Cybersecurity for Federal and Local Governments: What You Need to Know
What if our military couldn’t rely on safe ways to communicate? What if the IRS wasn’t able to securely transfer your tax return directly to your bank? What if the DMV took even longer to issue permits and driver licenses? Cyberattacks threaten our entire public services ecosystem, from federal government agencies, all the way down to states, counties, and townships.
Over the past couple of years, cybersecurity threats to our public institutions and infrastructure have garnered increased visibility in the media. This is due, in part, to the consequences of recent cyberattacks going beyond data loss or theft of digital assets—whose repercussions, while extremely serious, can seem a bit “abstract” to most people—and negatively affecting people’s everyday lives in very tangible ways.
The ransomware attack on the Colonial Pipeline shut down one of the largest US pipelines, causing days of panic-buying and gasoline price surges. The cyberattack on meat giant JBS forced the company to halt cattle slaughtering at all of its US plants for an entire day, threatening food supplies and risking higher food prices for consumers.
76% of security leaders have reported an increase in cyberattacks over the past 12 months, and governments and public institutions are no exception. Remember the SolarWinds cyberattack? Hackers managed to infiltrate the IT firm’s network and covertly add malicious code to its software system, “Orion”. Many companies and government agencies use Orion to manage their IT resources, and with every update installed, the malicious code infiltrated their own digital networks.
Affected organizations included parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Treasury. While officials have reassured the public that hackers only got access to unclassified data, the broader repercussions of an attack of this magnitude have not yet been tallied.
The Rise of the Cybersecurity and Infrastructure Security Agency
The National Protection and Programs Directorate (NPPD) was established in 2007 as part of the U.S. Department of Homeland Security. Its goal was to broadly reduce any threats to American cyberinfrastructure as well as critical physical infrastructure.
However, in 2018, as the need to address cyber threats became more urgent and widespread, the Cybersecurity and Infrastructure Security Agency (CISA) was created, replacing the NPPD and expanding its scope to assist both other government agencies and private sector organizations in addressing cybersecurity issues.
Given the wide range of dependencies it’s been tasked to educate and protect, CISA consists of the following departments:
- Cybersecurity Division
- Infrastructure Security Division
- Emergency Communications Division
- National Risk Management Center
- Integrated Operations Division
- Stakeholder Engagement Division
While the primary focus of the agency is to keep our federal and local governments safe from cybercrime, according to the CISA services catalog, they also “seek to help organizations of all types better understand and increase resilience using all available resources, whether provided by the federal government, commercial vendors, or small businesses”.
Jen Easterly, CISA’s director, spoke about the agency’s role: “within the federal cyber ecosystem, CISA is the ‘quarterback,’ charged with protecting and defending federal civilian government networks; leading asset response for cyber incidents; and ensuring that timely and actionable information is shared across federal, non-federal, and industry partners.”
Taking Charge With the “Defend Forward” Strategy
In 2018, the US Department of Defense introduced the concept of “defend forward” in their yearly Cyber Strategy Summary. This strategy revolves around two main concepts: (1) being proactive in observing, pursuing, and countering adversary operations; and (2) imposing costs in day-to-day competition.
The first tenet boils down to “knowledge is power”—by improving our intelligence about hackers’ capabilities, we can provide early warnings of impending attacks and respond to them much more quickly.
The second is a universally acknowledged truth: when choosing between a high-cost and low-cost target, hackers will always try to conserve resources. Therefore, forcing higher costs will cause malicious actors to either divert all of their resources into one exploit or cease the attack altogether and move on to an easier target.
With the Defend Forward strategy, the US Department of Defense aims to disrupt and defeat ongoing malicious cyberattack campaigns and deter future ones by going into foreign networks and hunting for upcoming threats.
The Issue of Voluntary Security Standards
Currently, private firms providing critical infrastructure—such as energy systems, drinking water, communication networks, and emergency services—are not required by law to follow any specific cybersecurity measures. While CISA does provide guidance and defines recommended controls, it doesn’t have the power to enforce them.
Because CISA holds such a central role within the larger cybersecurity ecosystem, Easterly is making a case for moving critical infrastructure beyond voluntary security standards—a strategy that Chris Inglis, the White House’s national cyber director, also advocates.
Easterly stated: “I do think it’s important that if there’s a significant cyber incident, that critical infrastructure companies have to notify the federal government, in particular CISA. We have to be able to warn other potential victims.”
Cybersecurity for Federal and Local Governments
Federal agencies and local governments all use the same fallible technologies that allow us all to share information, save documents online, communicate instantly, and store data in the cloud or physical servers.
However, unlike their counterparts in private enterprises, federal and local governments often store highly classified and private information, which needs an even more rigorous layer of protection from hackers and malicious actors.
How You Can Help
Cybersecurity is a constant battle, but now you can train to help keep our digital systems secure. Career-prep programs like Old Dominion University Cybersecurity Bootcamp can help you gain the skills and knowledge you need to start a career as a cybersecurity defender and help make our federal and local governments safer.
The ODU Cybersecurity Bootcamp curriculum prepares you to enter the cybersecurity workforce no matter your initial level of tech-savvy. Additionally, while not mandatory, the bootcamp also offers elective classes that prepare you for 8 globally recognized cybersecurity certifications:
- LPI Linux Essentials
- AWS Certified Cloud Practitioner
- CompTIA Network+
- EC-Council C|ND – Certified Network Defender
- CompTIA Security+
- EC-Council C|SA – Certified SOC Analyst
- EC-Council C|EH – Certified Ethical Hacker
- (ISC)² SSCP – Systems Security Certified Practitioner
If you are just starting out in the cybersecurity industry, acquiring some of the above certifications can help you stand out to employers and serve as an additional confirmation that you have what it takes. Keep in mind that sitting for all of the above exams in less than a year is a very daunting undertaking, so we generally advise students to aim for two to three certifications.
So what are you waiting for? If you are serious about a future in cybersecurity, the time to start is now. New cohorts start on a rolling basis—schedule a call with our admissions team and learn how you can become a cybersecurity professional in Virginia in less than a year!