Transcript: The Cyber Savvy State Government
Host (H): Welcome to another edition of Deloitte Insights, a production of Deloitte LLP. Deloitte Insights is an audio news podcast that looks at important business issues. Today’s program, “The Cyber Savvy State Government.”
The growing cyber threat or disruption of our lives on the internet can affect us as citizens. It affects our economy, our national security, and our central government services. How can governments mitigate these cyber risks while continuing to provide constituents with efficient and effective services in a trusted environment? Joining us today to discuss some of these issues are General Harry Raduege (GR) and Srini Subramanian (SS). General Raduege is chairman of the Deloitte Center for Cyber Innovation, and Srini is a director with Deloitte and Touche LLP and leads our state cyber security initiative.
Welcome to the program!
General Harry Raduege (GR): Thank you very much, good to be with you.
Srini Subramanian (SS): Thank you, I am happy to be here today.
H: General Raduege, let us begin by briefly discussing the current cyber security landscape across government. What are some of the key challenges this emerging cyber domain poses for states, and do these public sector challenges differ from private sector challenges?
GR: Well, cyber space today is often described as the fifth domain, and that is following the earlier defined domains of land, sea, air, and space, and where the original four domains have defined boundaries, cyber space has no boundaries and, interestingly, runs through the other four domains. And so in these ways, cyber space is a unique fifth domain that we have actually created. With respect to key cyber security challenges facing the federal government, national security is probably the primary challenge based on the daily threat occurrences and the potential for disruptive cyber attacks against the central government services and critical information losses due to cyber espionage. Now for the state governments, the key cyber security challenges involve ensuring continuity of essential services like power, water, police, fire, and hospitals, protecting against the growing areas of cyber crime, and protecting the privacy of the citizens' personal information, for example, in the areas of health and human services, department of motor vehicles, and educational systems, and I think another reason and challenge for the states is finding adequate funding for the essential needed improvements in these vulnerable areas. Now, many of the public and private sector challenges are the same, but there are also some distinct differences. Both of these sectors generally lack an overall strategy or a road map for addressing cyber security challenges, and with that quite often clear policy, authorities, and standards are limited or nonexistent, and although both public and private sectors have to comply with laws and regulations, global organizations have to also address the different regulations in every country in which they operate, and that is a massive job.
H: Srini, as reliance on cyber connections grows, governments and citizens must focus on awareness and education as tools for deterrence. Most people do not think about identity theft until they become a victim. What can states do to change this cyber mindset so that agencies and citizens are proactive versus reactive?
SS: This is really a two-part question. Why is it important for the states to focus their attention on cyber security, and how do we create a cyber mindset, in other words, what should the states do about cyber security awareness? Let us first see why cyber security is important to the states. According to the U.S. Department of Justice, identity theft is the No. 1 crime in the nation. The U.S. Department of Justice also said that the public sector accounts for more than a third of all the data breaches reported. About 79 million records were reportedly lost in a span of 12 months in the public sector alone. It is not difficult to see why. States have the most comprehensive information about citizens, starting from birth, education, K-12, university and college education, professional licenses, our job, income tax, property, law and justice related information, driver and motor vehicle information, personal medical records until death. States collect and provide services related to the information about all of these areas. The internet has revolutionized the way the states interact with their citizens. During the past decade, the states have done an outstanding job of responding to the citizen demand for online access to government services. As the states started providing these services and interacting with their constituents, they started collecting, storing, using, and sharing the citizen data electronically. In the cyber age, information is an asset. As the states are starting to accumulate these assets, they should also start to protect these assets against exposure to an unlawful element. Needless to say, the states need a comprehensive strategy, tactics, and adequate funding to protect these assets.
Now, let us look at these exponentially growing information assets in the context of the cyber crime trend. Cyber criminals have gotten organized. The threat is no longer casual hackers and thrill seekers just looking to deface this agent. Organized criminals are equipped with the tools, techniques, and processes to steal the data and benefit financially from it. William Sutton, the notorious bank robber of the past century, once said, “I robbed banks because that is where the money is.” Similarly, cyber criminals are looking at the state governments as a rich source of citizen data, also because states are perceived to have a weaker security posture compared to more regulated and better equipped organizations such as banks and financial institutions. And thus, the states face the most daunting job of protecting their growing information assets while delivering services and maintaining citizen trust. Now this brings us to the next question: “how do we go about creating a cyber mindset?” Today, cyber security awareness happens at multiple levels in state governments. At the executive level of secretaries, the data breach notification legislation that more than 45–46 states have in place today has helped increase the awareness, often through the painful realization that a data breach notification has to be issued and unplanned dollars are to be spent on the cleanup investigation and providing credit monitoring services to the impacted constituents. At the next level of the Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs), organizations such as the National Association of State CIOs and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are doing a phenomenal job of spreading awareness and providing the trends that the state CISOs and the CIOs can use, and the state governments are also making the security training and awareness sessions mandatory.
