The great news is that the United States is finally addressing cybersecurity at the national level. But what about the state, local, and educational (SLED) levels? The sad truth is that many states depend on legacy data systems, which lack resiliency to cyberattacks. And the vast majority of data systems in local government and public education are even weaker. These public bodies are aware that they need to upgrade their security. But, with a shortage of qualified security professionals, state and local governments must compete with each other, the federal government, and private industry to attract the needed talent.
What's at stake
One of the biggest vulnerabilities faced by SLED is the potential crippling of critical infrastructures by cyberattacks. An attack at the SLED level could result in lateral movement, so a vulnerability in one place means broader vulnerability. Interlinked systems in electrical grids, oil and gas pipelines, public safety services, and public water systems represent a complex patchwork of vendor solutions, configurations, and policies that make data security a challenge. The power grid, for example, is regulated at the state level but impacts large regions. On the school district side, instances of breaches leading to student personal data leaking onto the dark web are increasingly common.
Challenges to transformation
State and local governments often lack the budget for needed upgrades. In the face of other pressing needs, these agencies have often pushed cybersecurity to the back burner.
Just as severe is the shortage of cybersecurity professionals. According to Cyber Seek, there are half a million cybersecurity jobs in the U.S. going begging.
Another challenge is the profound interdependency of modern data systems. State and local networks are necessarily cross-connected to enable everything from Medicaid administration to law enforcement. But each system is only as secure as the weakest link. Data in one state is only secure if data in every state is secure.
SLED data system security is fragmented because each state or local government and school districts have their own approach to security. Not surprisingly, some may have little or no security. Even secure systems may have incompatible policies, leading to security gaps when systems and people exchange data.
Finally, policymakers and the public do not fully understand how vulnerable SLED organizations are to cyberattacks and the severity of the risk—even though incidents like the Colonial Pipeline ransomware attack have raised public awareness. We cannot afford to put off serious action until after a catastrophic attack.
Trends in SLED cybersecurity
Fortunately, some government agencies are pursuing SLED data security. For example, the StateRAMP public-private partnership promotes consistent ready-to-deploy security solutions for state government. StateRAMP standards encourage the adoption of secure cloud services with standards, vendor certification, and regulation.
And there’s more hopeful news: The infrastructure reconciliation bill pending in the House of Representatives includes $400 million for implementing President Biden's May executive order on cybersecurity. This bill allocates $50 million for the Multi-State Information Sharing and Analysis Center (MS-ISAC), whose mission is "to improve the overall cybersecurity posture of the nation's state, local, tribal and territorial governments." This bill also includes $100 million to fund cybersecurity education and training.
Finally, the recently announced Joint Cyber Defense Collaborative (JCDC), part of the federal Cybersecurity and Infrastructure Security Agency (CISA), will help states and localities develop broadly consistent plans for cyberattack resiliency. The JCDC website notes that we must address cybersecurity collectively: "None of us can do it alone."
What must be done to secure SLED systems
Securing SLED data centers will be a massive undertaking. The most effective path to success is through a coordinated effort to transform security systems at all levels.
Transformation will require substantial investments for state-of-the-art security technology at every level, such as zero trust architectures and secure cloud adoption. And it will take human capital. SLED organizations need to develop, attract, and hire top-notch cyber professionals.
To achieve success, the public and private sectors need to cooperate closely. The public sector needs the private sector's cybersecurity know-how and talent. And the private sector needs public sector institutions that can support stable infrastructure.
Crucially, we must rationalize SLED data centers. The U.S. has thousands of these data centers. Coordinating cybersecurity policy among so many disparate agencies is nearly impossible, so the best path forward is to consolidate these data centers into a manageable number by shutting down local data centers and moving their functions to the state level.
This step is absolutely necessary to reduce the SLED attack surface and ensure that all levels of government use state-of-the-art cybersecurity. With dozens rather than thousands of individual data networks, SLED organizations can ensure consistent security policies with no gaps—and make the most efficient use of a limited talent pool.
That’s not to say that this will be easy. Datacenter consolidation will result in some loss of local control. It will disrupt existing cybersecurity teams and lead to local job displacement. We might lose valuable talent as cyber professionals find other careers. Anticipating these disruptions, those involved with SLED legacy data systems are likely to oppose consolidation.
To make this transformation successful, we need to tackle these issues head-on.
Above all, we need to communicate effectively when presenting the strategy for cybersecurity transformation, its purpose, and its roadmap. We must make it clear to all stakeholders—staffers, managers, government officials, and the general public—that:
- The changes are absolutely necessary to prevent disaster and enable future growth and resilience.
- Nobody needs to lose their livelihood as a result of consolidation. We will repurpose local talent, ensuring that IT professionals can use their considerable skills locally to help build a resilient, future-proof digital infrastructure.
This is actually a win-win scenario. Nobody loses their job. In fact, transformation may provide opportunities for career advancement, as IT professionals learn how to implement and manage the latest cybersecurity tools. And the public derives benefit from the value that they add.
Conclusion
Deep transformation of SLED data infrastructure is absolutely critical to prevent and mitigate catastrophic future cyberattacks. A stable, reliable digital infrastructure is essential for tackling critical challenges such as climate change mitigation and pandemic recovery and prevention.
As a society, we are moving ahead on national cybersecurity, but we must not neglect SLED cybersecurity. Our future depends on it.
What to read next
From Wisconsin’s former CIO: Cybersecurity must be a national priority