November 15th, 2021
The new $1 trillion Bipartisan Infrastructure Deal is the largest federal investment in infrastructure in more than a decade. In addition to providing significant new federal funding for roads, bridges, water systems and more, it also has new funding for cyber investment.
The funding has the potential to make real impact – if it is deployed in a manner that allows state and local governments to leverage their existing infrastructure to truly improve their cybersecurity postures.
Along with the recent Executive Order on Improving the Nation’s Cybersecurity, these investments, including $1 billion for modernizing state and local networks to defend against cyberattacks and $100 million for a new cyber response and recovery fund accessible to private entities that own critical infrastructure, signal the importance of cybersecurity as a critical national security priority.
So where should state and local agencies start in effectively investing these new funds? It depends on the maturity of your cybersecurity strategy and where you are on your journey to implement it. To help with this, I’ve outlined some key steps that will help agencies deploy this funding effectively.
Agencies need to understand where their organization fits within the cybersecurity threat landscape. As an example, a 2019 ransomware attack on a major US city had a devastating impact across the city's services. It also affected businesses outside the city's control: for one, the attack halted real estate transactions. Sometimes the victim of an attack provides essential services to the intended target.
The bottom line: We’re all connected, and it’s essential that, when it comes to cybersecurity, agencies know where they are in any risk chain. This information won’t help you buy anything, but it will help put any investments into context so that anything you do procure can be deployed to help address your risk.
A baseline cybersecurity goal should be to know where all of your assets are and what they’re doing at any given time. Teams should take inventory of what they have, clearly identify what’s in an environment, what’s on, what’s off and assess the overall health of the environment – we call this defining the protect surface.
As an exercise, cybersecurity leaders should be able to pick five assets at random and three dates, also at random, and pinpoint who used the asset, what the users did and whether any software was installed or removed. If you can’t do that, invest in infrastructure and endpoint monitoring software, stat.
Service accounts are essentially accounts created by computers to perform functions on other computers or on themselves. They carry elevated privileges to perform certain tasks. When software is installed, the installer, running with root credentials, creates these accounts for the software, which means the programs inherit permissions and rights that are much higher than necessary. What's worse, these accounts are usually created with default usernames and passwords and with admin rights they shouldn't have.
Many of the recent major breaches leveraged service accounts, reusing the same credentials to move from machine to machine within a network. As the organization moves to multi-factor authentication (MFA), don't neglect the management of service accounts. Do your existing cyber tools have privileged access management capabilities? If not, plan to change that immediately.
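The machine-to-machine pattern described above is detectable in ordinary logon telemetry. The following is an added example, not GDIT's code or tooling; it assumes a constructed log format (timestamp, account, source host, target host), a `svc_` naming convention for service accounts, and a 5-minute window with a threshold of 3 distinct targets, all of which a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample of successful network logons: time, account, source host, target host.
SAMPLE_LOG = """\
2021-11-15T08:00:05 svc_backup fs01 fs02
2021-11-15T08:00:09 svc_backup fs01 fs03
2021-11-15T08:00:14 svc_backup fs01 fs04
2021-11-15T08:01:02 svc_backup fs01 fs05
2021-11-15T08:30:00 jsmith ws17 mail01
2021-11-15T08:31:00 svc_sql db01 db02
2021-11-15T08:31:30 svc_sql db02 db03
2021-11-15T08:32:00 svc_sql db03 db04
"""
WINDOW = timedelta(minutes=5)  # assumed detection window
MAX_TARGETS = 3                # assumed: distinct targets one account may reach per window
def parse(log):
    events = []
    for line in log.splitlines():
        ts, account, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), account, src, dst))
    return sorted(events)  # chronological order

def is_service_account(name):
    return name.startswith("svc_")  # assumed naming convention

def find_fan_out(log, window=WINDOW, max_targets=MAX_TARGETS):
    # One account reaching many hosts in a short window: credential reuse at scale.
    per_account = defaultdict(list)
    for ts, account, _, dst in parse(log):
        if is_service_account(account):
            per_account[account].append((ts, dst))
    alerts = {}
    for account, hits in per_account.items():
        for i, (start, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - start <= window}
            if len(targets) > max_targets:
                alerts[account] = sorted(targets)
                break
    return alerts

def chain_hops(log):
    # Account logs on A->B and later from B onward: the machine-to-machine pattern.
    seen, chained = defaultdict(set), set()
    for _, account, src, dst in parse(log):
        if is_service_account(account):
            if src in seen[account]:
                chained.add(account)
            seen[account].add(dst)
    return sorted(chained)
```

Both detectors only need the logon events a SIEM already collects; the fan-out rule catches bulk reuse, while the hop-chain rule catches a slower walk that stays under the fan-out threshold.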
The worst thing that can happen in a cyber breach is not knowing what happened. So agencies without a dashboard that can tell them should invest in security information and event management (SIEM): the ability to monitor and manage your existing tools in a single location.
As an example, if your website goes down, the cause could be a cyberattack or faulty hardware. Without SIEM, you're starting an investigation into what happened from zero. You're flying blind. The resolution differs depending on the cause, but effective, continuous monitoring will surface the issue and identify its cause quickly.
Automation, specifically artificial intelligence-based Security Orchestration, Automation and Response (SOAR), can give agencies greater capacity and agility in responding to cyber threats. With it, they can rely on software to detect anomalies and deploy human-created responses, which is essential in a market facing a shortage of talent, as cybersecurity is.
Of course, SOAR doesn’t work without SIEM, so agencies with a mature SIEM are well positioned to now leverage the variety of available automation tools to enhance their cybersecurity strategies.
Agencies on solid ground on each of the items above are now in a position to embrace a zero trust model. In zero trust, data is the central consideration, and access to it is protected based on the business-critical nature of that data.
As an example, when I work remotely, I cannot access company financial data. When I’m in the office, I can. I’m the same person, but I’m on a different network and sometimes on a different device when I work from home. Agencies should begin to develop and deploy their zero trust strategies in order to protect their mission-critical data and services.
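The remote-versus-office anecdote above is a policy decision that depends on the data's classification and the request's context, not on the identity alone. The following is an added example, not GDIT's code; the tier names, the network labels and the policy table are assumptions, and the decision fails closed for data that has not been classified.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    data_tier: str        # classification of the data requested
    network: str          # "office" or "remote" (assumed labels)
    managed_device: bool  # agency-managed, inventoried endpoint
    mfa: bool             # request carried a verified MFA factor

# Assumed policy table: requirements grow with the business-critical nature of the data.
# The author's anecdote (same person, remote network, financial data denied) is the
# "mission-critical" row; the identity alone never decides.
POLICY = {
    "public":           {"mfa": False, "managed_device": False, "networks": {"office", "remote"}},
    "internal":         {"mfa": True,  "managed_device": False, "networks": {"office", "remote"}},
    "mission-critical": {"mfa": True,  "managed_device": True,  "networks": {"office"}},
}

def decide(req):
    """Return (allowed, reasons). All conditions are evaluated so a denial is explainable."""
    rule = POLICY.get(req.data_tier)
    if rule is None:
        return False, ["unclassified data: deny by default"]  # fail closed
    reasons = []
    if rule["mfa"] and not req.mfa:
        reasons.append("mfa required")
    if rule["managed_device"] and not req.managed_device:
        reasons.append("unmanaged device")
    if req.network not in rule["networks"]:
        reasons.append(f"{req.network} network not permitted for {req.data_tier} data")
    return not reasons, reasons

def audit_line(req, allowed, reasons):
    # Decision record for the SIEM: who, what tier, context, outcome.
    outcome = "ALLOW" if allowed else "DENY(" + "; ".join(reasons) + ")"
    return (f"user={req.user} tier={req.data_tier} net={req.network} "
            f"managed={req.managed_device} mfa={req.mfa} {outcome}")
```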
Today, GDIT is having conversations with IT leaders at the state and local level to help them deploy their limited resources in the most effective and efficient ways possible. Certainly, this new funding will be welcomed at all levels, and the role of systems integrators is to help customers at every stage in their cybersecurity journey. Across federal, state, and local agencies this is the kind of mission-enabling collaboration that GDIT teams bring to the table for our customers.