Over the past few years, cybersecurity has grown into a major concern for federal government and law enforcement. Two-thirds of federal CIOs and CISOs place cybersecurity as one of their top priorities, and FEMA listed it among its five core capabilities in the organization’s latest preparedness report. Although high-profile data breaches involve larger organizations, there is growing concern that smaller agencies will be targeted with greater frequency in the future.
Old tech is resilient
Effective cybersecurity defense begins by protecting critical functions specifically hardened against cyber attacks. Small police departments, sheriff’s offices, firehouses, hospitals and other public safety centers may not be able to afford technology upgrades, but older tech lacks the information robustness that would be attractive to a cyber thief. Cybersecurity risks are mitigated by the fact that it is such a low-bandwith communication
“From a technology point of view, emergency services are in the Dark Ages,” says David Wild, a certified EMT and professor of Informatics at Indiana University, “but from a resilience point of view, they are ahead of everyone else.”
New technology isn’t always built with security as a priority. Von Welch, Deputy Director of the Center for Applied Cybersecurity Research at Indiana University, says this is a byproduct of fast-paced software development that lacks maturity. He compares it to building bridges and homes during the Gold Rush, when the need was so great, there was no time to stop and get the structures inspected.
“We don’t have equivalent expectations for software,” says Welch. “We have a bunch of people building sheds, and then we stack them on top of each other and call them a skyscraper.”
Preparedness cannot guarantee security
Small agencies struggle to bring security expertise in-house. Funding and recruiting both become more difficult at the local level.
“There is no way we could hire someone to do a primary task of cybersecurity,” says Joel Bomgardner, Deputy Chief of the Bloomington Township Department of Fire & Emergency Services. “However, it’s possible that we could develop an additional job responsibility for that.”
Whether a large federal agency or a small local sheriff’s office, however, the weakest link is often a single person making a mistake. According to Verizon, 58 percent of cybersecurity incidents in the public sector were caused by employees mishandling data or through unapproved use.
CACR adopts a risk-based approach, counseling organizations to prioritize their cybersecurity plans around mitigating failure in their mission-critical functions. The expectation that something will go wrong is in the DNA of all first responders.
“You can do all of the planning and scrutiny in the world, of course, and it won’t guarantee you that you won’t have a cybersecurity problem,” warns Welch. “There is no magic bullet that will ever prevent you from having to implement a Plan B.”
Read the full article and other cybersecurity topics in the October-November issues of Homeland Security Today Magazine.
- Axelrod, R., and Iliev, R. “Timing of cyber conflict.” PNAS 2014, 111 (4), 1298-1303, published ahead of print (January 13, 2014). doi:10.1073/pnas.1322638111
- Bennett, A. “GAO: Maritime security plans don’t address cyber threats.” FierceHomelandSecurity (June 9, 2014).
- Blue, V. “Cybersecurity’s hiring crisis: A troubling trajectory,” Zero Day. ZDNet (August 25, 2014).
- Bremer, B. “Cyber-Protection for Those Who Serve and Protect.” Law Enforcement Today (August 10, 2014).
- Center for Applied Cybersecurity Research. http://cacr.iu.edu/
- “Data breaches create insurance costs.” PhysOrg (June 12, 2014).
- Frederickson, T. “Global Benchmark Study Reveals 73% of Companies are Unprepared for Disaster Recovery,” from PR Newswire. Disaster Recovery Preparedness Council (March 4, 2014).
- Griffith, D. “Cyber Security: Locking Down the Databases.” Police: The Law Enforcement Magazine (August 8, 2014).
- The Heartbleed Bug. http://heartbleed.com/
- “Hedge funds turn to cyber liability insurance to mitigate risk.” Government Security News (June 26, 2014).
- Kerner, S.M. “Law Enforcement Aims to Prevent Cyber-Attacks: Secret Service Agent.” eWeek (February 26, 2014).
- National Preparedness Report, FEMA (August 6, 2014).
- Network Indiana. “Safety Officials Warn Of Possible Cyber-Terrorism Attacks.” Indiana Public Media (August 8, 2014).
- Nguyen, P. “Bridging the cybersecurity skills gap with automation: a blueprint for federal agencies.” Government Security News (April 2, 2014).
- Orsini, L. “The White House Now Has A Digital SWAT Team.” ReadWrite (August 11, 2014).
- Paganini, P. “Nuclear Regulatory Commission hit by foreign hackers.” Security Affairs (August 20, 2014).
- Peterson, A. “How Anonymous got it right and wrong in Ferguson,” The Switch. The Washington Post (August 14, 2014).
- Ponemon Institute. “2013 Cost of Data Breach Study: Global Analysis.” Ponemon Institute Research Report (May 2013).
- Rausnitz, Z. “Congressional Research Service finds renewed focus on domestic terrorism.” FierceHomelandSecurity (August 25, 2014).
- Sarkar, D. “Army labs re-create battlefield environment to test cyber threats, identify vulnerabilities” FierceGovernmentIT (August 7, 2014).
- Sarkar, D. “Study: Cybersecurity problems won’t be solved with a permanent solution any time soon” FierceGovernmentIT (June 25, 2014).
- Sarkar, D. “Cybersecurity top concern for federal CIOs, CISOs, says TechAmerica survey.” FierceGovernmentIT (June 9, 2014).
- Sarkar, D. “DHS offers online, open-source collaborative environment to help improve software” FierceHomelandSecurity (August 7, 2014).
- Sarkar, D. “NATO needs a cyber ‘exercise range’ to help bolster security capabilities, face emerging threats, report says” FierceGovernmentIT (June 29, 2014).
- Sarkar, D. “Shortage of cybersecurity pros in government, business potentially undermines national cybersecurity, finds RAND” FierceGovernmentIT (June 20, 2014).
- Sarkar, D. “FBI issues warning, EHRs vulnerable to cyber attack, theft” FierceGovernmentIT (May 1, 2014).
- Senate HSGAC Minority Staff, “The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure.” Homeland Security and Governmental Affairs Committee (February 4, 2014).
- Verizon Enterprise Solutions. 2014 Data Breach Investigations Report. Verizon (April 23, 2014).
- Vijayan, J. “Target attack shows danger of remotely accessible HVAC systems.” Computerworld (February 7, 2014).
- Wagley, J. “Most government data breaches caused by employees, says Verizon study.” Government Security News (April 25, 2014).
- Ward, M. “How to hack and crack the connected home.” BBC News (August 17, 2014).
- Walker, M.B. “Cybersecurity policies lacking at small agencies, finds GAO.” FierceGovernmentIT (June 26, 2014).
- Yasin, R. “Unencrypted drive exposes IRS employee data.” FierceGovernmentIT (March 20, 2014).