an interview with david jordan, · 2016-03-26 · 8 virginia issues & answers global threat,...



Post on 26-Jun-2020


Page 1: An interview with David Jordan, · 2016-03-26 · 8 Virginia Issues & Answers Global Threat, Local Action An interview with David Jordan, Arlington County chief information security

8 Virginia Issues & Answers Global Threat, Local Action

An interview with David Jordan, Arlington County chief information security officer

Global Threat, Local Action: A View from Arlington County

Q: Describe the cybersecurity landscape today. What is the magnitude of the threat, and what kinds of attacks have local and state governments faced?

A: There is an expanding global cyberwar in progress. Identity thieves stole $16 billion from 12.7 million U.S. consumers in 2014 (Javelin Strategy & Research), while British insurance company Lloyd’s estimates that cyberattacks cost businesses as much as $400 billion a year (Gandel). One recent study projects cyberattacks will cost the world as much as $90 trillion by 2030 (Takala).

There is a dire need for a significant and sustained focus on cybersecurity within local governments, K-12 schools, colleges, and universities. These combined entities provide one of the largest cyberattack surfaces in our nation. There have been major incidents in state-held data stores announced in the past few years, most recently the South Carolina state data breach that exposed the personal data of nearly 4 million individuals and 700,000 businesses (Be’ery). School systems are known to be riddled with BOTNETS,¹ and we know what follows those infections: email spam and more malware tools that could be used to breach data. I worry about school systems becoming launching pads for Distributed Denial of Service attacks² or malware.

1 BOTNET: A network of private computers infected with malicious software and controlled as a group without the owners’ knowledge to send spam messages, or to attack a government enterprise network or other critical infrastructure provider.

2 A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised networks (one of which could be a school system) attack a single target with a flood of incoming messages. The attack overwhelms the target system and forces it to shut down, thereby denying the system’s service to legitimate users.

Winter 2015-16 via.spia.vt.edu

Q: How has the approach to cybersecurity evolved in Arlington County? What has improved? What can the county do better?

A: When I started in my current position, computers weren’t using antivirus software. Arlington hired its first chief information security officer (CISO) just months before 9/11. We’ve come a long way since then. The terrorist attack on the Pentagon, located here in Arlington County, had the effect of pushing the county government out of its comfort zone of day-to-day operations. The government re-invented itself to address the “new” reality that terrorism can happen in the homeland. The development of a robust and integrated cybersecurity practice was one of those inventive changes. Technology began to play a larger role in public-safety and life-safety issues, and that was the catalyst for cybersecurity funding.

The security practice is mature now, but there is still more that can and should be done. Arlington is advanced compared to some or even most of the governments in Virginia, and local officials recognize and appreciate the federal agencies and assets we host, but this recognition often has little influence over the old tried-and-true traditional methods used to administrate local governments. In the 21st century, the mission of government must evolve to include optimal cybersecurity, which protects the sensitive data of constituents and employees. Governments must add cybersecurity to the basic tenets of their mission, alongside public safety (fire and police), health, and education.

Arlington has vibrant and youthful constituents who want anywhere and anytime access to their government and education system. It’s exciting and innovative when we can offer free wireless and Web-based applications to provide access to government services, but it also creates new cybersecurity challenges. CISOs in local governments can influence the development of new cybersecurity technology during beta-testing³ to make it more rapidly deployable and optimized for real-world scenarios. In Arlington County, we have developed excellent relationships with our vendors, and we often work to influence products, product updates, and new features. In one recent case, our IT Security staff met with a vendor’s development team to share insights we had developed after an initial attempt to create a custom anti-spam application in-house. Through ongoing collaboration, the vendor developed an excellent product that incorporated our ideas. Shortly after the vendor’s product release, the Arlington County government purchased the anti-spam offering, and the product is available to serve other local governments as well.

Q: You have said that the three major challenges chief information security officers face are funding, procurement, and compliance. Explain to our readers in more detail what each of these challenges looks like.

A: A major threat governments face is inadequate funding for cybersecurity that arrives too late. IT departments are the new kids on the block when it comes to local government. IT budgets should grow every year, but with tax revenues down or flat, most IT budgets are regularly cut. Cybersecurity that qualifies as “pretty good” is expensive, and technology agencies have to compete with other departments for scarce funding. It’s a wrong-headed, short-sighted mistake made by elected officials and chief administrative officers to believe that all agencies must be treated equally. Today, IT is at the heart of all the other government agencies, and IT funding cuts may severely impact cybersecurity and hurt other agencies’ performance.

In a moderately sized local government with a billion dollar budget, a typical funding scenario might provide $25 million for IT and $1.5 million for IT security. It’s safe to assume the cost to restore the credit rating of a taxpayer whose personal data was stolen from a government system is $500,000. For 100,000 taxpayers, the total value of personal data housed within the government’s data stores would be $50 billion. This means the government is budgeting just $1.5 million to secure $50 billion.

