containment and response plans are in place.

10. Collaborate with the private sector to create a secure, technology-friendly culture for conducting business. Support and promote risk-based cybersecurity management among private sector partners, and evaluate how the two sectors might work together to improve security across the jurisdiction.

11. Require dashboards that show progress on cyber program maturity and types of threats identified. Direct stakeholders to report from external collaborative working groups, incident response centers and internal resources to understand and prioritize actions to minimize exposure.

12. Review procurement processes. Procurement of any technology solution has recently become more complex with the emergence of cloud and "as-a-service" solution models that change where data is stored, how

it is accessed and how it is protected. Make sure agencies are procuring adequate security services around data and infrastructure for these new as-a-service models.

A Legislator MUST-READ: How to Be a Legislative Cybersecurity Champion

A legislative cybersecurity champion will support and empower agency executives and technical and security teams by collaborating closely with them to understand business needs and risks, educate citizens and fellow lawmakers on the importance of cybersecurity, promote security and technology as key economic drivers, and secure appropriate funding and other resources. Here's how lawmakers can be a part of the cybersecurity effort.

1. Support and promote risk-based cybersecurity management in both the public and private sectors, including the adoption of the NIST Cybersecurity Framework.

2. Collaborate closely with agency executives, CIOs and CISOs. Invite them to appropriate legislative meetings to educate yourself and fellow lawmakers on the organization's cybersecurity philosophies, strategies and needs, and to help elevate their department and mission.

3. Be a vocal advocate for strong cybersecurity public education programs. As a lawmaker, you can draw on increased public awareness of the importance of secure government technology infrastructure to pass legislation and secure funding.

4. Prioritize cybersecurity funding. Work with the executive branch, agency heads and security experts to understand fiscal requirements. Do they have the appropriate levels of funding, staffing and other resources? If not, can they partner externally to supplement internal capabilities? Collaborate with agency experts and allies in the legislature and private sector to identify and support appropriate cybersecurity funding.

5. Promote cybersecurity as a key economic driver and a critical component of a thriving business and technology culture.
Develop business-friendly programs to understand community needs; provide education, training opportunities and job fairs to strengthen the cybersecurity workforce; and showcase security best practices and innovation.

6. Facilitate inter-governmental (i.e., executive, judicial, legislative, federal, state and local) communication and collaboration about cybersecurity threats, issues and plans.

7. Propose and/or support legislation that enables easier sharing of information about cyber threats among federal, state and local government agencies and with the private sector.

8. Work to toughen laws that protect citizen and government data. For example, evaluate breach notification laws that determine when a breach has occurred, or the state's definition of personally identifiable information (PII). (See PII definition sidebar on page 11.)

9. Promote cybersecurity in schools. A top hiring challenge nationally is finding qualified individuals with cybersecurity and data analytics talent. Promoting these programs in all levels of public and private education will not only help create a more educated society, but also will help solve a critical talent shortage and drive economic development in this emerging industry.

Government Threats, Assets & Enemies

Elected officials must understand the economic impact of a cybersecurity breach. According to one study, the average cost to an organization for a data breach in the U.S. is $5.85 million, which includes costs associated with mitigation, fines, litigation, business disruption and lost productivity.[7]

A high-profile breach at the South Carolina Department of Revenue in 2012 exposed the tax records of 70 million people, and cost the state $41 million.[8] In Utah, the theft of 750,000 Medicaid records cost the state at least $9 million.[9] The total fiscal impact of such breaches across the U.S. economy is enormous.

The loss of public trust and reputation is an even greater risk for government, which is responsible for safeguarding critical assets, infrastructure and data, and notifying the public in the event their privacy or safety is compromised. Governments ignore this responsibility at their own peril. "There's a great degree of anger and frustration over [the 2012 security breach]," says Tom Davis, a state senator from South Carolina. "This is information you've got to give the government; if you don't, they put you in jail. There's a real sense of betrayal."[10]

Know the Threat: The Age of the Targeted Attack

The chances that you'll have to deal with a cyber-attack are steadily increasing. The Government Accountability Office (GAO) found that federal agencies reported slightly less than 30,000 information security incidents, both cyber and non-cyber, to the U.S. Computer Emergency Readiness Team (US-CERT) in 2009 and over 61,000 incidents in 2013.[11] Recently, the Office of Personnel Management (OPM) announced that the personal data of 21.5 million federal employees, contractors, applicants and family members was stolen in a cyber-attack. This was after a previous breach earlier in the year exposed 4.2 million federal personnel records.[12]

What You Need to Know

Who poses a threat to cybersecurity?

- Scammers and thieves seeking information and planning advanced persistent threats (APTs), which are sophisticated, well-resourced attacks, usually backed by political or financial motivation
- Individual hackers or hacker collectives seeking fame, profit or publicity for activist agendas
- State-sponsored criminals who want to disrupt operations, create an atmosphere of fear and uncertainty, or steal sensitive information for profit or espionage
- Disgruntled employees, contractors and other insiders who aim to leak, steal or sell classified information
- Employees that inadvertently aid cyber thieves by falling for scams
- Organizations practicing poor security management, leading to non-malicious attacks or data leakage

What are the biggest targets/risks?

