Skip to main content
close search
site logo
Dive Brief

State CISOs up against a growing threat environment with minimal funding, report finds

A report by Deloitte and NASCIO warns that states do not have the resources necessary to fight state-backed and criminal threat groups.

Published Oct. 2, 2024
David Jones's headshot
Reporter
New York Gov. Kathy Hochul at a podium.
A 2022 ransomware attack against Suffolk County highlights the threat faced by state and local governments from hackers. New York state, led by Gov. Kathy Hochul, has taken several steps to strengthen its cyber posture. (2024). "Pausing Congestion Pricing to Address Affordability and the Cost of Living in New York" [Video]. Retrieved from Governor Kathy Hochul/Youtube.

Dive Brief:

  • State governments across the U.S. are facing a more sophisticated and complex cybersecurity landscape than ever before, and CISOs in many of those states say they don’t have enough funding to protect their computer systems and critical infrastructure, according to a report released by Deloitte and the National Association of State Chief Information Officers
  • State-level CISOs are being asked to protect computer networks that rely on legacy technology and limited IT-security budgets, according to the report. Among the top concerns for these states is the protection of local utilities and water infrastructure, where staffing is limited. The technology is often not up to date and sophisticated state-linked threat groups also actively target these systems.
  • Nearly 2 in 5 state-level CISOs say they are not getting the financial support they need to combat these threats. While federal budgets allocate about 10% to 12% of IT spending to cybersecurity, just 6% of respondents said their IT budget allocation was larger than 10%.

Dive Insight:

State and local governments have faced an increased threat of both criminal ransomware and state-linked attacks in recent years. In some cases, threat groups have exploited legacy technologies, including older computer systems and dependent on out-of-service or otherwise unpatched software.

“Out of the top five barriers, the top of the top five barriers is legacy technology and the challenge of putting protection provisions around them,” said Srini Subramanian, a principal at Deloitte, the company’s Global Government and Public Services consulting leader and co-author of the report.  

Just last week, the Cybersecurity and Infrastructure Security Agency reiterated warnings about hacktivists targeting drinking and wastewater utilities in the U.S. Local operators often rely on aging technology, use devices that are either unpatched or otherwise exposed to the internet and are still using default passwords. 

Many have failed to enable multifactor authentication. 

One recent investigation delved into the Suffolk County ransomware attack linked to AlphV/BlackCat in 2022. The threat group exploited a vulnerability in Log4j and took advantage of aging computer systems, firewalls that were bypassed and local officials ignored FBI warnings about active threat signals prior to the attack.

The state of New York has taken multiple steps in recent years to strengthen its cyber posture, including naming a statewide cyber chief and launching a statewide cyber strategy

The Department of Homeland Security last month allocated $280 million to the State and Local Cybersecurity Grant Program.

Editors' picks

Company Announcements

View all | Post a press release
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Editors' picks
Latest in Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell