State & Local Government (SLG) is quickly adopting to demands of 21st century U.S. citizens demanding e-government (E-GOV) services. With E-GOV comes both the convenience of Internet services necessary to support tech-savvy Cyber Citizens along with the not-so-convenient threat of transactional man-in-the-middle attacks or data theft / loss to profit-seeking malevolent cyber squatters or foreign governments bent on sacking the little guys. Little guys here in the sense that without structured CIA assurance models adopted by the U.S. military or OMB-supervised Federal agencies which have significant budgeting and training strategic IT security defenses.
U.S. SLG agencies on the other hand, not so much sometimes. Consider for example some of the crown jewels and adjoining vulnerabilities at State & Local government cities and counties that make SLG such coveted targets of these profiteering cyber crooks and hacking ne’er do wells.
- Public Safety & Environmental Security Risks: SLG agencies manage supervisory control and data acquisition (SCADA) and industrial control systems (ICS) controlling critical energy (gas & electric),water supply, and waste management systems. These systems are distributed across much of the U.S.. In fact, much of our nation’s critical infrastructure is managed not by large highly organized and regulated agencies of the U.S. federal government or Defense Department, but by smaller often disjointed entities operating independently on a shared interagency computing infrastructure or network.
Take these risks and compound them with the nearly endless array of personally identifiable information (PII) data stores available on these computer systems, and it becomes even more compelling for those interested in selling data on the black market to the highest bidder. This highly sensitive data is found typically unclassified (i.e. no designation for public, private, personal data etc.…) and unencrypted on file shares, USB drives, electronic databases, optical media and on laptops/PCs usually without even basic rights management or file auditing enabled to track access by authorized users.
- National & Homeland Security Secrets: SLG maintains control of valuable and often unique electronic data including PII in the form of
- Legal, criminal, and health records
- Juror names & Judges information
- Juvenile Criminal Records (under 18 files protected by law from public disclosure)
- Domestic Assault & Rape Victims Names and Addresses
- Police & Sheriff Fingerprint Databases
- County Hospital & Health Department Medical Records
- Registered Voters‘ Social Security Numbers
Finally, the perfect storm emerges once the weaknesses in many SLG communities are exposed by the weak IT security standards or enforcement mechanisms which result out of low budgeting constraints, political boundaries to security enforcement authority, and limited availability of security-trained application developers or security personnel to address detected problems.
- Organizational Weaknesses: SLG agencies are fundamentally organized differently than federal agencies or businesses which often creates a potentially high risk operational environment.
- Counties run hosted revenue system for the states, but are often left to manage their own security standards.
- Complex disjointed departments without a unified top down management or security enforcement ability are still typically interconnected on the same networks to other agencies without clear security protocols or defined encryption methods or interagency firewalls
- Many cities and counties have low or zero funds for developer security training or dedicated security staff
- Local Election Commissions manage voting at local, state, and federal levels
Data Breaches in State & Local Government affect our personal privacy, financial information or federal constitutional rights
- E-Voting machines affect outcome of city, county, state, and federal elections and eventually the laws of our land
- Stolen Social Security numbers from laptops affects identity’s security
- Tax systems affect personal finances and legal/criminal accountabilities
- Legal & justice system databases affects us legally and possibly our privacy
- SCADA & ICS systems affects the environment and our personal safety as utility consumers
Data Loss Prevention technologies comes in many forms from Microsoft, but there are a few technologies at different defense-in-depth layers that stick out to help SLG prevent loss of this sensitive data in government.
- AD Rights Management Services (File layer)
- RSA Data Loss Prevention Suite (File, app & network layers) – integrates with RMS
- Forefront Unified Access Gateway (App layer)
- HTTP redaction to remove PII in web apps
- Attachment wiper
- BitLocker (Drive/volume layer)
Technology alone will not make SLG data secure, but if SLG combines these technologies with a good security policies, a security development lifecycle (SDL), encrypted connections (SSL/IPsec) using the doctrine of least privileges access and a top-down security management approach that’s enforceable; then these technologies from Microsoft can assist government is securing its data on premise, in transit and in the cloud.,