#2018InReview Government Security

With the midterm elections now behind us, we have seen that there were several high-profile issues that caught the attention of voters, but data security was not one of them. It should be.

We have heard over the past few years from some elected officials on election interference and the security of voting machines, but the fact that all levels of government collect a massive amount of personal data is often overlooked. Without adequate protection in place, there is a real risk that this private data can be stolen or exposed.

While the general public doesn’t typically recognize the importance of state and local governments spending tax dollars to protect their information technology systems, the citizens of Atlanta and Baltimore may think differently. They know firsthand what can happen to municipal and emergency services when cyber-criminals capture your private data. 

Both cities were struck by ransomware this past year. Following the advice of the FBI and other cybersecurity authorities, neither city chose to pay the ransom, but the cost of recovery has been staggering. The total cost to Baltimore is still unknown, while the cost to Atlanta has been reported at over $17M. These are funds that ultimately were taken away from other programs.

If those in charge had made cybersecurity a priority and taken more precautions to protect the city’s critical data, the citizens of Atlanta would have been spared much of this expense. 

Higher level governing bodies — both domestic and abroad — have taken significant and positive steps over the past year to focus on the challenges surrounding cybersecurity and address what is needed for the future. This will continue to become an even more prevalent and dire topic worldwide over the coming years.

In the US, recent action has been taken at the federal level to give broader support to the issue of data security. In the past few months, the Senate and House of Representatives passed legislation which would reorganize the Department of Homeland Security’s National Protection and Programs Directorate (NPPD) into a new agency and prioritize its mission as the federal leader for cyber and physical infrastructure security.

This monumental initiative, the CISA Act (H.R. 3359), was signed into law by the President on November 16, 2018, creating the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security.

Across the pond, the UK has taken significant steps to address the issue of Critical National Infrastructure (CNI). The UK’s National Cyber Security Programme (NCSP) is a program established to build the cybersecurity posture through cross-government initiatives. The budget for the next five years of the program (2016–2021) is more than double that of the first five years (2011–2016), demonstrating how seriously high-level governments are beginning to take the issue of cybersecurity.

One of the specific provisions the NCSP program is addressing is the worldwide cybersecurity skills shortage. An overwhelming number of breaches and security incidents are caused by human error and this will not improve until more resources are dedicated towards improving cybersecurity awareness. This is certainly an issue that will continue to be a big topic of conversation in both government and commercial industries.

As more federal governments enact legislation and programs to address the issue of cybersecurity on a national and even global level, perhaps the directives will trickle down to local government bodies to make cybersecurity a priority, so attacks like those on Atlanta and Baltimore are thwarted.

New government and industry regulations are strengthening the rights afforded to individuals affected by breaches of personally identifying data and increasing the fines that can be imposed on non-compliant organizations. 

Few state and local politicians will see campaign supporters hoisting signs and banners advocating cybersecurity defense spending, but it’s time for our politicians to take a stronger stance and make information privacy and data protection a part of their campaign platforms moving forward.

It is the type of understanding and perspective that can separate an exuberant candidate from one who is better informed. It’s time to take action.

The City of Atlanta might have built another school or park or improved its traffic flow with the funds diverted to recover from a recent cybersecurity attack, but the point is moot without addressing the problem up front.
