Risk & Security

Texas’ Former CIO Says States Must Help Battle Ransomware

Leaving states out of the national cyber conversation, says Karen Robinson, is a mistake as big as the Lone Star sky.

The devastating ransomware attacks that shut down a major gas pipeline and the world’s largest meat supplier show how critical the issue of cybersecurity is becoming for U.S. businesses.

President Biden has responded to the recent assaults with an executive order to strengthen cybersecurity by requiring new software standards for government contractors and swifter breach reporting.

But it turns out that the frontlines in today’s cyberwar are much closer to home. Often they reside at the state level, on local infrastructure that businesses and government depend on to deliver services to consumers and constituents. State CIOS, however, are struggling to partner with their federal peers.

Tanium’s Cyber Hygiene Assessment: An actionable path to better endpoint management and security

That, says Karen Robinson, must change.

Robinson is the former CIO for the state of Texas as well as a member of the National Association of State Chief Information Officers. Throughout her career, she has partnered with both public and private organizations to help states and government agencies improve technical innovation and cybersecurity. 

Now CEO of KWR Acuity Strategies, a consultancy that advises government tech leaders on digital modernization and cybersecurity strategies, she recently spoke to Endpoint about the need for public-private partnerships to battle cybercrime, how the pandemic has shifted state IT priorities, and the role of state CIOs in leading digital transformation efforts to benefit their citizens and local businesses.

What role do states play in bolstering national cyber security?

Given the weaknesses in today’s information technology, and the advancing strength of cybercriminal tools and methodologies, we can no longer just rely on cyber-perimeters for digital assets and data protection.

A best-practice principle is to move protection as close to assets as possible. Better securing of assets means protection mechanisms are placed on and around the infrastructure, allowing business and government entities to deliver products and services securely.

But not all states are created equal when it comes to cybersecurity and IT, right? What are the dangers and challenges of having uneven approaches across the country? 

States have unique needs. They each have critical assets, business processes, and risk tolerance. States have different demographics and cultures. Effective cyber hygiene and IT risk management must be matched with criticality and need.

Our collective cybersecurity is only as strong as its weakest link.

Our collective cybersecurity is only as strong as its weakest link. Look at the Colonial Pipeline attack. A single attack shut down a pipeline that supplied gas to 45% of the East Coast. The attack shows our interconnectedness and why we all must be concerned about cyber-readiness.

What can we do to level the playing field?

Some states have an abundance of resources, with established control frameworks, regular and periodic assessments, and advanced security operations and fusion centers. At the same time, other states continue to struggle with insufficient funding to support their mission and critical infrastructure. Using a comprehensive tool to help organizations confidently manage performance, address threats, and ensure compliance is critical to basic IT operations.

[Read also: How government CIOs can play tougher D]

To level the playing field, we need state funding for technology, making state-of-the-art tools available, and sharing approaches and best practices. But what is most needed is a credible and consistent framework against which all states can conduct planning and deployment of security programs. Those programs can then be consistently measured for appropriateness and progress. 

How can the federal government and states work together to improve our security?

The federal government would bolster cybersecurity by establishing an “umbrella” framework or governance committee of desired cybersecurity postures, allowing room for states to “achieve” those postures that match their level of risk and need.

Today, we know that states do not base their programs on a consistent industry framework, such as the ISO 27001 (the international standard for measuring information security) or the federal NIST [National Institute of Standard and Technology] framework. 

The pandemic accelerated digital transformation, but it also shrank state budgets. What case can state CIOs make to get the resources they need to continue digitization efforts?

The devastation of resources has been a bit overstated. Our experience has been that resources and budgets, instead of being reduced, were significantly reprioritized to help create new or enhanced digital business capabilities. That includes both new technologies and processes.

[Read also: How engine maker Cummins embraces cyber hygiene]

Now that those capabilities are operating successfully, government agencies must continue to invest in, strengthen, and secure them. The public is looking for consumer-grade government services. Once the states provide a frictionless, one-stop, single-click experience, citizens will get the user experience they demand.

When will states reach parity with the likes of Amazon or Netflix?

The rollout of digital state services during the pandemic was done with existing processes and technologies that may or may not have been appropriate to the need. But they got the job done.

Digital services were rolled out on existing—and perhaps incomplete or less robust—infrastructures. And in many cases, services were delivered with security as an afterthought, given the priority and focus placed on speed to market.

I believe that in the next 18 to 36 months, we’ll see the modernization, hardening, and enhancement of those digital processes using the lessons learned in the past 15 months. 

I also believe we’ll see leading-edge approaches and technologies emerging from the development pipelines. It’s an exciting time. I’m looking forward to what comes next.

Teri Robinson
Teri Robinson is an award-winning cybersecurity and tech journalist who, for the past decade, led editorial for SC Media, a top-ranked security news outlet. Her work has appeared in The New York Times, Inc. Magazine, and a variety of leading B2B editorial brands.