US urges mayors to confer with states on cyber posture, but can more be done?

  Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger speaks at a White House press briefing last February. (Photo by Drew Angerer/Getty Images)

    Members of the U.S. Conference of Mayors this week met virtually with U.S. Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, who advised them on the current ransomware epidemic and requested that city leaders “convene heads of state agencies to review their cybersecurity posture and continuity plans,” according to a White House press release.

    Cyber thought leaders were quick to acknowledge the importance of continued cooperation across federal, state and local jurisdictions, though several CISOs suggested that there wasn’t too much new ground covered and recommended ways the federal and state governments and private industry could do even more to assist overwhelmed municipalities.

    Mike Hamilton, founder and CISO of CI Security and former Seattle CISO, told SC Media he thinks having mayors seek support from state agencies is “likely a dry well” due to a mix of circumstance and restrictive policies. “States have their own problems with IT security, and many state governments are prohibited from offering services to local governments, as they can’t be in the position of competing with the private sector,” he said.

    Hamilton also said that the current federal strategy to curtail ransomware “could also [be] more specific about how public policy can assist in the fight… For example, the federal government could backstop the ailing insurance industry as a reinsurer, and combine that with a prohibition on paying ransom as well as working to deanonymize cryptocurrency transactions. That would have the effect of breaking the business model of the ransomware gangs and get them to move onto softer targets.”

    Still, even if the U.S. Conference of Mayors “may have been expecting more from the federal government, the readout seems to be a reiteration of existing support and yet another admonishment to secure networks,” Hamilton noted. “The federal government has always been ready as a responder, and as a no-cost provider of risk assessment – no changes there.”

    Gary Hayslip, current CISO at SoftBank Investment Advisers and a former CISO of San Diego, also said he “didn’t see anything new” that would catch U.S. city leadership by surprise.

    “Many of the recommendations from the administration are best practices that private industry follows, but unfortunately many municipalities don’t,” said Hayslip. “I found as a CISO for the City of San Diego for four years, there was a focus on delivering services to the customer (citizen) who votes. Cybersecurity wasn’t as sexy then as managing homeless issues, expanding the convention center, or filling potholes.”

    Moreover, while private industry often feels forced to implement security protocols within their walls to comply with regulatory requirements or keep customers and investors satisfied, there is not nearly as much incentive for a municipality, and the state often won’t meaningfully help in such matters.

    For instance, “as the CISO for the City of San Diego, there were times the state of California would recommend that municipalities follow certain security best practices, like using CIS20 as a baseline framework to manage risk. However, since the state wasn’t providing any funding for new security initiatives but only making recommendations, no city, county or town is really going to be held accountable for improving their internal security program, controls, or lack thereof,” he explained.

    Therefore, the federal government may ultimately have to step to the plate even further, and there will need to be incentives for state and private industry to become more invested in their local towns’ cybersecurity status, Hayslip commented.

    “What needs to change is municipalities need to be aware of security products and services offered by DHS/CISA and local Law Enforcement Coordination Centers (LECCs) and empower their CISOs to incorporate these services into current security programs,” said Hayslip. “Then municipalities should also look at what local services and partnerships are available to continue their effort in improving their security program, such as working with local security businesses, startups, and possible partnerships with other municipalities.”

    “Finally, I think states need to have some skin in the game in that they need to assess state infrastructure/networks and require cities to assess as well, using a chosen framework such as NIST CSF, and then… partner with federal government and private industry to improve their cyber report card.”

    Saumitra Das, CTO and co-founder of Blue Hexagon, emphasized the importance of state, local and education departments taking additional steps to mount a more powerful defense against ransomware “since many of them also control and manage the infrastructure that may be attacked.”

    “We experienced firsthand how state and local budgets were stressed during 2020 due to COVID-related expenses, and they could not purchase security products or hire staff that they had already planned for. This fact, combined with the increased onslaught of both nation-state and criminal gang threat groups, requires not the immediate evaluation of posture, but actual investment in cyber staff and acquisition of newer technology to combat the ransomware epidemic.”

    Despite these constructive critiques, other experts praised Neuberger’s efforts to maintain communication with U.S. cities as the threat of ransomware against city agencies and school districts reaches new heights.

    “Anne’s direction on disrupting the ransomware process is essential for the success of state and local governments in reducing ransomware attack efficacy,” said Sebron Partridge, former CISO of Riverside County and security strategist with cyber risk firm Epiphany Systems. “The United States formed the DOJ’s Ransomware and Digital Extortion Task Force in April 2021. This organization seized 64 of the 75 bitcoin ransom paid by a U.S. company to the DarkSide criminal enterprise. This, and many developments in the utilization and understanding of cryptocurrency tracking, will begin to increasingly reduce the capability of criminal enterprises to use cryptocurrency as an anonymous monetary vehicle.”

    “…Neuberger is taking a proper, proactive approach to escalating cyber threats facing this nation’s infrastructure,” added Richard Blech, founder of XSOC Corp. “Not only must U.S. mayors take the initiative to incentivize tech companies within their community to create project plans with milestones for delivery of solutions, but [they] should collaborate and share findings with all the other mayors’ findings and solutions. By doing this, there will be better cohesiveness between communities across the country, thus allowing a much more effective response time when an incident occurs in other locations.”