Does your city council, state legislator, or even your senator have an understanding of cybersecurity? What about all the people who work for them?

There’s a chance that the people running your local, state, and even federal government don’t share a core understanding of the principles of cybersecurity, and that’s not okay. Over the past decade, the private sector has made it clear that cybersecurity isn’t impossible when organizations are willing to invest money and human resources into the fight.

Government employees’ sense of security doesn’t just impact their ability to create and uphold regulations. It also impacts their ability to keep your data — and even your family — safe. Moreover, the people (their bosses) think it’s important. According to a survey completed at the 2018 Black Hat conference, 88% of people believe that all government officials need a core understanding of cybersecurity, whether they draft legislation or not.

Why Cybersecurity is Critical for Government Employees

When you think of cybersecurity in the government, you think of top-tier practices to protect state secrets. However, every government, from the local town to the federal level, is vulnerable. In recent years, local governments in Florida, Maryland, and Texas have all been held hostage by attackers. When the city of Baltimore refused to pay $76,000 in Bitcoin to its attackers, it faced about $18.2 million in losses and expenses.

Investing in cybersecurity is more critical than ever before, and for every industry across the board. As the private sector shows, a commitment to cybersecurity requires a top-down approach. If the people in the C-suite aren’t committed, then the teams managing systems won’t have a security-first approach, either. The same needs to be true of governments at all levels, but that doesn’t seem to be happening.

Specifically, Richard Clarke, a cybersecurity expert who previously sat on the commission investigating the 9/11 attacks, said in an interview with Mother Jones: “...very little has been done in the last 10 years to protect… our electric power grid, our gas pipelines, and other sorts of critical infrastructure.”

With overwhelming threats from both individual actors and even foreign governments, why wouldn’t government employees all have a basic understanding of essential security skills? First, because a skills gap exists at both the federal and local levels: there are not enough people to fill the critical cybersecurity roles in the first place, much less to provide training to administrators and other employees.

What Kind of Skills Do Government Employees Need?

Beyond putting a new emphasis on hiring talented employees with relevant security certifications for critical cybersecurity workforce roles, everyone with access to government data or systems needs security skills. But what skills are the priority? After all, not every employee needs to learn about cryptography or network access control.

Amanda Sparks at Federal News Network argues that all government employees should know at least these six principles:

  • Vulnerabilities involved with failing to update apps and software
  • Dealing with emails from unknown sources
  • Staying secure on social media
  • Handling procedures for work devices (phones, tablets, etc.)
  • Proper storage of documents
  • Spotting and reporting suspicious activity

Some of these should already apply both in common sense and training. Don’t include government employment data on social media profiles. Flag suspicious emails and don’t download attachments. And so on.

However, personal devices are a real weakness not only for governments but for the world generally. In addition to no-tolerance policies for personal use, employees need to know how to use devices safely and how to destroy those devices effectively so that no data can be recovered.

How Governments Are Attempting to Tackle the Skills Gap

At the federal level, both the executive branch and Congress are attempting to shore up the security issue with two bills aiming to close the gap for federal agency employees. In October 2019, Rep. Ro Khanna (D-Calif.) introduced legislation requiring all federal employees to undergo basic cybersecurity training with an emphasis on the risks presented by the IoT. It was an update to Title 44, section 3554 of the U.S. Code and will be overseen by the Office of Management and Budget.

There was also a bipartisan effort to improve security generally through the Internet of Things Cybersecurity Improvement Act, which legislators also introduced in 2019. The bill, if passed, will ensure that government agencies complete due diligence before buying IoT and internet-enabled devices from contractors. It would require the establishment of a vulnerability disclosure process for federal agencies to use on any related tech purchase.

While these bills find themselves languishing on the floor of Congress, state and local governments can pick up the slack and pass these bills on their own. Mandating the kind of security training and measures outlined in the bills above not only saves on waste and protects from breaches, but it also opens up opportunities to hire new specialists. For example, funding a grant program to help pay for cybersecurity education and training for veterans could fill the skill gap while also employing an otherwise vulnerable population in a growing and urgent field.

Government Cybersecurity is Both a Challenge and an Opportunity

Cybersecurity needs to be taken seriously at the top levels of the government in order for everyday administrators with limited data access to also take it seriously. Although it is expensive and time-consuming, teaching every government employee about the core principles of security will strengthen the government and prevent millions — if not billions — in losses over the coming years.

The process also opens up opportunities to make the government a leader in the field. It can lead in promoting diversity in cybersecurity as well as in investing in innovations that provide models for the private sector.

Ultimately, the government has a problem and it’s only going to grow worse as hackers become more sophisticated. The time to start with security planning was yesterday, but today isn’t a bad place to start.