“Spill on Aisle Four”: Who is responsible for cybersecurity risks in the public sector?

Key takeaways:

  • When seeking to understand the reasons for a cybersecurity incident, organizations should not only examine technical factors but simultaneously perform deeper assessments into organizational and cultural factors that could have contributed to security lapses.

  • The private sector has a different set of motivators, accountability structures, and budgeting signals that position entities to be more resilient and secure than public sector entities.

  • IT/cyber leaders and business leaders need to do a better job communicating with each other about organizational and technological risks.

  • System enablers or blockers like procurement, budget, and personnel are just as important as the latest security tools in providing security.

  • Governance and accountability structures must be established that prioritize security over turf protection; the risk is too great to allow peripheral factors to interfere.

In order to understand the factors that lead to devastating cyber attacks, we need to go much deeper than the traditional after-action reports that are laden with technical jargon. While they accurately assess the technological and sometimes process failures, they don’t adequately analyze the larger organizational and cultural factors that make entities vulnerable to an attack in the first place. A public or private entity that fails to consider how budget, communications, personnel, governance, and procurement fit into a holistic strategy is just as vulnerable to an attack as one without the latest technology stacks and system controls.

If an organization wants to truly learn from an attack, then these factors need to be vigorously probed and remediated just as technological vulnerabilities need to be documented and fixed. The failure to do so makes for an even more painful experience as attacks are likely to reoccur, further harming organizations that haven’t learned from their acts of omission and commission. It’s easier to procure some additional tools and say that the problem has been addressed. Tools alone won’t solve an organization’s problems or prevent future attacks.

To put a historical analogy to this point: one can easily blame the Visigoth tribes for the ultimate destruction of Rome. They looted and ransacked the city, leading to the dissolution of the empire. However, as most historians accept, the slow rot and destruction of the Roman empire had many more social, political, and economic causes than one horrendous security breach. By the time Rome was “breached”, the empire was already compromised.

The more difficult charge and less common activity in analyzing a cyber attack is to dig deeper to identify and address the larger factors that were proximate if not direct causes of an incident. Because these factors are less visible and not clear cut, security reviews aren’t always the best at diagnosing organizational and cultural security issues. This failure to dig deeper makes for a less resilient and less secure organization, by papering over root causes or cultural failures in favor of quick fixes.

After an attack, organizational leaders want to know what happened and how they can make the pain go away. Everyone wants a quick fix, but easy solutions are often illusory and incomplete. A business or government that has just been subjected to a devastating attack is often in no position to perform this critical self-assessment; it’s easier to search for the technical answers and kick the can down the road.

An organizational risk assessment would be a complementary barometer to more clinical and technological reviews. Reviews often stop at the “who, what, and where” and frequently leave out the “why” because it’s not nearly as simple or easy to pin down. The “why” questions are also not a straight line between cause and effect. The risk of not conducting a more thorough review is that entities are subjected to repeat attacks and precious resources are wasted, rendering recovery and remediation efforts in vain.

The public sector is often regarded as less innovative, slower, and more resistant to change than the private sector. I think the government often gets a bad reputation; however, I do believe that the structure of public sector agencies makes them less resilient and more vulnerable to attacks. Is this simply because the private sector is more incentivized by stockholders, regulators, and the market to correct deficiencies? Possibly. However, there are other dynamics that exist in government that are often smoother and crisper in the boardroom, such as budgeting, procurement, lines of communication, and accountability.

Some recurring themes that I would suggest policymakers pay closer attention to:

  1. Communications

    I was intrigued at the generational divide on social media after the recent congressional hearings on TikTok. It was apparent that many representatives didn’t quite understand the technology or platform of TikTok. Their critics were quick to denounce their lack of tech savvy. As the stereotype goes, “Politicians and business users don’t understand tech and don’t try to grasp important concepts that their constituents depend on.” Conversely, the other stereotype goes, “IT people don’t communicate well. They speak in jargon that lay-people don’t understand.” In my opinion, both statements are equally true.

    Where this Cool Hand Luke-like “failure to communicate” manifests itself in catastrophic ways is when cyber/IT folks aren’t enabled, equipped, and empowered to communicate about risk to those up the chain of command. Cybersecurity is now too much of an existential threat to an organization to be relegated to the realm of the “IT department”. Private and public sector organizations are too dependent on technology not to understand how it works and how it impacts services. Too often, however, the gulf between technologists and business/policymakers is too wide, with disastrous results.