3 Beta-testing is the last stage of product testing, and normally can involve sending the product outside the company for real-world exposure.

David Jordan is the chief information security officer (CISO) for Arlington County, Virginia, and is responsible for information security strategy and policy and cyber-incident emergency operations for the county. He is also an advisory board member for Mission Secure Inc., which provides next-generation cyber-defense solutions for critical physical systems. Jordan is a member of the Commonwealth of Virginia Information Technology advisory board, co-chair of the Council of Governments CISO committee, and co-founder of Securing Smart Cities, a nonprofit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other nonprofit initiatives, and individuals.

The views and opinions expressed in this article are those of the author and do not necessarily reflect or represent the views of Arlington County government or Virginia Tech.


Would you want your personal health or financial data stored in a system whose cybersecurity was funded at a level of 0.15 percent of the overall annual budget, or 6 percent of the IT budget? The 6 percent figure is simply not enough to fund the necessary employees and network infrastructure.

This inherent funding issue may explain why there are so few chief information security officers (CISOs) in local government. A government without a CISO lacks a mindset acknowledging that the benefits of the IT era are expensive and require significant annual sustainment funding. In other words, the government is saying it’s willing to roll the dice on an advancing cyberthreat environment.

Elected officials must prioritize critical cybersecurity systems, and make tough funding choices to protect vital data. Discretionary spending projects may need to be placed on hold or delayed so that funding is made available for essential cybersecurity systems and additional personnel. What good is a new swimming pool complex if the water in the pool is toxic due to the exploitation of a vulnerability in the purification system?

It’s important to note that a government could contract for CISO-like services—cyberrisk assessments, remediation, employee-awareness training, liability clauses in vendor contract language, robust network architecture, wireless device security, Internet and World Wide Web security, encryption, and more—to ensure that infrastructure best-practices and policies are in existence for the government’s systems, employees, and constituent users. Elected officials and chief administrative officers must replace lip service and optics with funding and realistic cybersecurity remediation action plans.

Q: What are the problems with cybersecurity procurement? How can local governments do better?

A: Antiquated procurement practices are a major hurdle for local governments attempting to keep up with 21st-century cybersecurity threats. The current rules are too heavily weighted toward providing benefits to vendors rather than expedience in processing critical procurements supporting the development of cyberdefense systems. In some local and county governments, it takes years, not months, to acquire funding and complete the procurement process. Most governments are already playing catch-up in a very dangerous cyberenvironment.

Procurement officials must recognize that there is an expanding global cyberwar in progress, and a one-, two-, or three-year procurement cycle is unacceptable. Governments need to create fast-pass, emergency procurement procedures that expedite cybersecurity infrastructure procurements. Local governments also need to involve CISOs or employees tasked with cybersecurity responsibilities in the procurement process. Oftentimes, the finance and procurement folks don’t understand IT, let alone cybersecurity, and ought not to be making decisions about critical infrastructure cybersecurity procurements. The CISOs understand their networks and the technologies and services that the security vendors offer.

Q: Cybersecurity compliance in Virginia just got a boost from Richmond.

A: Regulations and guidance policies are fine, but they are meaningless without methods available to ensure compliance. I was pleased to see Governor McAuliffe sign several cybersecurity-related bills⁴ this year, particularly the one that holds state agency heads responsible for cyberbreaches that occur in their agencies.⁵ This policy is a stroke of genius that will aid the state chief information security officer when it comes to best-practice compliance. This type of regulation needs to be pushed down to all 138 Commonwealth cities and counties.

Q: What is the condition of IT security in state and local education systems?

A: Important progress is being made at the higher education level. The University of Virginia and Virginia Tech are prime examples. Almost a decade ago, both schools removed Social Security numbers as employee and student tracking numbers. They proved it can be done—and it should be done by governments, health care providers, and K-12 schools.

At the local level, school systems—pre-school through high school—are far behind in securing their enterprise networks and in educating students about the risk of using the Internet and smart devices. Both areas are critically important, and both areas appear to be off the radar screen of school superintendents and school board members. Next time you attend a school board meeting, ask board members to identify the district’s most recent enterprise-network risk assessment and whether an annual third-party risk assessment is performed. If there is a dramatic pause, you know that they are not engaged in cybersecurity enough to even be in touch with the basic best practices—and they should be.

4 For a list of cybersecurity-related bills passed in the 2015 legislative session and details on each bill, see https://cyberva.virginia.gov/.

5 S.B. 1121, Va. Gen. Assembly (Reg. Sess. 2015).

Q: For local critical infrastructure—utilities, communications, transportation, and financials—what is the state of security? What can we do better?