- Sensitive public safety information
- Intellectual property and security intelligence
- Constituent PII (see PII definition sidebar on page 11)
- Individually identifiable health information, often called protected health information (PHI)
- Critical infrastructure systems such as traffic management, utilities, government networks and even social media sites
- Confidential communications
- Vendors, suppliers and users of the above who are part of the supply chain

State and local governments have experienced an increase in the number of breaches as well. In May 2014, officials in Los Angeles County discovered a break-in at a county health contractor's office that led to the theft of computers containing the personal information of more than 342,000 patients.[13] Each year, the State of Michigan's cybersecurity efforts result in blocking 2.5 million Web browser attacks, 179.5 million HTTP-based attacks and 5.2 million intrusions.[14] Many of these are crude attempts, but even with these prevention activities, threats continue to evolve and risks abound.

For many government executives, the threats to national and regional public safety and economic stability are uncomfortably vague. They evolve at an alarming pace, and are complicated by the increase in adoption of disruptive technologies such as cloud computing, social networking, mobile computing and multiple network interconnections. The scope and sophistication are dizzying, even for the most advanced security teams.

Cybercrime encompasses fraud, theft, extortion and more. It includes politically motivated crimes such as sabotage and espionage, large-scale network and system disruption by known terrorist organizations, and even the digital defacement of government websites and social media accounts. Cybercrimes occur via malware, hacking, viruses, denial of service (DoS) attacks, phishing and email scams, among many others.[15] (See sidebar "Glossary of Common Cybersecurity Threats" on page 13.)

Know Your Assets: What's Worth Protecting?

Governments maintain a wealth of assets that are at risk for being compromised by cybercriminals, including:

- Government information and systems
- PII, both for government employees and citizens (see sidebar "What is PII?" below)
- Traditional public infrastructure

What is PII?

PII stands for "personally identifiable information." While state definitions may vary, the federal government defines PII broadly. According to federal practice: "Personally identifiable information refers to information which can be used to distinguish or trace an individual's identity, such as their name, Social Security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."[16]

PII can include:

- Names
- Addresses
- Personal identification numbers, including Social Security, passport, driver's license, taxpayer identification and patient identification numbers
- Date and place of birth
- Mother's maiden name
- Telephone numbers
- Photographs
- Biometric records
- Vehicle registration and title numbers
- Medical records
- Educational information
- Financial records, including bank account and credit card numbers
- Employment information

Other common subsets of PII can include:

- Health data
- Federal tax information
- Cardholder data protected by credit card industry standards

Additionally, most states now have data breach notification laws. Under these laws, an organization must notify individuals if their PII is breached. Typically, these state laws define PII more narrowly than the federal definition. Notification of individuals can be costly and embarrassing. In some states, the state breach notification law applies to subdivisions of the state and in others it does not.[17]

Government information and systems. State and local organizations are responsible for maintaining and protecting sensitive and classified information and the information systems that keep the government and its services open for business. This includes:

- Preliminary research data
- Trade and other economic development information
- Internal budget or personnel information
- Network diagrams, Internet Protocol (IP) addresses, and server names and configurations
- External vendor and contract information
- Public safety information about transportation systems, utilities, water supply, etc.
- Protected intellectual property
- Security intelligence
- PII of government officials and their family members

Some bad actors care little about the information as their goal is to disrupt the government by shutting down systems and websites. Many state and local governments have been on the receiving end of cyber vandalism or defacement and DoS attacks. For example, protesters recently took the State of Hawaii's official website offline as part of an environmental protest.[18] And in 2014, hackers shut down the State of Colorado's voter registration system for several hours.[19]

Citizen PII. Government agencies are entrusted with protecting citizen information collected in the course of providing services and conducting electronic transactions. PII is an attractive prize for crime rings looking to commit financial or identity theft and social services fraud. "The escalation of security breaches involving personally identifiable information has contributed to the loss of millions of records over the past few years," warns NIST, which is tasked with developing standards, guidelines, techniques, metrics and testing programs for securing federal enterprise data systems and data.[20]

Traditional public infrastructure. Transportation networks, the electrical grid, the water supply and other physical infrastructures are connected via complex networks and control systems, including network-connected traffic management systems, speed limit indicators and roadside information boards. In addition, utilities may be owned and operated by private and public sector entities that transmit usage information via network-connected smart meters.

Cybercriminals may have the ability to remotely attack hardware, steal administrative credentials to take over systems and compromise physical assets with digital control systems. Hackers can also disrupt or undermine government operations via systems that help manage physical assets such as building, lighting and HVAC. "Today, our traffic lights, our routing system for trash pick-up, and so much more are electronic," says Los Angeles Mayor Eric Garcetti. "Cybersecurity means protecting the basic services at the core of city government, and it means protecting our critical infrastructure like our port and airport, which we know are top targets."
