Risk & Security

Universal Broadband Must Include Cyber Hygiene Practices

As states tap into Covid-19 emergency funds to increase broadband coverage and boost digital citizen services, they need to bake cybersecurity into their efforts.

As CIO for the state of Missouri, Jeff Wann has had his hands full trying to build the kind of application infrastructure needed to deliver the quality of digital service today’s citizens increasingly expect.

It’s not that he isn’t staffed for it or that the state legislature doesn’t wish to catapult government IT systems into the 21st century. It’s that many of the more than 800 staff offices lie in rural areas where fiber-optic broadband connectivity is limited or nonexistent. And the state’s budget has just never been there to get on top of this common problem.

So, when President Biden signed the $1.9 trillion American Rescue Plan Act (ARPA) in March, the state of Missouri saw a chance to finally do something about it.

Control all network IT assets in minutes with automated client management.

The Covid-19 stimulus bill includes $350 billion in emergency funding for state, local, and territorial and tribal governments. While much of that windfall is intended to address routine needs like highway repair, law enforcement salaries, college grants, and vaccine distribution, parts of it would also be set aside for IT maintenance and upgrades across the country.

Wann was thrilled.

“A lot of Missouri (37%) is rural, and many of our offices in those areas don’t have appropriate broadband access,” he says. “When ARPA funding came along, the state saw it as transformational. It was the kind of once-in-a-lifetime opportunity that allows you to make very significant investments you couldn’t normally make.”

A six-pronged attack

While the U.S. is a world leader in providing internet connectivity to the masses, about 19 million Americans, or 6% of the population, lack basic access, according to the FCC’s Eighth Broadband Progress Report. The problem is worse in heavily rural areas, where 22.3% of Americans lack broadband access compared to 1.5% in urban centers. Think states like Arkansas, Mississippi, and Alabama.

It was the kind of once-in-a-lifetime opportunity that allows you to make very significant investments you couldn’t normally make.
Jeff Wann, CIO, State of Missouri
If internet service isn’t available for residents, it may not be available to government offices in those areas, either. That’s something state and city leaders hope to change with ARPA funds.

As part of Biden’s infrastructure bill, about $42.45 billion is expected to be set aside to upgrade broadband connectivity. At a state level, California Gov. Gavin Newsom signed a $6 billion bill in July to expand broadband across the state. And in Missouri, the state IT division proposed an aggressive, six-pronged program that will create a digital hub to make obtaining government services as easy as ordering a pizza from a phone app. Those enhancements will be extended to Missouri residents through the expansion of broadband.

[Read also: Texas’ former CIO says states must help battle ransomware]

The initiative would tap $117 million of ARPA funds to build out supporting technologies, including: journey mapping for tracking application progress (similar to how consumers can monitor the status of pizza as it’s made, leaves the store, and is delivered); alerts for pushing updates to devices; workflow orchestration for harmonizing disparate systems; IT tweaks for making data transfer faster, more efficient, and accurate; and real-time metrics for tracking how everything is performing.

“We’re moving toward a total new citizen experience in dealing with state government,” says Wann. “That’s what our digital transformation is all about in the state of Missouri.”

Making cyber hygiene part of the plan

While state and local governments are clearly putting ARPA funds to use for top-priority digital services, some industry experts worry they’re not paying enough attention to another top priority—cybersecurity.

Too often, government agencies default to buying the least expensive technologies for managing, monitoring, and safeguarding their IT assets. This is especially the case with departments that haven’t yet faced the ransomware scourge. They frequently lack visibility into what devices—or who—might be accessing their networks at any given time. In fact, a recent State Department inspectors general audit couldn’t account for 60% of employees who had access to classified materials, a situation, the auditors say, that “could cause grave damage to national security.”

Matt Pincus, director of government affairs for the National Association of State Chief Information Officers (NASCIO), says agencies have good intentions when it comes to preventing cyberattacks but aren’t committing enough budget dollars to the problem. Although state CIOs ranked cybersecurity as their top priority in NASCIO surveys for nine consecutive years, states are allocating only 1% to 3% of IT budgets to it, and only 35% of them have dedicated line items in their budgets for cybersecurity.

“That is really bad compared to the private sector,” Pincus says. “Some Fortune 500 companies are allocating 20% to 30% of IT budgets to cybersecurity because they understand the urgency of the threat.”

Alan Shark, executive director of Public Technology Institute, says that instead of making cybersecurity an afterthought, state and local CIOs need to bake it into all digital transformation efforts. A portion should go to modern technologies like endpoint data security as well as backup-and-recovery tools, he says. But organizations also need to explore and invest in cybersecurity awareness training to cover the human element, which is often the weakest link in cybersecurity, Shark advises.

[Read also: To improve cybersecurity, empower your people]

Experts recommend supplementing ARPA-funded programs with solutions supporting good cyber hygiene. These would include investing in tools for:

  • Continuous vulnerability patching, an area that agencies frequently overlook.
  • Automatically managing configurations to save time and money while increasing efficiency and cybersecurity posture.
  • Enforcing the zero-trust model, where every device that tries to log on to a network is treated as a potential threat, with the aim of securing computer networks from malicious intrusion.
  • Creating and tracking incident response protocols in order to reduce hacker dwell time and minimize the exfiltration of data.

“If you’re modernizing, invest now,” Shark urges. “Just do it and know that your investment will carry you for a number of years, which is better than what you probably have today.”

Addressing citizen consternation

John Quinn, CIO and secretary for digital services for the state of Vermont, is going a step further by including cybersecurity requirements, such as endpoint protection and satisfactory penetration-test scores, into all vendor contracts for ARPA-supported projects under his watch.

Without these funds, the modernization of the DMV wouldn’t be happening.
John Quinn, CIO and secretary for digital services, State of Vermont
Tapping $66 million of the state’s $1.3 billion in ARPA funding for IT, Quinn hopes to securely and effectively reverse many of the most aggravating experiences citizens have with state government. A portion of the money, for example, will help modernize the hardware and software powering the Department of Motor Vehicles. In the midst of a pandemic, where remote is the name of the game, this would include eliminating the 10 paper touches that typically occur during something as simple as renewing a registration.

Another chunk of the funds would go to upgrading the decades-old mainframes, which are notoriously slow at processing and shipping unemployment checks from the state’s Department of Labor. Vermont is also implementing a single customer relationship management (CRM) solution to better orchestrate the 189 processes and systems involved in serving residents. In the end, Quinn believes ARPA funding will vastly improve citizen experiences.

“Without these funds, user interfaces wouldn’t be getting upgraded right now, and the modernization of the DMV wouldn’t be happening,” he says. And there is a bonus: Today’s investment will reap dividends tomorrow. “Those things have long-term effects on the state.”

[Read also: To improve cybersecurity, federal agencies should modernize IT first]

At a local level, ARPA funding is enabling fresh thinking about technology’s role—both operationally and financially. The city of Alexandria, Va., for example, is doing something remarkable. It is using a share of $60 million in ARPA funding to dig 40 miles of trenches for new fiber-optic broadband lines to better connect municipal and school offices. But while the ditches are open, the city will also contract with an internet service provider (ISP) to bury a second line for delivering service to underserved residents.

What makes the initiative novel is that the city could potentially make money from this arrangement.

“Whomever partners with us needs to be willing to provide access to every street in the city,” says Laura Triggs, deputy city manager for Alexandria. “We are providing the skeleton for them to connect it all.”

David Rand
David Rand is a business and technology reporter whose work has appeared in major publications around the world. He specializes in spotting and digging into what’s coming next – and helping executives in organizations of all sizes know what to do about it.