A: Mid-century mechanical systems running local critical infrastructure like water, sewage, and traffic lights become significantly less secure when these operational technology (OT) systems are interfaced with information technology (IT) systems where many of today’s cyber vulnerabilities exist. The cyber-weapons used to attack IT networks are now evolving to become useful against OT, such as SCADA⁶ systems for water purification plants or traffic signals. In local and county governments, OT staff typically don’t interact with IT staff. Governments need to engage critical-infrastructure providers in the cybersecurity accountability discussion and make those discussions a routine practice. In many parts of the country, IT cybersecurity staff have been developing relationships with emergency managers who one day may have to respond to the consequences of an IT cybersecurity incident. It is time to expand that discussion to include operations technology staff so that they can be in the best possible position to secure critical infrastructure services in case of a cyberattack. If your government doesn’t educate emergency management and environmental services staff about cybersecurity threat prevention and vulnerability remediation, how will it secure its critical infrastructure?

We also need additional regulation and oversight over the producers of the commercial OT systems that many local governments are using. We cannot trust that corporate America will voluntarily adopt the wise counsel of the NIST Cybersecurity Framework⁷ and build product integrity features into the critical infrastructure OT they sell our governments. So far, very few have. A little bit of government oversight, beyond providing NIST guidance, is a necessary next step. Local and state policy-makers should require basic product integrity features be built into the OT systems used to control critical infrastructure. These systems are too important to public health and safety to be left to the tender mercies of the marketplace.

Q: What is the Virginia Cyber Security Commission? How does the group benefit members and the Commonwealth?

A: The Virginia Cyber Security Commission, which the governor formed within weeks of taking office, is part of a broad effort to address many aspects of cybersecurity across the Commonwealth. The commission is taking a number of steps to enhance sensitive data security and improve critical infrastructure cybersecurity statewide. A critical initiative is the plan to create a state security operations center (SOC) to enhance relevant threat-intelligence sharing. The SOC will have access to volumes of information from numerous sources, such as the United States Computer Emergency Readiness Team, the Virginia Information Technologies Agency, the Multi-State Information Sharing & Analysis Center, the FBI, IT-security vendors, and more, and will sift through what is relevant to Virginia cybersecurity practitioners operating in government and business environments. The SOC will have an adjunct competency center to collaborate with and assist business startups, established mid-size businesses, and critical infrastructure providers in the state. The commission will also work to create ways to raise cybersecurity awareness among citizens, developing educational materials for schools, colleges, and universities and possibly even developing cybersecurity public service announcements.

Keep your eye on Virginia—it’s about to leave the 20th century when it comes to cybersecurity.

Q: What other legislative and policy changes at the state and local levels could help improve the Commonwealth’s cybersecurity posture?

To start with, state corporation commissions should be empowered to have cybersecurity concerns outlined in any regulatory powers that they utilize over critical infrastructure service providers. The commissions don’t have to perform cybersecurity risk assessments, but as part of their mission they certainly should require those assessments or at least be in a position to discuss the results of these necessary security checks and tie compliance with cybersecurity best practices to any requested rate increases. That is how you use legislation and regulation to create incentivization.

6 SCADA (supervisory control and data acquisition): A system operating with coded signals over communication channels to provide control of remote equipment.

7 The National Institute of Standards and Technology released Version 1.0 of the NIST Cybersecurity Framework Feb 12, 2014. The framework provides a common taxonomy and mechanism for organizations to describe current and target state cybersecurity postures, identify and prioritize opportunities for improvement, and communicate cybersecurity risk. For more information, see http://csrc.nist.gov/index.html.

There are a number of fairly simple changes state and local governments can make non-legislatively to greatly enhance the security of IT systems. One of your least costly and most powerful deterrents to malware infections and social engineering is an educated workforce. Create a website for relevant cybersecurity information and ensure that it is kept up-to-date. Engagement with government employees will help them think about cybersecurity best practices when they see something odd or get a phone call from a scammer trying to gain access to your network. They will connect the dots and terminate the potential threat. Like it or not, the next-most powerful weapon against cyberattacks is a strong, frequently changed password or, even better, multifactor authentication.

I hope all governments in the Commonwealth are adjusting their focus beyond perimeter security, thinking more about proper encryption at rest or purging sensitive data, switching off deprecated secure sockets layers options,⁸ covering all the bases with best practices from the National Institute of Standards and Technology, and looking at next-generation security incident event management⁹ for operational technology areas, such as water purification, sewage, and traffic management systems.

Q: What are the most important cybersecurity threats facing the nation in the next decade? What steps should we take to prepare?

