States face a growing number of increasingly sophisticated cybersecurity threats but lack the staff needed to deal with them, according to a report released Monday by consulting firm Deloitte and the National Association of State Chief Information Officers.
Malware, ransomware and phishing attempts remain among states' leading cybersecurity threats, according to the report, which is based on a survey of state CISOs. In addition, states' CISOs are becoming more concerned about foreign state-sponsored espionage, zero-day attacks and threats to cloud computing, the report said.
States are struggling to address cyberthreats due to poor coordination among local and state governments and public institutions of higher education, the report states, as well as worker recruitment and retention challenges.
States moved several operations, services and employees to virtual environments "nearly overnight" during the COVID-19 pandemic, with state CISOs boosting "safeguards such as multifactor identification, risk monitoring and incident readiness to secure a remote workforce," the report says.
But that isn't enough to meet states' growing cybersecurity demands. States must devote more time, money and effort to cybersecurity as they use more connected technologies and allow more employees to work from home.
State cybersecurity budgets and dedicated staff numbers "pale in comparison" to the private sector, said Deloitte's Srini Subramanian, principal of its risk and financial advisory practice for the state, local and higher education sector, who co-authored the report.
The number of cybersecurity professionals employed by states is essentially unchanged from 2020, the survey found.
Among the state CISOs surveyed, the top five barriers to addressing cybersecurity challenges were:
- Legacy infrastructure and solutions to support emerging threats (named by 52%)
- Inadequate availability of cybersecurity professionals (50%)
- Inadequate cybersecurity staffing (46%)
- Decentralized IT and security infrastructure and operations (38%)
- Increasing sophistication of threats (29%)
All those figures have increased since Deloitte and NASCIO conducted their last survey in 2020.
In addition, nearly 1 in 3 state CISOs reported that state agencies manage cyber incidents independently instead of working with a central IT security team. More than 60% of those surveyed said their staff has gaps in its cybersecurity competencies.
The report recommends that states adopt a statewide cybersecurity approach and reform their recruiting and retention practices to attract cybersecurity professionals, many of whom are younger and have different values and expectations than older workers.
It also recommends that states increase their cybersecurity budgets and upgrade technology to combat new cybersecurity threats.
However, local governments are sometimes reluctant to work with state CISOs because they prefer greater autonomy, Deloitte's Subramanian said in an interview.
That hesitancy could subside now that Congress has approved a $1 billion cybersecurity grant program for local, state and territorial governments under 2021's infrastructure law. The grant program requires states to give local governments at least 80% of the funds, which should encourage greater collaboration among local and state governments on cyber issues, Subramanian said.
The San Diego Regional Cyber Lab leads a coordinated effort among local governments and others in the greater San Diego area to guard against and respond to cyberthreats. The city received more than $900,000 from the U.S. Department of Homeland Security for the project, which shares information about cyberthreats, develops and shares best practices for cybersecurity and provides training, according to the city.
The need for greater collaboration became clear after San Diego conducted a survey that found local governments in the area didn't have the staff or resources to protect against cyberthreats, Darren Bennett, CISO for the City of San Diego, said in an interview.
Local and state governments previously tried to keep bad actors out of their IT systems by putting "a fence around their organizations" while making it relatively easy for employees and other authorized users to navigate them once inside, Bennett said.
But that approach doesn't work anymore because bad actors have turned to new tactics to get inside IT systems, such as phishing scams or convincing people to hand over sensitive information, Bennett said.
That's making it harder to build IT systems that protect against cyberthreats and still allow people to do their jobs effectively. "We want our networks and our cyber environment to be kind of like a hospital," Bennett said. "We want it to be more secure, cleaner and tighter than most [places], but we don't want the entire environment to be an operating room because then it becomes problematic. It [becomes] so secure that you can't get work done. So, it's a little tricky."