At the citizen level, the states are providing cyber security information awareness through their Web pages. These efforts are clearly not enough. Citizens do not go to a state Web site to proactively learn and be educated about identity theft; they come across it or are directed towards it after they have already become a victim of identity theft. A comprehensive new cyber security awareness campaign is required to address the awareness needs at these multiple levels. The states can start collaborating with the federal sector as well; I mean, for instance, the federal Department of Homeland Security has just launched a national cyber security awareness campaign challenge to invite innovative ways to get our children, families, and workforce to have the cyber mindset and become cyber savvy. This is going to take time, effort, and funding.
GR: Well, let me comment on a couple of things that Srini just mentioned there, and based on my military background, the states have really become a target-rich environment for criminals who are seeking identities of their victims, and this is happening more and more today. In fact, I have had several good friends just recently who have tremendous credentials working in this area and have held top security positions in the federal government who have become victims themselves, and this is very discouraging to them when their private information is taken captive by criminals who are actively working more and more on the internet. Let me also comment about creating a cyber mindset, because we are finding that we really need to establish better awareness and education throughout not only our government activities but also industry and also among the common individuals in our private lives, because these areas are becoming very important to us as far as protecting ourselves against the cyber security threats that are around us every day, and really there needs to be a national-level campaign to establish this cyber mindset so that we really are aware of what the vulnerabilities are to our networks and our systems, whether they are at our homes or in our business operations, and then also to be able to know what the threats are to us; and those two areas, the vulnerabilities and the threats, are key, I think, to creating a clear cyber mindset of how to protect yourselves and how to make sure that you do not become a victim of the people out there that are preying on us every day.
H: We have heard a lot about the risks and threats in cyber security. Srini, how are the states responding to the challenges that we have described? Is there a roadmap for successfully moving forward?
SS: I have some thoughts, and I also believe it is going to take a lot of focus and effort and hard work; first and foremost, cyber security is not a technology issue, it is a business issue that deals with citizen safety and citizen trust in government. Consequently, it must become a priority for the governor and the governor’s office at the state level. Second, we need to tackle the governance of this cyber security that General Raduege talked about as a challenge; for instance, today a number of state-level chief information security officers do not have the budget, authority, or visibility over the cyber security measures at the state agency level. The federated and oftentimes autonomous model of state governance is a contributing factor to this governance challenge. A number of states are trying to address cyber security governance by enacting statutes or executive orders to grant authority to the state chief information security officers. It is a great start, but it is not adequate. Contrast the chief information security officer in a state government sector with a similarly sized private sector enterprise, say a corporation with revenue of 25 to 50 billion dollars, which is the average revenue of most of the states. The private sector is regulated more; it has security and risk executives that have the budget, global authority, and known consequences for noncompliance and negligence, and hence more accountability. The governor’s office could consider designating a cyber security coordinator at the state level, perhaps similar to the White House cyber security coordinator, with clear authority for cyber security across program and technology and spanning agency boundaries.
The states will then be in a better position to implement effective cyber security measures by asking some simple and appropriate questions for any major program strategy and implementation; for instance, one could start with “what should be the state’s cyber security goals and objectives?” A number of states have already taken this path of establishing and articulating their cyber security strategic plans. The next question could be “how do we fund this cyber security initiative?” Again, some states have taken the initiative to look at innovative ways of funding some of these programs through state, federal, and in some instances special federal grants from agencies like the Department of Homeland Security. “What are these information assets and their associated risks?” Come up with a plan to inventory the information assets across the state agencies and the risks associated with them, because it is simply not practical to protect all information that states have at an equal security measure. The states must take up a risk-based program. And to do that, how do I prioritize my cyber security actions? Do I have a risk framework in place? And finally, is there an effective cyber security program measurement: how do I measure those programs, how do I continue to improve on these programs and report on how effective they have been? This aspect of program measurement is an important aspect to continue to get funding and emphasize the need for the existence of such a program.
GR: Absolutely, well in addition to the roadmap ideas that Srini has outlined, we often talk in terms of addressing cyber security in three ways: addressing people, process, and technology, and frankly those are in the order of importance. People become the most important and highest payoff area for any organization. Creating a cyber mindset within your people and establishing the proper awareness and education in this vital area of cyber security is just really so very important to any organization, and frankly, the states are having tremendous funding issues, and when funds are really tight, you can still get with your employees and have a much less expensive improvement across your entire organization through the awareness and education; for example, when purchasing the technologies that are needed, you can get a lot of bang for the buck by creating the cyber mindset in your people and then having that create the proper atmosphere and environment across your entire enterprise.
H: You have both shared a lot of information with us today. Thank you so much for joining us.
GR: Thank you for the opportunity.
Visit: Deloitte.com/us/cci to access additional insights on today’s discussion.
You have been listening to Deloitte LLP’s production of Deloitte Insights, the program that looks at today’s important business issues. We want to hear from you.
Visit: Deloitte.com/us/podcasts to give feedback, ask questions, or discuss the issues with fellow listeners.
This podcast contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this presentation, rendering accounting, auditing, business, financial, investment, legal, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any losses.