Cyber Risk Report for 19 Apr 2019

This week's important cyber news in 5 minutes

What You Need to Know This Week

  1. North Dakota seizes control of cybersecurity operations from ALL public agencies in the state

  2. State and local spending on cyber is less than 3% of its IT budget—and half have no cyber budgets

  3. White House OMB does not track state or local cybersecurity spending

  4. Cyber may not be prioritized under new DHS Secretary

North Dakota seizes control of cybersecurity operations from ALL public agencies in the state

Background: North Dakota’s governor, Doug Burgum (R), a former entrepreneur who sold his last company to Microsoft before entering politics, has signed into law ND2110, which hands control over all cybersecurity operations across all public agencies (municipalities, counties, schools, special districts, courts, etc.) to the state’s own Information Technology Department. It is the first state in the nation to centralize cybersecurity authorities over all public sector entities.

Why It Matters: This raises considerable questions about the qualification, training, and experience of the IT civil service staff in North Dakota, and about risks from political pressures and other factors. But this law deepens North Dakota’s already surprisingly forward-leaning thinking in trying to solve cyber risk. I would argue there’s a slightly-better-than-zero chance small to medium sized local, county, school, and special district governments in a lot of states will be able to recruit and retain extremely expensive cybersecurity talent and master how to solve cyber risk on their own. There is no reason to believe small governments are less likely to be attacked. Yet this is hard enough to do with traditional IT networks. It is even harder with the far more complex and operationally sensitive OT/Industrial Control networks commonly used in cities and special districts. It is a steep hill to climb for rural, geographically distributed governments that don’t have the financial horsepower of larger states like California or New York. But even in such wealthy states, there are thousands of cities and special districts that are too small to afford dedicated cybersecurity operations and staff. And with a noticeable lack of MSSPs specializing in public sector security, this type of solution is an intriguing if untested idea. The scope of the bill starts with cyber defense, procurement, reviews/approvals for new equipment to be installed, responsibility for a unified cybersecurity strategy, and other areas. The scope expands in 2023.

Reference: North Dakota Senate Bill #ND2110, “Cybersecurity”

State and local spending on cyber is less than 3% of its IT budget—and half have no cyber budgets

Background: Section 630 of the 2017 Consolidated Appropriations Act requires the White House to provide an analysis of federal spending on cybersecurity, with the latest update showing an aggregate total of $17.4 billion—a 5% increase over the prior year. The White House’s latest report also includes analysis on non-federal spending—state and local governments, in particular. The data for their analysis is sourced from an outdated 2016 Deloitte-NASCIO study, despite a more recent and exhaustive 2018 study in which, for the first time, all 50 state CISOs participated. Nevertheless, little has changed. In fact, Deloitte-NASCIO declare cyber’s top challenges still persist largely unchanged—since 2010! The study documents that nearly half of all US states have no cybersecurity budget; that budget growth has slowed compared to 2016 among those that do; and that most states still spend less than 3 percent of their total IT budget on cyber.

Why It Matters: While most private and public sector entities still budget and execute cybersecurity within IT departments, such an approach ignores the holistic, organization-wide impact of cyber risk. The role of a CISO is not just to oversee cybersecurity operations; it is to be an integral risk manager to every function and department in an organization. The siloing of cyber spending and operations under IT diminishes its influence with an organization’s top decision-maker, and relegates its focus only to technological risk management, not more holistic organizational risk and strategic planning. But wherever they choose to concentrate funding, cyber risk is growing exponentially as the attack surface broadens with every new device, and cyber crime is showing absolutely no signs of abating. The minuscule percentage of funding on cybersecurity by state and local governments may indicate a dramatic misunderstanding of cyber risk across the public sector. Or, it may indicate a calculus that falsely concludes accepting such risk is a more politically or financially viable strategy than mitigating, through improved cybersecurity, the losses that would be incurred from an actual attack. States and local governments have jurisdiction over far more than just their own networks—critical infrastructure providers, though often privately owned and operated, are frequently regulated or guided by public entities.

Reference: Consolidated Appropriations Act 2017, Public Law No. 115-31, amended 31 U.S.C. § 1105 (a)(35).

Reference: White House Budget Proposal FY2020, pgs. 305-310

Reference: Deloitte-NASCIO 2018 cybersecurity spending study: States at Risk

White House OMB does not track state or local cybersecurity spending

Background: Referencing the same OMB budget document and analysis from above, another key take-away is literally just a footnote in the White House’s analysis on cybersecurity spending. Footnote #4 on pg. 306 notes OMB does not collect any data on cybersecurity spending from non-federal entities, including states, local and county governments, and private entities.

Why It Matters: That such data is not tracked is not in and of itself surprising, but it is indicative of a much broader problem—a collective government apparatus endlessly spinning its wheels on cybersecurity. Cyber has been a “priority” in Washington since at least 2010, but we still have no comprehensive vision and strategy for defending the collective, united states. There is much more to secure than just Defense networks. Election systems and critical infrastructure. State and local government networks (particularly among the states that share infrastructure across state lines or provide integrations to federal systems, thus making it more of a federal issue). Not to mention states who cannot afford expensive cybersecurity operations or talent in the first place. If you are not even tracking the expenses and priorities of the states, it’s hard to argue you have an effective vision for a risk that affects the entire nation. If California’s agricultural farmlands or supply chains are attacked, it will impact nearly all the states and countless other countries. This makes cyber risk not just a California concern, but a national one. DHS has dedicated elements for each critical infrastructure sector and extensive coordinating entities, but state and local programs are piecemeal where they even exist at all. Partly, that is the understandable democratic process taking time to achieve consensus. But even the Trump Administration’s cyber executive order made few substantive changes from the Obama Administration’s, which itself was uninspired. And through mixed signals, eliminated positions, constant leadership turmoil, and strategic ambiguity, the current administration has de-emphasized cyber risk and policy outside of defense and intelligence operations. (Which have, to be fair, been greatly bolstered.) The administration eliminated the National Security Council’s senior-level cyber coordinator in 2018. It has provided little leadership to Congress in clarifying expectations, authorities, or roles for the State Department’s new cyber office—after first downgrading it from Ambassador-status and then later disbanding the original office entirely. In an era where there are few international cyber norms and risks to all the states and the federal government are increasing exponentially, the lack of a coherent, unified plan is hindering any meaningful progress—both at a federal level, and in terms of guiding national-level priorities across the states.

Reference: White House Budget Proposal FY2020, p. 306

Cyber may not be prioritized under new DHS Secretary

Background: DHS Secretary Kirstjen Nielsen resigned in the past week, and is set to be replaced (acting until confirmed) by Kevin McAleenan, previously commissioner of Customs and Border Protection. There are still key cyber experts in federal service—particularly in the DoD—but at a policymaking, cabinet, diplomatic, and international affairs level, it’s an ever-shortening list.

Why It Matters: DHS has an almost unfathomably broad set of missions, each by itself deserving of prioritized national attention. Nielsen brought to DHS significant cyber experience, from private sector consulting and serving as an advisor to President George W. Bush. From election systems to forming the new/consolidated Cybersecurity and Infrastructure Security Agency (CISA) and the National Risk Management Center, she made cybersecurity an essential priority across DHS components. The loss of Nielsen is another in a long list of cyber experts who have either resigned, been fired, or been forced out of the Trump Administration—Kirstjen Nielsen, Tom Bossert, Rob Joyce, among others. It seems unlikely McAleenan will either drive for such a priority or be able to offer a cyber perspective rooted in experience. He has extensive credentials in immigration and border security, and the administration has clearly made that the number one priority for DHS. Yet we are also in a cyber war against many adversaries, in an operating environment where cybersecurity is largely still unregulated, unlegislated, and uncoordinated within the U.S. and internationally.

Cyber Risk Report is published by global intelligence and cyber risk advisor Dan Trimble. Opinions are his own and do not necessarily reflect those of any organizations he works with.