Cyber Readiness of U.S. State & Local Government

By Trellix · April 14, 2022

A March 18 Presidential letter to the nation’s governors on cyber-warfare activity in Ukraine has rekindled a discussion of the cyber readiness of critical infrastructure run by U.S. state and local government (SLG) entities.

In recent years, SLGs have come under significant levels of attack by ransomware gangs who freeze up the systems of local utilities, first responders and other emergency services to demand payment in the millions of dollars. These incidents have raised concerns about the integrity and protection of these IT systems, particularly should they be targeted by adversaries seeking more than financial gain. Despite this proliferation of attacks over the last couple years, the majority of SLGs have not implemented full cybersecurity capabilities, according to a new report released today by Trellix.

The report, Path to Cyber Readiness – Preparation, Perception and Partnership, surveyed 900 IT decision makers from the public and private sectors around the world, including respondents from U.S. SLGs responsible for everything from first responder emergency services, regional utilities and transportation systems.

Notably, the report’s survey found that U.S. federal government agency respondents lead their non-federal government and private sector critical infrastructure peers in the implementation of four of five solutions required by the U.S. Executive Order on Improving the Nation’s Cybersecurity (EO 14028): extended detection and response (EDR-XDR), cloud cybersecurity modernization, zero trust architectures (ZTA), multifactor authentication (MFA) and software supply chain risk management policies and processes.

While some may be surprised that the U.S. government would lead private sector organizations in this (or any) technology area, it is important to realize that critical infrastructure providers (CIPs), as the U.S. Department of Homeland Security’s Cybersecurity and Critical Infrastructure Security Agency (CISA) defines them broadly today, to increasingly include sectors that have under invested in information technology, let alone cybersecurity, for decades. U.S. SLGs constitute such a sector.

The State of Cyber Defense Implementation

Based on the survey results, 92 percent of SLG respondents cite MFA as a crucially or highly important cybersecurity priority to their sector, followed by cloud cybersecurity modernization (90 percent), EDR-XDR (74 percent), ZTA (72 percent) and software supply chain management policies and processes (67 percent).

These regional providers of government services appear to lag the field of U.S. CIPs in EDR-XDR implementation. Only 23 percent claim to have achieved full implementation compared to 35 percent among the overall U.S. CIP group. Nearly two-thirds (64 percent) of this group’s respondents cite EDR-XDR solutions as difficult to implement.

Fifty-four percent of survey respondents reported lack of implementation expertise as the leading barrier to their implementation of new cyber defense technologies. Expertise was followed by a lack of inhouse staff resources (51 percent), a lack of leadership recognition in the need to invest (49 percent), challenges related to tender and bidding processes (38 percent), a lack of trusted vendor partners (36 percent) and a lack of budget (28 percent).

Software Supply Chain Risk Management

Regional government services respondents report poor progress in software supply chain risk management, with only 31 percent claiming full implementation of these measures. Ninety percent of respondents somewhat to strongly agree that there has been little oversight on how cybersecurity products themselves were developed and where.

Ninety percent of respondents believe that if the US federal government demands higher software security standards within government agencies, this would play a role in raising standards across the software industry. Ninety-one percent of sector respondents believe cybersecurity standards for software development should be mandated by government.

That said, 54 percent of sector respondents believe that government cybersecurity standards for software could be too expensive to implement in practice and that government timelines might be difficult for software developers to adhere to.

COVID-19 Impact & Legacy

Seventy-four percent of regional government services respondents report that the need to secure remote access to their enterprise resources became a somewhat more important to a much more important issue in maintaining their cybersecurity posture during the COVID-19 pandemic.

Fifty-one percent have a wait and see position on whether the remote work-hybrid model will remain in place, with 26 percent believing the hybrid model will be permanent and around as many (23 percent) believing there will be a total return to normal.

U.S. Cybersecurity Safety Board

Seventy-nine percent of regional government services respondents see value in the establishment of a US Cybersecurity Safety Board similar to the US National Transportation Safety Board..

Forty-nine percent of respondents believe the Cybersecurity Safety Board should only focus on government infrastructure, 51 percent believe it should also focus on critical infrastructure outside of the federal government, with 38 percent of those believing it should focus on regional government infrastructure as well as federal infrastructure. Only 13 percent believe it should focus on both public and private critical infrastructure.

Partnering with U.S. Federal Government

Ninety percent of regional government services respondents believe there is room for improvement when it comes to the level of partnership between the US government and organizations in their sector. As many as 62 percent believe there is vast room for improvement, which represents more enthusiasm than any other critical infrastructure category surveyed.

Seventy-nine percent of survey respondents somewhat to strongly believe there is no real consistency as to how organizations respond to cyber incidents, and 56 percent favor improved guidance on cybersecurity best practices.

Forty-nine percent favor greater federal funding, 41 percent tighter cooperation on the investigation of attacks following their discovery, 38 percent greater consequences for perpetrators of cybercriminals, and 36 percent tighter cooperation on cyber incident management while attacks are in progress.

Only 33 percent favored more Federal regulations and only 26 percent favored a combination of incident notification and liability protection to facilitate sharing of attack data between impacted organizations, government partners and industry audiences.

Eighty-seven percent of respondents said there was room for improvement in the data shared by the US government with organizations in their sector.

For more information:

• Trellix Cyber Readiness Report
• Cyber Readiness in Europe: France, Germany & the United Kingdom
• Cyber Readiness in Asia Pacific: Australia, India & Japan
• Cyber Readiness in U.S. State & Local Government
• Cyber Readiness in U.S. Healthcare Services