There may be light at the end of the cyber-risk tunnel for state governments, but don’t look for it to appear soon. That was the sobering message from Commonwealth of Virginia CISO Mike Watson delivered on July 21 at FedInsider’s CyberThreats 2021 event.
Speaking with FedInsider’s John Breeden, Watson talked about how state and local governments have embraced new technologies and tactics to protect information in response to the evolving threat landscape.
Asked about the increasing number and sophistication of attacks, Watson replied, “to say that the threat environment is changing is almost an understatement, the last six months have been a completely wild ride cyber-wise.”
During that period, there have been large cyberattacks against software supply chains, direct attacks against popular mail software, and targeted attacks against critical infrastructure systems. The latter include a water system in Florida, and most recently the cyberattacks on Colonial Pipeline and national meatpacking operation JBS USA.
“All of these things are great examples of just how bad things are getting in the cyber landscape. Attackers are getting more sophisticated, and they’re getting very effective at what it is they’re doing. They’re setting themselves up to make a really large impact and make some money off of their transactions,” said Watson.
The uptick in ransomware and critical infrastructure attacks is demonstrating just how bad the cyber situation is across the country. “Fortunately in Virginia, we’ve got a lot of support from government, from our governor on down, our Chief Information Officer and others, but it doesn’t make the job any less challenging,” Watson said.
Watson also talked about the deteriorating environment for cybersecurity insurance to cover attack-related losses and make ransomware payments.
“We know that if we’re not insured we’re probably in a dangerous spot,” he said. “Recently, within the last three to four months, cyber insurance companies has changed their posture, they’re not writing any new coverage policies, plus they’ve increased their rates and cut coverage amounts,” said Watson. Some states have reported insurance rate increases up to 400 percent, with amounts of coverage cut in half.
Those developments are a good bellwether as to just how bad the situation is, and just how complicated and effective cyberattacks are proving to be. Insurance companies want to provide coverage, but they are not non-profits, Watson said.
“If they’re unable to make money in this space, it means that there just aren’t enough protections and controls” being employed by the organizations they insure, he said. “They’re having a very difficult time covering state and local governments. And that’s a good example of just how bad things are getting,” Watson said.
Better Security is Not a Mystery
Finally, FedInsider’s Breeden asked about technologies that state and local governments can evaluate to boost security and improve the outlook for defeating future attacks.
“I’m glad that you’re asking the question because you’re right,” Watson replied. “A lot of times we’re having these cyber conversations and it feels all gloom and doom. It feels like there’s just nothing that can be done about it.”
He said cybersecurity officials know what needs to be done, and they know what’s relatively effective to narrow the chances of successful attacks.
“Nothing’s going to ever be perfect,” Watson said. “We don’t, for example, expect that locks on our doors are going to keep all types of criminals out of our homes. But we do expect that they work pretty well.”
And it isn’t any different in cybersecurity. State CISOs know that strong identity and access management procedures catch who is accessing their systems, and because of that zero trust structures are being deployed.
“You have to check every interaction, instead of assuming that some interactions are okay. The borders of our security profiles must be closer and closer to the data so that regardless of where it is, or what is where, or when it transfers from one location to another, you can guarantee that same level of security exists, whatever it is,” Watson said.
Implementing tighter security will take some time because it’s a pretty significant shift in many organizations, but it’s where the CISO community is headed. “We can do a better job of protecting ourselves because one of the things we look at, and one of the reasons that ransomware attacks are really impactful, is once they get in, they’re able to spread around and hit a whole lot of stuff at once,” Watson said. “With a zero trust environment where you’re unable to connect to another system without being checked every time, it will prevent that type of spread and exposure.”