    If those ultimately responsible for maintaining public services aren’t even aware that there are technological, process, and people risks that undermine the security of a system, a successful attack is much more likely. This is the risk of not elevating cyber security and data protection to a central place of prominence. Just as warning signs were missed in major military catastrophes such as Pearl Harbor and September 11th, patterns and processes that point towards systemic issues and threats need to be diagnosed, elevated, and addressed. The tyranny of the urgent in any organization makes it difficult to slow down and have mature conversations about risk beyond the technical level. Public leaders shouldn’t wait for the management consultants to tell them their processes need modernization. They should be constantly assessing this risk.

    Consider a domestic metaphor as an example from my home recently. Our new refrigerator required a filter change after only 6 months. Because it’s equipped with a bevy of sensors, lights, and annoying chimes, it reminds me every day that it’s one more day overdue for this needed replacement part. As annoying as my aggressive fridge is, I would have really appreciated a similar automated warning before the devastating cyber attack that negatively impacted public health services during my time in Maryland government. Can one quantify the risk that legacy on-premises applications, shadow IT, and flat Active Directory deployments pose to a network? I assume these factors and many more could certainly point towards an increased risk of an attack, but how does one package this in a way that escalates above the noise of competing problems and priorities, like global pandemics?

    Cyber risk seems to be an omnipresent condition, but has the public sector caught up to this threat yet and made remediation and prevention key pillars of a modern government?

  2. Organizational Change

    In my own career, I assiduously avoided dealing with procurement for decades, until the last 3 years of my state service when I had oversight of an operation that needed procurement to function smoothly. Conventional wisdom holds that, generally speaking, public procurement is not as efficient as the private sector’s. That has certainly been my experience. How does this impact cyber? Procurement laws are often passed in response to past indiscretions and public corruption. They exist to make the process fairer and more transparent, not swifter and more efficient. Over time, the process subsumes the stated goal of procuring the best value for goods and services. More directly, when IT professionals cannot procure the goods and services they need to keep a government safe because the laws and procedures haven’t adapted to a 21st century IT economy, it adds risk to the enterprise. Should the attorneys be blamed? Tempting, but probably not, at least not exclusively.

    This does, however, represent another case where the system lacks the ability to quickly respond to threats as it is primarily oriented towards process concerns vs. security concerns. Procurement systems need to be designed to serve the agency to obtain quality goods and services, not to serve the needs of the procurement bureaucracy. It has been my experience that the public procurement system not only slows down the accumulation of good security tools and vendors, but it also does little to prioritize security in the selection process. Security by design should also apply to procurement.

    This dynamic easily spreads to budgets and IT spending. Public agencies are surrounded by legacy tech that’s out of date. As evidenced repeatedly throughout the pandemic, the public, expecting similar experiences in dealing with government as they had with Amazon and other web commerce sites, was consistently disappointed. Does a well-funded IT budget win votes? Of course not. Once again, the cause (lack of spending on IT) and the effect (a bad online experience or a cyber attack) are not closely enough linked to justify the expense. Are candidates in a gubernatorial or presidential debate likely to discuss their strategies to modernize legacy technology systems? Not likely.

    Perhaps here is where the private sector’s experience with a more quantified, risk management approach rationalizes and organizes the IT/cyber spend better than the budgeting process in the public sector. Private companies simply cannot afford to allow their IT and cyber functions to fall behind; the financial risks are too great. There is something more fundamental related to the profit motive that makes the private sector safer. Governments don’t need to compete and modernize to attract and retain constituents. Accordingly, they make budgetary decisions that are incentivized by political rewards. Constituents might not like their state’s ancient IT, but they aren’t likely to vote with their feet and punish the political leadership or move to a state with a more advanced suite of technological services. In reality, they have accepted the notion that public IT is not going to be as good as the private sector’s.

    But, as security threats become more severe, I believe that the public will in fact start to hold public agencies more accountable. When basic public health and public safety services are negatively impacted by cyber attacks for a prolonged period, perhaps then voters will demand more IT and cyber investment.

    Organizations that have failed for years to modernize and innovate their digital assets suffer from legacy technological debt. However, this type of debt is not solely a function of security tools. The lack of standards, certifications, and training for IT and cyber staff also contributes to the debt that makes agencies less resilient. The paradigm has shifted rapidly from a place where the biggest threat was information leakage and system outages to our current reality of ransomware attacks that disable the entire IT systems of critical infrastructure. However, the makeup of the state and local IT/cyber workforce hasn’t kept up. Once again, the comparison to the private sector is relevant. The private sector can demand more training and commensurately pay more for the talent. Consistently, the state and local workforce loses talent to the private sector and struggles to keep up. Designing effective and timely workplace training for public employees is sorely needed.

