Connecting state and local government leaders
With a big data breach, citizens might not be the only ones to lose confidence in a state government. Bond markets might react negatively, too.
2016 was a watershed year for both government and business when it comes to cybersecurity. It wasn’t just our perception based on incidents that dominated the news, a recent report found that breaches increased by 40 percent last year. And nearly all 50 states took the U.S. Department of Homeland Security up on its offer to help assess their voting systems just prior to last year’s presidential election.
But those assessments were a last-minute measure that only looked for vulnerabilities to date, and did not result in a comprehensive cybersecurity strategy for states. Despite these recent events, state governments have been slow in taking action to protect data.
Assessing systems for vulnerabilities and shoring up weaknesses takes time. This downtime before the midterm elections provides a much-needed opportunity for improving states’ overall security posture. Many states have technical controls in place, but need to focus on policy and processes around those controls such as a common data dictionary, monitoring and logging, incident response playbooks, asset procurement and management, and data transfer. A mature security posture also includes instilling a culture of security throughout the workforce.
Cybersecurity was a main topic at the National Governor Association’s recent winter meetings in Washington, D.C., where Virginia Gov. Terry McAuliffe hosted a session on the “serious cybersecurity issues” facing states. Virginia has been a leader in proactive measures on cybersecurity, still the state was targeted by 86 million cyberattacks just last year.
As state budget allocations from the federal government are decided, along with clarity on what states will need to focus on under the new administration, progress on cybersecurity will hopefully pickup pace—because trust and the ability to govern is at risk.
Data risk is expanding what it means to protect constituents. State agencies are warehouses of personal data—a single individual’s life can be pieced together using the information states gather on constituents. A breach could result in identify theft or financial fraud. Now that cybersecurity is on the minds of everyday people, they have an expectation and take for granted that the government is working to keep this precious private information safe and secure.
The business community has come to realize that it is no longer a question of if, but a matter of when they will be targeted. Any future breach of constituent data may cause citizens to question how secure government systems are. As a way to try and protect themselves, this may cause people to provide inaccurate or incomplete data, or even refuse to use automated systems—ultimately impacting the efficacy of state programs everywhere. Since many businesses also rely on state systems to provide information, such as Medicare/Medicaid verification, tax status, or driver’s license identification, integrity of this data has a trickle down effect.
A state’s citizens won’t be the only ones to lose confidence, concern will be contagious and extend to other states and even the federal government, as we saw during the primary cycle when it was revealed that Illinois and Arizona had been hacked.
Perhaps the most severe consequence of a government breach is the possibility that it will extend to the bond markets, resulting in lower ratings for states that have been compromised. It’s estimated that on average a breach results in a full-level downgrade for companies. Assuming a similar assessment for government, when it comes time to borrow money any state that’s been downgraded is likely to incur a serious hike in the cost of raising debt. Going from an A to BBB rating alone has been known to trigger a nearly three-quarters of a percentage point increase. On $100 million, this is equivalent to about $3 million in additional interest. Also, a state’s credit rating is a financial and economic indicator and one that governor’s like to tout when their state has been upgraded—especially when it’s time for re-election.
No doubt any such breach will become national headline news. Such disruption and consequences aren’t necessary. States can and should take precautions now…
Cathie Brown is the former deputy chief information security officer for the state of Virginia and current vice president of governance, risk, and compliance at Richmond-based Impact Makers.