From Wisconsin’s former CIO: Cybersecurity must be a national priority
Jul 14, 2021
There’s been a lot of media talk about the increase in ransomware and other cyber threats over the last few months, especially in light of the Colonial Pipeline attack that shut down gas distribution for a significant portion of the Eastern seaboard.
As the CIO of Wisconsin over the last eight years, I was responsible for creating and managing the state’s data infrastructure. I spent much of my time consolidating multiple data centers into a single infrastructure for use by 50 agencies, 30 IT directors, a staff of 2500, citizens, and other people conducting state's business, filing taxes, processing DMV transactions, recording department of corrections paperwork, handing department health services, and much more.
As a public servant trusted with Wisconsin’s data, I am keenly aware of how much depends on IT infrastructure. Our society’s democracy and functionality absolutely rely on it. And for the most part, we don’t understand the implications of a massive infrastructure shut down. We are starting to, but we still underestimate the impacts it could have.
IT security is critical to protecting the infrastructure of the United States, and the legacy systems that make up that infrastructure need a new security model to prevent disruption. Zero Trust is that model.
The infrastructure of society
The Colonial Pipeline attack was a watershed event. The disruption in the gasoline distribution system for the eastern seaboard hammered home what an infrastructure attack looks like: No gas for a large chunk of the population. And this hardship fell across the entire spectrum of the populace. It didn’t matter if you were earning minimum wage or were a CEO at a Fortune 500 company—you couldn’t get gas.
Infrastructure is essential to a functioning society. Recently, the power outages in Texas demonstrated what happens when these systems fail. Tens of thousands without power and lives lost.
That’s what an “outage” looks like. Critical systems unavailable or crippled by lack of power, access, or availability. And the internet has become a crucial part of this infrastructure, connecting many people, businesses, and systems to further provide services and access.
The reality of downtime
States routinely conduct tabletop exercises. The one we held in Wisconsin involved more than 1200 people and 240 agencies. We staged a cyber attack on a utility and took out all power. On days one and two, people were comfortable and coped. By day three, chaos loomed. These are the stakes. If a cyberattack hits the energy sector, it can generate real disruption in day-to-day activities for individuals, industry, and institutions. Visualize no power and no energy: there is not much left.
The United States Cybersecurity and Infrastructure Security Agency (CISA) has identified 16 sectors that must be protected to ensure a functioning society.
These physical and virtual systems and networks are so vital to the United States that their incapacitation or destruction would cripple security, national economic security, national public health, or public safety. Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience advances a national policy to strengthen and maintain secure, functioning, and resilient critical infrastructure based on these 16 areas.
I've been passionately advocating for improving cybersecurity in these 16 sectors since I assumed my duties as Wisconsin’s CIO. Cybersecurity should be a top-of-mind issue for all government CIOs and CISOs as they work to digitally transform their state and local government IT infrastructure. Cities with the resources are already building dedicated cybersecurity teams to examine and address cyber threats full time.
Legacy security is the problem
In the Colonial Pipeline attack, the biggest issue was locating what systems the ransomware affected. Colonial employees didn’t know if the attack was on the IT side or if it had bled into operational technology (OT). Fortunately, it was just on the IT systems. That meant “only” a five-day turnaround for repairs.
If it had hit the OT, they would have had to stop distribution machinery, reverse the product flow, and check for co-mingled product. That would NOT have been a five-day turnaround. Even worse, a severe compromise of the OT system could mean physical damage, including pollution or a massive explosion.
And that's true for every segment of the energy sector. There are supervisory control and data acquisition (SCADA) and industrial control systems (ICS) throughout the country for many industries—many of which connect to IP-addressable devices. Much of this infrastructure is old—decades old—and isn’t built to withstand today’s typical attack environment.
Any one of those devices is a possible port of entry for a hacker. If a hacker gets into legacy infrastructures, they can leap to any number of control systems and wreak havoc. For example, an attacker recently breached a Florida water treatment facility and increased water lye levels (briefly, quickly reversed) to unsafe levels.
With all infrastructure, these systems will and do cross-connect with each other. Legacy castle-and-moat security systems focus on access to any of these system perimeters. But once that perimeter is breached, there is little (sometimes no) attempt to check traffic passing laterally through all connected systems.
Running IT infrastructure in any environment is complex. Digital transformation can increase the complexity by exceeding the limits of legacy infrastructure security as systems, apps, and assets move to the cloud. People access these from outside the security perimeter. As more of these systems leave the security perimeter, castle-and-moat security solutions get incredibly taxed.
Zero trust architectures assume that all access and traffic are compromised, regardless of where the traffic originates or going. Using policies that connect traffic—whether from a user, device, or application—to applications and assets, access is limited to only traffic that should have access. Zero trust policies look at login credentials and context (user and device alignment, geo-positioning, and access time data, for example) to determine whether or not to grant access.
If some person or device is compromised, based on zero trust policies, that breach can’t be used to travel laterally throughout the network.
Make security a(n) (as-close-as-possible) single-vendor solution
In its cybersecurity report, Gartner identified 24 security categories for organizations serious about protecting their assets. Each of these categories—for example, DLP, firewall, IAM, web-filtering, etc.—should have a security solution. Legacy architectures address this with boxes at the network perimeter. Complex box-based security has a two-fold negative effect: expense and performance.
As a government leader, I’m responsible for spending taxpayer dollars. This means all expenses must be approved through a complex process of accountability. That means for each of these 24 areas, we might need to walk through a procurement and justification process.
In Wisconsin, I had a mainframe that was processing 15 billion transactions a year, ERP processing another billion transactions, and a distributed computing platform doing things I can’t even measure. I need to run this business 24 hours a day, 365 days. I don’t have time for 24 RFPs.
But we still need cybersecurity. One phishing email could take us out of the water at the second in a moment's notice. And security can’t stop performance—the demand for performant systems only grows as more people get used to doing things online. But your solution must adapt and grow as your needs change. The whole point of digital transformation is to create agile systems—security should be no different.
My plea to CIOs is to look for vendors and partnerships that scale and provide a complete cyber defense quickly. Evolve. Find a vendor whose solution matches your needs, grows with you, and allows you to react without needing a year-long procurement process.
Cybersecurity must align with today’s needs
The cyber defense you bought last year doesn’t meet your needs today—too much has changed. I have two things with which I’d like to close.
To my brethren in the other 49 states, I have a high degree of empathy for your daily challenge. Simplify that decision-making process
The pandemic paused all your digital transformation plans. A digital transformation surge is coming, and it is bringing new security challenges. The demand to address change will be loud and force you to prioritize your needs. And you can’t compromise cybersecurity as you meet these challenges. Legacy security won’t cut it. You need security that scales, covers all the bases, and doesn’t bog your processes down with procurement requirements. Look at new architectures like zero trust from single vendors to help you digitally transform your environment and meet the needs of the citizens you serve.
What to read next