  3. Governance

    A particular risk to many state and local governments is the lack of centralized authority over IT and cybersecurity. Several years ago, my wife and I were shopping in a department store and heard over the loudspeaker “Spill on aisle four, who is responding?” I’ve always appreciated that type of system where individual employees are made responsible for the common good. This does not always exist in government, particularly when authority is decentralized and not clearly articulated. Who is responsible for systemic failures, for failures to invest in modernizing legacy tech, for investing in employee training, for requiring adherence to NIST standards? Organizational charts don’t typically shed any light on these types of responsibilities.

    A considerable amount of ink has been spilled in the IT press about whether or not CISOs should report to CIOs. Based on my own experiences, I strongly believe they should report to the CEO of a public or private organization; however, there’s a greater issue than this, and it deals with who is responsible and accountable for IT and security policy. Many governments, where IT evolved along with large public agencies, still have decentralized IT policies where individual agencies call all the shots, set the policies, and determine how best to protect their own turf. While I am more sympathetic to this desire as it relates to the IT needs of the business, I am wholly convinced that cyber threats require a centralized and coordinated approach. This position is extremely unpopular with large enterprise agencies for some very valid and equally invalid reasons. Whether worthy or not, it does mean that in a large state or other government entity, there’s a wide range of cyber maturity, and all public organizations aren’t equal, not by a long shot.

    This attitude serves a siloed agency head’s turf protection more than it does the security of an agency. When it goes wrong, it can go horribly wrong. When agencies are more concerned about turf, personnel, and agency power rankings than network security, risk creeps into the equation. Cyber criminals and advanced state actors don’t care about the academic debates over who sets security policy. If they see an open door, they will attack, with catastrophic results. Statutory and constitutional factors matter little. Once again, advantage: private sector. In a decentralized, quasi-feudal, archaic structure, one can easily blame an array of policies, processes, and people for cyber attacks. Where accountability is more focused, with direct lines of authority, regardless of whether the organization is public or private, excuses are more difficult to hide behind.

    Here again, I would point out that the private sector is organized in such a way as to better minimize these bureaucratic fights. One would think that inter-departmental power struggles are more rapidly addressed in the private sector, as everyone has a common line of command to a central governance authority. As an aside, I see it as an encouraging trend that a number of states are recognizing this challenge and empowering state CISOs, senior Cyber Advisors, and others directly in the governor’s office. As government services are nearly wholly dependent on IT and vital public services can be disabled in a short time span with devastating effect, there needs to be centralized power and accountability straight to where the buck stops.

    Lastly, a note about democracy and transitions. My point is not to delve into a political treatise, but the consequences of democratic government do in fact impact public sector agencies in ways that they don’t generally impact the private sector. Most governments have a great deal of potential turnover every four years. Peaceful and orderly transitions are good for democracy and good for society, encouraging ordered change and reflecting the wishes of the people. However, one hallmark of regime change tends to be that the old crew had it wrong, messed up, and now the new guys need to fix it. Many top leaders weren’t around to be tempered by exigent circumstances, so investments and policies are changed without relying on institutional memory. Perhaps this gives the new regime a fresh outlook on how to approach problems differently; on the other hand, I think it can also lead to backsliding towards bad habits and a lack of collective understanding of and commitment to security.

Conclusion

In this post, I have argued that cyber risk is better explained by larger organizational and cultural factors than by technology alone. It is also probably true that less mature private and public sector agencies don’t have the best technology stacks either. I believe that agencies that want to be more resilient cannot simply focus on a technical approach to cybersecurity. Rather, I believe that organizations need to be able to understand how non-technical factors can play an even larger role in negatively impacting their security posture. This is a more challenging analysis, however, in that it’s further removed from the source of the problem than granular tools and processes. Governments large and small should spend more time on systems analysis to understand what factors are inhibiting their ability to secure their networks. Possible lines of improvement and inquiry include governance structure, communications flow, budgeting process, and procurement reform.

Technology and tools alone won’t solve the problem. Process improvements, security configurations, and better policies will help, but also will not eliminate the risk. Modernizing procurement could in fact be more important than installing a next-gen EDR solution. At any rate, if the procurement system does not facilitate purchasing a new EDR system, the organization is at risk. Upskilling workers could pay more dividends than the most advanced firewall. Perhaps most importantly, developing a more modern and resilient governance system and communication structure that recognizes how profoundly the cyber threat has shifted in the past decade will serve public sector agencies well. Failure to adapt to this new reality will jeopardize the security of all of us.

Christopher Shank

Formerly a Senior Advisor in the Larry Hogan Administration. His portfolio included IT and cyber security. He currently is a consultant for several private sector companies.
