May 2016

Three perspectives on how DMVs should prepare for impending cyberattacks



State governments are at risk! Today’s headlines are filled with stories of cybersecurity incidents and their disturbing impact on both public and private sector organizations. No organization is immune from the consequences of a cybersecurity event. Cybersecurity protection, response, resiliency and recovery dominate the agendas of state chief information officers (CIOs), and it remains a top priority for the state CIOs and the National Association of State Chief Information Officers (NASCIO).

Because of the massive amount of personal information held in trust by state government agencies, including DMVs, states are attractive targets for hackers, cybercriminals and foreign entities. In the last three years, states have experienced a significant increase in cybersecurity incidents. Attacks from activist groups or “hacktivists” with political agendas also have become more prevalent. The latest twist is ransomware—criminals infiltrating government computer systems and holding agency data hostage until a ransom is paid.

For DMVs, the question of a cybersecurity incident is not if, but when. They are becoming more vulnerable to attacks because of the increasing severity, volume and sophistication of cyberthreats. Cybersecurity events now have the potential to significantly disrupt the business of government. State governments must view cyberattacks as more than incidents and must prepare for events with significant consequences beyond the loss of data. These can be termed cyber disruptions, disasters or even catastrophes. As a result, governors and other elected officials must be prepared to respond quickly to restore public trust.

Jurisdictions are facing persistent challenges in cybersecurity risk reduction because of several factors, but most importantly these four key issues: inadequate strategic direction and organizational structure; constrained security budgets; increasing sophistication of the threats; and lack of cybersecurity professionals. What should be the priorities for states? First and foremost, NASCIO recommends states organize for success with a clear and authoritative governance structure that includes all appropriate stakeholders (and not just technology leaders). Cybersecurity presents ‘business’ risks to the states and must be understood in this context.

Cybersecurity should be addressed as a significant risk to state government and funded at a level commensurate with the risk. Based on NASCIO data, the percentage of information technology spending on security is much lower than recommended benchmarks. This would include investments in continuous diagnostics and mitigation (CDM) tools for constantly monitoring cybersecurity risks and providing alerts. In addition, NASCIO recommends states plan for the consequences of a cyberincident or data breach with a robust response and recovery protocol, including a crisis communications plan.

And finally, make no mistake—there is a cybersecurity workforce crisis in state government. Because state government agencies can’t compete with private sector compensation, it’s imperative they develop innovative approaches to recruitment, develop university partnerships and find creative ways to build their cybersecurity teams. States should cast a wide net and work to identify and recruit minorities, veterans and candidates that would benefit from flexible work programs.

Cybersecurity risks must not be relegated to a ‘technology only’ discussion. Only by making cybersecurity a policy priority for state leaders, organizing for success, and embarking on innovative collaborations with public and private sector entities, will states be in a position to address the continuing onslaught of cybersecurity risks.

A Security-Focused Mindset

As a senior security engineer at LexisNexis, an emerging trend I’m seeing in cybersecurity is phishing or malicious emails. Cybercriminals are using very personalized emails that appear to come from legitimate sources—such as the user’s bank or from the IRS, for example—to get an unsuspicious user to click on the link, or download the attachment and unwittingly add a piece of malware to his or her computer. These types of email attacks have been on the rise, and many people have been falling into that trap.

Another cybersecurity trend I’ve noticed is Distributed Denial of Service (DDoS) attacks, which are carried out by automated bots or programs. As stated earlier, when people click on the links in phishing emails or download attachments, they unwillingly infect their computers with malware, which then can be used in a bot farm to conduct a DDoS attack. A DDoS attack works by overloading a website or an online resource with useless traffic. This way, the resources become unavailable for the authorized users.

The private sector has more tools in its arsenal to fight these threats. Although funding is often an issue with public entities’ information technology, such as DMVs, that doesn’t mean there’s nothing they can do to fight back. DMV employees should be educated about various cybersecurity threats and risks. Having employees with security-focused mindsets can prevent them from clicking on links in phishing emails or going to suspicious websites that could download malware onto a DMV computer or network. It is important to have annual training and regular communication—such as a newsletter that covers security topics—to help ensure employees stay security conscious. In addition, DMVs should ensure that their computer systems have anti-virus and anti-malware running and up-to-date. They also should have Internet filtering to prevent employees from accessing dangerous websites.

Additionally, jurisdictions should have policies in place regarding the use of personal devices by employees, such as a disclaimer that would allow the DMV to wipe the device to remove confidential data. Before a device is allowed on the network, it should be checked to make sure it is up-to-date with the latest security patches, is encrypted and is password protected.

Prioritizing Employee Education

The subject of cybersecurity is extremely important to the Idaho Transportation Department’s Division of Motor Vehicles. One of the things Idaho has done to help ensure staff know and understand the importance of good cybersecurity is provide mandatory training modules for every employee on the subject. The training is a good way to reinforce ITD’s emphasis on data integrity and protection of personally identifiable information. The partnership the DMV has with Idaho’s IT organization has proven to be very helpful in identifying phishing attempts, as well as ensuring good cybersecurity practices are in place throughout the organization. Ensuring that the staff know how to respond to a potential breach or cybersecurity threat is high on the Idaho DMV’s priority list of training initiatives.