States Experiment with Automation to Bolster Cybersecurity

One of the large video screens is checked in the Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC) in Arlington, Va., Wednesday, Aug. 22, 2018.

One of the large video screens is checked in the Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC) in Arlington, Va., Wednesday, Aug. 22, 2018. AP Photo/Cliff Owen


Connecting state and local government leaders

A new pilot program overseen by Johns Hopkins University's Applied Physics Laboratory hopes to cut down on the time it takes for governments to respond to potential cyber threats by automating the process.

State and local governments have been a favorite target of hackers using ransomware and other cyberattacks in recent years.

Rather than leaving these governments to face down threats alone, a new pilot project aims to help them bolster their online defenses by automatically identifying potentially troublesome IP addresses and malware files for them.  

Information technology agencies in four states and one county are participating in the program, which uses security orchestration, automation and response (SOAR) tools to share intelligence on cyber threats and automatically take action to protect systems against them. The pilot is using a framework developed by the Johns Hopkins University Applied Physics Laboratory (APL) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

Relying on indicators of potentially malicious activity on a system or network flagged by the Multi-State Information Sharing and Analysis Center, the states are able to respond quickly to suspected cyber threats.

“We just want to help the states augment their current capabilities because of the growing threat and there are only so many staff that agencies can bring into the problem,” said Charles Frick, Jr., the APL's lead investigator overseeing the project.

If suspect IP addresses or untrustworthy domains can be flagged proactively, the technology can alleviate some of the current heavy workload of cybersecurity analysts, Frick said. Depending on how state and local governments chose to set up the process, a detected threat could automatically be shut down or banned from the network, or once data is collected on the potential threat, an analyst could take up the process to determine next steps. Either way, cybersecurity professionals say the program will be a timesaver.   

A simple process like looking up an IP address to determine if it’s operated by malicious actors may take less than 10 minutes to do manually, said Lester Godsey, the chief information security officer for Maricopa County, one of the jurisdictions participating in the pilot program. But it’s the type of task that the county’s six-person team spearheading the program has to do hundreds of times a day.

“If you do it 50 to 100 times a day, that is a significant time savings over the day,” Godsey said.

Arizona, Louisiana, Massachusetts and Texas are also participating in the program. Frick said the program expects to release some initial results from the pilot at the end of September.

Local governments have struggled at times to keep up with the continued threat of ransomware or cyberattacks. A coordinated ransomware attack that targeted 23 Texas municipalities last summer was seen by security experts as a particularly bad example of the worsening escalation of cyberattacks on local governments.

States have taken measures in recent years to enhance their security postures, at times coming to the aid of municipalities as well.

Last year, Ohio established a volunteer “cyber reserve,” a civilian unit of the National Guard, that will be called on to assist local governments in the face of ransomware or cybersecurity attacks. Others have turned to cyber insurance to help pay for the costs of restoring their computer systems if they are compromised during a ransomware attack.

Maricopa County had already begun to delve into automation of security processes before the pilot, Godsey said. But the program has allowed the county’s Office of Enterprise Technology to focus on identifying the workflow processes best suited for automation. It also provides the county with a higher degree of confidence that the information used to flag potential cyber threats is accurate, he said.

Overall, Frick said a local government’s cybersecurity operations need to be fairly mature to support the automated process. 

If agencies have not experimented with automation, Frick said the best way to prepare for the process is to take a hard look at the workflow associated with cybersecurity operations. Once staff understand and document the steps in place as part of the manual process, they will be better prepared to automate the process.

Andrea Noble is a staff correspondent with Route Fifty.

NEXT STORY: State Watchdogs Plan to Monitor Covid Data Accuracy