A: Some think we’re losing the cyberwar—and one way to improve the odds is to add talented cyberwarriors to the battlefield. The country’s universities are producing thousands of students with cybersecurity degrees who are unemployable because the federal government, namely the Department of Homeland Security (DHS), is operating with 20th-century rules, regulations, and procedures that have created a massive gap when it comes to getting talent to government entities and companies with cybersecurity skillset needs. There are thousands of government job openings for cybergrads, but interested graduates need not apply without a clearance. How complex and difficult can it be for an agency like DHS to fix a clearance problem that has existed for ten to twenty years? DHS should work on a solution, even if it is an interim one. The country needs a national strategy that provides an entry-level secret clearance program for university graduates with cybersecurity degrees. We’ll lose these graduates to other fields if we keep them waiting too long; plus, their skillsets will become dated.

Another looming threat to the country is the onslaught of the Internet of Things (IoT).¹⁰ IoT devices will take everyday objects and enable them to utilize the Internet to communicate. Your refrigerator will order milk and eggs. Your clothes washer will order fabric softener. These objects will most likely be information-security risks, unless or until the manufacturers bake-in security (making the devices inherently secure) or the manufacturers are regulated into using cybersecurity best practices in the manufacturing process.

Governments haven’t yet focused or adequately funded enterprise security, and the IoT is beyond their control. At the moment, governments and the public are totally dependent upon manufacturers to make IoT devices inherently secure. The question for us, then, becomes: Do we wait for the manufacturers to step up to their corporate social responsibility or, as we have seen recently, will the massive theft of personal information lead consumer activists to pressure government representatives to impose regulatory fixes? I expect it would be helpful and perhaps necessary for the creation of a cybersecurity “consumerist” movement that pressures government officials to provide regulation for inherent product integrity in the IoT. If the manufacturers would step up and become early adopters, regulation would not be required. The question remains whether business entities will recognize the threat and do it right the first time.

When the folks with imagination sit down and craft their next idea for an IoT product, all they need is someone sitting next to them who understands cybersecurity to add a few common-sense security tweaks, and the development cycle becomes one where baked-in security is standardized, with no additional lead-time and at minimal cost. You also end up with a valuable product differentiator—a product with inherent integrity. What’s more, these cybersecurity product-integrity jobs are U.S. manufacturing jobs that resist being exported.

8 Transport layer security (TLS) and its predecessor, secure sockets layers (SSL), are cryptographic protocols designed to provide communications security over a computer network.

9 Security information and event management (SIEM) is a term for software products and services combining security information management (SIM) and security event management (SEM). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. SIEM is sold as software, appliances, or managed services, and is also used to log security data and generate reports for compliance purposes.

10 Internet of Things: A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.

Q: Can you offer any final takeaways for Virginians who are concerned about the growing threat from successful cyberattacks?

Life on Earth has changed forever due to the dawn of the Internet, personal computing, and wireless devices. Nearly every aspect of human life now has a cybersecurity component; any person or nation that ignores this reality could become a victim to criminals, terrorists, or nation-states intent to do harm to our civilization. It is up to each of us to educate ourselves, family members, and friends about cybersecurity, and to raise the level of cybersecurity awareness and understanding at home, in schools, and in the workplace as quickly as possible to ensure we are sufficiently aware of and taking appropriate steps to prevent cyber threats.¹¹

Many of us who were kids in the mid-20th century will remember Smokey the Bear and his famous mantra, “Only YOU Can Prevent Forest Fires.” This U.S. National Park Service promotion was the longest-running campaign in Ad Council history, and helped reduce the number of acres lost to forest fires from about 22 million annually in 1944 to an average of 6.7 million in 2014 (National Forest Service). We need a similarly successful promotion for this rapidly growing 21st-century threat. With the same focus and intensity we use to teach our children fire safety, we should add a new safety lesson, one about cybersecurity. Both are critical to life and safety.

Works cited

Be’ery, Tal. “The South Carolina Data Breach: A Lesson in Deaf and Blind Cybersecurity.” Security Week 28 Nov. 2012. Web. 2 Dec. 2015.

Gandel, Stephen. “Lloyd’s CEO: Cyber attacks cost companies $400 billion every year.” Fortune 28 Jan. 2015. Web. 4 Dec. 2015.

Javelin Strategy & Research. $16 Billion Stolen from 12.7 Million Identity Fraud Victims in 2014, According to Javelin Strategy & Research. 2 Mar. 2015. Web. 4 Dec. 2015.

National Forest Service, U.S. Department of Agriculture. Smokey Bear Celebrates His 70th Birthday by Reminding Everyone… “Only You Can Prevent Wildfires”. 8 Aug. 2014. Web. 2 Dec. 2015.

Takala, Rudy. “Study: Cybersecurity spending to hit $75.4B in 2015”. Washington Examiner 24 Sep. 2015. Web. 2 Dec. 2015.

11 The Department of Homeland Security’s Cyber Security Awareness Month website offers cybersecurity education toolkits for various audiences, including students of different ages, parents, educators, older Americans, government, industry, small business and law enforcement. For more information, see http://www.dhs.gov/stopthink-connect-toolkit.