Every year, we receive the same news: Cyber threats against the United States are on the rise. This year, though, we have some good news: Federal government officials are finally taking these threats seriously. These officials are committed to developing a cyber strategy and working hard to shore up the nation’s virtual defenses. Congress is exploring ways to reorganize its own technology research capabilities. The military is figuring out how to put Silicon Valley to use.
Governments at the state level, however, are lagging.
Cybersecurity suffers from the weak-link problem: Weaknesses in one area can put entire systems at risk. With cyberattacks affecting state and local governments every day, the United States cannot afford to let state-level cybersecurity go unaddressed.
The risks caused by state-level breaches are manifold. States that fail to address their own cyber risks are vulnerable, and one survey found 40 percent of local governments self-reported an increase in attacks in 2016.
We saw this in March 2017, during the alarming ransomware attack on Atlanta. For more than a week, Atlanta was crippled as hackers locked people out of their own systems, demanding money for return access. Atlanta’s government refused to pay, leaving employees to fill out forms by hand and costing taxpayers more than $2.1 million. Although Georgia eventually indicted two Iranian men for the attack, the city required the help of both the Department of Homeland Security and the FBI to get back on its feet.
While federal agencies like the FBI and DHS often step in to address major cyberattacks like the one in Atlanta, they simply do not have the resources to deal with every cyberattack on every city or town. If a similar ransomware attack hits Pierre, South Dakota — population 14,000 — at the same time attacks freeze systems in San Diego and Philadelphia, the smaller town might not receive attention, or at least not immediately. Without a massive expansion of these agencies, the federal government will be forced to make tough choices about whom to assist.
The solution to this problem is clear: To minimize dependence on federal resources, states must shore up their own cybersecurity capabilities.
They can start with cybersecurity-focused procurement. When making technology decisions, cybersecurity must be a priority, and states may need to forgo “cheapest provider” decisions in favor of more secure options.
It’s important to recognize that not all cybersecurity companies are trustworthy, and the federal government should help states determine which providers to trust. For instance, Kaspersky Lab Software, touted as a tool to shore up cyber defenses, has been banned from federal systems since September 2017, after it was identified as a possible tool for Russian intelligence. Similarly, the U.S. government has banned the use of Huawei and ZTE telecommunications equipment out of concern that the companies’ devices could be used to carry out espionage on behalf of the Chinese government. But these bans do not extend to state systems, and local officials may struggle to identify and replace the banned equipment.
With limited resources, each state will need to come up with creative solutions to ward off cyberattacks. Lacking budgets to build standing cyberattack response teams, several states are choosing to develop volunteer cyber forces. Much like military reserve units, cyber forces made up of the best local tech talents volunteer a few weeks each year to prepare in case of a major cyberattack, ready to come to their state’s aid should it need them.
Already, Michigan is experimenting with the Michigan Cyber Civilian Corps, while Ohio is bringing together organizations from the public and private sectors to test, defend and recover networks under attack. These efforts can serve as models for policymakers in other states who want to explore options and adapt them to their respective pools of resources and potential volunteers.
States can decide their own cyber futures. By prioritizing resources and innovating on the ground, states can mitigate risks and ensure that they are no longer the weakest link.