
DNS Poisoning: Understanding the Threat and Securing Your Online Experience

In the world of the Internet, the Domain Name System (DNS) plays a vital role in translating human-readable website addresses into computer-readable IP addresses. It acts as a directory that helps users navigate the vast online landscape. However, the DNS is not immune to security threats, and one such threat is DNS poisoning. In this blog post, we will delve into the intricacies of DNS poisoning, its potential dangers to internet users, and how SafeDNS can protect your online activities. Let’s explore this topic further.

What is DNS Poisoning?

DNS poisoning, also known as DNS cache poisoning or DNS spoofing, is a cyber attack that manipulates the DNS resolution process to redirect users to malicious websites or intercept their network traffic. The attack targets the DNS cache, where previously resolved domain names and their corresponding IP addresses are stored. By injecting false records into that cache, attackers can silently redirect users' traffic to sites they control, without the users' knowledge or consent.

Attackers can poison a cache by impersonating a name server: they send a request to a DNS resolver and then forge the response the resolver is waiting for from the real name server. This works because DNS normally runs over UDP (User Datagram Protocol) rather than TCP, so there is no connection handshake, and because plain DNS carries no authentication of responses; a resolver that does not validate DNSSEC accepts any reply that matches its outstanding query.

The Mechanics of DNS Poisoning

DNS poisoning typically occurs in two forms: client-side and server-side attacks. In a client-side DNS poisoning attack, malware infects the user’s device and modifies its DNS settings to redirect DNS requests to malicious servers. On the other hand, server-side attacks exploit vulnerabilities in DNS servers, allowing attackers to inject false DNS records directly into the server’s cache. This enables them to redirect traffic across multiple devices connected to the compromised server.
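The server-side case above comes down to what a resolver is willing to cache. The following added example (not SafeDNS code; the `Response`, `OutstandingQuery` and `Resolver` classes and all addresses are constructed here) models the checks a hardened resolver applies before accepting an answer: the reply must match the outstanding query's randomised transaction ID and source port, come from the server that was asked, echo the same question, and only records inside the answering server's own zone (the "bailiwick") are cached.

```python
"""Toy model of the checks a hardened resolver applies before caching an
answer. Added illustration, not SafeDNS or BIND code: the Response and
OutstandingQuery classes, the Resolver class and all addresses are
constructed for this example."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    txid: int        # 16-bit transaction ID echoed from the query
    dst_port: int    # UDP port the reply was sent to (the resolver's source port)
    src_ip: str      # address the reply claims to come from
    qname: str       # question section echoed from the query
    answers: dict    # name -> IPv4 address records carried in the reply


@dataclass
class OutstandingQuery:
    qname: str
    txid: int
    src_port: int
    server_ip: str   # authoritative server the resolver actually asked
    zone: str        # zone that server is authoritative for (its "bailiwick")


class Resolver:
    def __init__(self):
        self.cache = {}      # qname -> IPv4 address
        self.pending = {}    # (txid, src_port) -> OutstandingQuery

    def send_query(self, qname, server_ip, zone):
        # Randomise both the transaction ID and the source port: a reply must
        # match both before it is even considered, which is far harder to
        # forge than a transaction ID alone.
        q = OutstandingQuery(qname, secrets.randbelow(1 << 16),
                             1024 + secrets.randbelow(64512), server_ip, zone)
        self.pending[(q.txid, q.src_port)] = q
        return q

    def receive(self, r):
        q = self.pending.get((r.txid, r.dst_port))
        if q is None:
            return "dropped: no matching outstanding query"
        if r.src_ip != q.server_ip or r.qname != q.qname:
            return "dropped: source or question does not match the query"
        del self.pending[(r.txid, r.dst_port)]
        # Bailiwick rule: cache only records for names inside the zone the
        # answering server is authoritative for, so a reply for example.com
        # cannot plant a record for an unrelated domain.
        accepted = 0
        for name, ip in r.answers.items():
            if name == q.zone or name.endswith("." + q.zone):
                self.cache[name] = ip
                accepted += 1
        return f"accepted {accepted} record(s), ignored {len(r.answers) - accepted}"


if __name__ == "__main__":
    resolver = Resolver()
    q = resolver.send_query("www.example.com", "192.0.2.10", "example.com")
    reply = Response(q.txid, q.src_port, "192.0.2.10", "www.example.com",
                     {"www.example.com": "192.0.2.80", "bank.example.net": "203.0.113.5"})
    print(resolver.receive(reply), resolver.cache)
```

Real resolvers (BIND, Unbound, Knot Resolver) implement these checks already; the model shows why a cache that skipped any one of them, notably the bailiwick rule, could be fed a record for a domain the answering server has no authority over.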

The Dangers of DNS Poisoning

DNS poisoning can have severe consequences for both individuals and organizations. Here are a few notable dangers:

  • Leakage of Sensitive Data: Phishing attacks can lead to the leakage of sensitive data. Attackers may attempt to trick users into revealing confidential information such as bank card details, login credentials, or personal information. By impersonating legitimate websites or services, phishing attacks can result in the inadvertent disclosure of sensitive data to malicious actors.
  • Malware Distribution: DNS poisoning can be employed to redirect users to websites that host malware, resulting in unintended downloads and installations of malicious software.
  • Unauthorized Data Access: Man-in-the-Middle attacks pose the risk of unauthorized access to personal data or the interception of sensitive information. In such attacks, malicious actors can intercept network traffic and manipulate or steal data by altering packets. This can lead to the exposure of personal information, financial data, or the reception of misleading and untrustworthy information.
  • Brand Reputation Damage: Organizations may face reputational damage if their customers unknowingly access malicious websites that imitate their legitimate platforms, leading to compromised data or financial losses.

Detecting and Mitigating DNS Poisoning Attacks

Detecting and mitigating DNS spoofing attacks is crucial to ensuring online security. While there are various security solutions available, it is essential to understand the techniques and best practices that can help identify and counter DNS poisoning attacks. Here are some effective strategies:

  • DNSSEC Implementation: DNS Security Extensions (DNSSEC) add origin authentication to DNS responses. Zone operators digitally sign their DNS records, and a validating resolver checks those signatures before caching an answer, so a forged record without a valid signature is rejected rather than cached. DNSSEC only helps where the zone is signed and the resolver actually validates.
  • Regular DNS Monitoring: Organizations should proactively monitor their DNS infrastructure for any signs of poisoning attacks. This involves analyzing DNS traffic patterns, monitoring DNS cache contents, and utilizing intrusion detection systems (IDS) or security information and event management (SIEM) solutions to identify suspicious activities.
  • DNS Firewall Protection: Deploying a DNS firewall can help block malicious DNS requests and prevent DNS poisoning of caches. DNS firewalls use threat intelligence, reputation-based filtering, and behavioral analysis to identify and block DNS requests associated with known malicious domains or suspicious behavior.
  • Encrypted DNS (DoT/DoH): Encrypted DNS protocols such as DNS over TLS (DoT) and DNS over HTTPS (DoH) provide an additional layer of security by encrypting DNS traffic between clients and DNS resolvers. This prevents an on-path attacker from eavesdropping on or tampering with that hop; it does not protect the resolver's own queries to authoritative servers, which is where DNSSEC applies.
  • Regular Security Audits: Conducting regular security audits of DNS infrastructure helps identify vulnerabilities and ensure proper configuration. This includes reviewing DNS server settings, access controls, and applying necessary patches and updates to mitigate potential security risks.

By implementing these strategies and staying vigilant, organizations can significantly reduce the risk of DNS poisoning attacks and protect their online presence and sensitive information.
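The "Regular DNS Monitoring" item above is easiest to act on with the resolver's own answer logs. The following added example (not SafeDNS code; the log format, the baseline and every host name and address are constructed) parses a batch of answer lines and raises two signals: answers that disagree with the zone's authoritative data, and a single unexpected address that suddenly answers for several distinct names, which is characteristic of a poisoned cache rather than of a legitimate migration.

```python
"""Offline check of resolver answer logs for signs of cache poisoning. Added
illustration, not SafeDNS code: the log format (timestamp, client, qname,
qtype, answer) and all hosts, names and addresses below are constructed."""
from collections import defaultdict

# Constructed sample: three internal names that suddenly all resolve to the
# same unfamiliar address from 09:02 onward.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.21 login.example.gov A 198.51.100.12
2024-05-01T09:00:05Z 10.0.0.33 portal.example.gov A 198.51.100.20
2024-05-01T09:00:07Z 10.0.0.21 mail.example.gov A 198.51.100.25
2024-05-01T09:00:09Z 10.0.0.40 status.example.gov A 198.51.100.30
2024-05-01T09:02:11Z 10.0.0.45 login.example.gov A 203.0.113.77
2024-05-01T09:02:13Z 10.0.0.45 portal.example.gov A 203.0.113.77
2024-05-01T09:02:19Z 10.0.0.52 mail.example.gov A 203.0.113.77
"""

# Expected answers, e.g. exported from the authoritative zone file.
BASELINE = {
    "login.example.gov": {"198.51.100.12"},
    "portal.example.gov": {"198.51.100.20"},
    "mail.example.gov": {"198.51.100.25"},
    "status.example.gov": {"198.51.100.30"},
}


def parse_log(text):
    """Return one dict per A-record answer line; other record types are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "A":
            continue
        ts, client, qname, _, answer = parts
        records.append({"ts": ts, "client": client, "qname": qname, "answer": answer})
    return records


def baseline_deviations(records, baseline):
    """Answers that disagree with the zone's own data: the direct signal."""
    return [(r["ts"], r["qname"], r["answer"]) for r in records
            if r["qname"] in baseline and r["answer"] not in baseline[r["qname"]]]


def shared_sink_addresses(records, baseline, min_names=3):
    """Addresses outside the baseline that answer for several distinct names.
    One unexpected IP collecting many unrelated names points to a poisoned
    cache or a hijacked resolver rather than to a legitimate migration."""
    names_by_ip = defaultdict(set)
    for r in records:
        if r["answer"] not in baseline.get(r["qname"], set()):
            names_by_ip[r["answer"]].add(r["qname"])
    return {ip: sorted(names) for ip, names in names_by_ip.items()
            if len(names) >= min_names}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ts, name, ip in baseline_deviations(recs, BASELINE):
        print(f"{ts} {name} answered {ip}, not in baseline")
    print("shared sinks:", shared_sink_addresses(recs, BASELINE))
```

In practice the baseline would be refreshed from the signed zone or from a DNSSEC-validating resolver, and the two signals would feed the SIEM rule set rather than stdout; the point is that poisoning shows up as a change in answers, so the answers are what need to be logged and compared.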

Safeguarding DNS Infrastructure with Secure Practices

In addition to specific techniques for detecting and mitigating DNS poisoning attacks, there are general best practices to safeguard DNS infrastructure. Consider the following security protocols.

  • Implement Access Controls: Restrict access to DNS servers by allowing only authorized personnel to make changes to DNS configurations. Enforce strong authentication measures, including two-factor authentication (2FA) or multi-factor authentication (MFA).
  • Regularly Patch and Update: Keep DNS servers and associated software up to date with the latest security patches and updates. Promptly address any known vulnerabilities to minimize the risk of exploitation.
  • Employ Network Segmentation: Separate DNS servers from other critical infrastructure by implementing network segmentation. This prevents unauthorized access or lateral movement in case of a security breach.
  • Backup and Recovery: Regularly back up DNS configurations and zone files. In the event of a DNS cache poisoning attack, having recent backups ensures quick recovery and reduces the impact on DNS services.
  • Continuous Staff Training: Provide ongoing training to IT staff and employees to educate them about DNS poisoning attacks, phishing techniques, and general cybersecurity practices. Encourage reporting of suspicious activities to facilitate early detection and response. Consider SafeDNS cybersecurity awareness training to equip employees with the knowledge and skills needed to identify and respond to potential security risks.

Conclusion

DNS poisoning attacks pose a significant threat to online security, but with the right strategies and practices in place, organizations can detect and mitigate these attacks effectively. By implementing DNSSEC, monitoring DNS traffic, utilizing DNS firewalls, and practicing secure DNS infrastructure management, organizations can safeguard their online presence and protect sensitive information. Employing these techniques, along with regular security audits and staff training, will contribute to a robust defense against DNS poisoning attacks.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SafeDNS

SafeDNS breathes to make the internet safer for people all over the world with solutions ranging from AI & ML-powered web filtering, cybersecurity to threat intelligence. Moreover, we strive to create the next generation of safer and more affordable web filtering products. Endlessly working to improve our users’ online protection, SafeDNS has also launched an innovative system powered by continuous machine learning and user behavior analytics to detect botnets and malicious websites.

How To Implement Zero Trust for State & Local Governments

In the digital age, cyber threats loom larger than ever. State and local governments are not immune, often targeted due to their troves of sensitive data and critical infrastructure. Recent incidents, such as the ransomware attack on Oakland, California’s government systems, and the cyber intrusion in Curry County, Oregon, are stark reminders of this emerging reality. Add to this a litany of attacks on other US state and federal agencies, and it becomes clear: cybersecurity is not a luxury but an absolute necessity.

Cyber threats are no longer isolated incidents; they are constant and evolving, probing for weaknesses in our security architecture. As the saying goes, it’s not a matter of if a cyber attack will occur but when. Against this backdrop, a new security approach has emerged from the smoke of the digital battlefield known as Zero Trust.

With its mantra of “Never trust, always verify,” Zero Trust operates under the assumption that threats can come from anywhere — both outside and within an organization’s network. In contrast to traditional security models, which heavily invest in establishing a secure perimeter, Zero Trust focuses on securing data and services directly. Achieving Zero Trust isn’t just a step forward; it’s a leap toward a secure future where data breaches and system compromises are reduced to a minimum.

Today, we will guide you through both understanding and how to implement zero trust in state and local governments. Whether you’re a government executive, a cybersecurity officer, or a concerned citizen, understanding Zero Trust is the first step in fortifying our government’s digital infrastructure against the burgeoning tide of cyber threats. So, let’s dig in and explore how we can turn these principles into practice.

Understanding Zero Trust

Definition and Principles of Zero Trust

Zero Trust is a security model pivoting on the belief that no user or device, inside or outside the network, should be trusted by default. This concept dismantles the outdated idea of a secure perimeter, replacing it with robust mechanisms to secure data and services directly.

Zero Trust is built upon a set of key principles:

  1. It treats all resources as external and available over the untrusted network. This means that the traditional distinction between internal and external networks evaporates.
  2. Zero Trust identifies and verifies every user and device trying to access resources on the network, regardless of their location or role.
  3. It operates on a least-privilege strategy, ensuring that every user, device, or application has only the bare minimum permissions necessary to perform their functions.

Key Components of Zero Trust Architecture

For a state or local government to implement Zero Trust, they need to focus on five core components:

  1. Identity Verification: With Zero Trust, every user is a potential threat, so their identities must be consistently verified. This can be accomplished using multi-factor authentication (MFA), biometrics, or smart cards.
  2. Device Authentication: Similar to user authentication, all devices attempting to access the network must also be authenticated. This ensures that only devices compliant with security standards are granted access.
  3. Micro-segmentation: This involves dividing the network into small, isolated segments to limit the lateral movement of potential threats. Micro-segmentation reduces the risk of a system-wide breach, confining any damage to isolated pockets of the network.
  4. Least-Privilege Access: Zero Trust calls for limiting user and device permissions to the absolute minimum required to fulfill their roles. This restricts the amount of damage an attacker could inflict if they were to compromise a user or device. Network access controls play a critical role here.
  5. Continuous Monitoring and Analytics: Even after verification and authorization, Zero Trust assumes the possibility of threats. Hence, continuous network traffic monitoring and real-time analytics are crucial for detecting and mitigating potential breaches.

Remember, the journey to a Zero Trust architecture is an evolution, not a one-off project. Start small, define your security parameters and network access controls, and gradually extend them across your organization. This framework not only fortifies your government’s digital infrastructure but also ensures the safety and privacy of the citizens you serve.

Benefits of Zero Trust for State and Local Governments

Implementing a Zero Trust security model can offer a multitude of benefits for state and local governments. Here are some of the most impactful advantages:

  • Enhanced Data Security: By verifying every user and device, zero trust reduces the risk of data breaches. By assigning minimum permissions, even if an attacker compromises a user or device, they have limited access.
  • Improved Visibility: Zero Trust provides a holistic view of the entire digital ecosystem, enabling IT departments to monitor and manage all activities within their network more effectively.
  • Mitigation of Insider Threats: Zero Trust assumes threats can originate from anywhere, including inside the network. By adopting this model, governments can proactively detect and handle potential insider threats. And remember, insider threats aren’t always about a disgruntled employee going rogue – sometimes, it’s well-meaning employees acting irresponsibly or carelessly.
  • Flexibility and Scalability: Zero Trust is adaptable to changing network environments, making it ideal for government entities that need to scale up or adapt their security in line with evolving digital transformation strategies.
  • Reduced Attack Surface: Through micro-segmentation, Zero Trust limits the damage of a potential breach to confined network segments, reducing the overall attack surface.
  • Compliance Assurance: Zero Trust can help governments comply with stringent data protection regulations and standards, such as GDPR, HIPAA, and NIST.
  • Improved User Experience: With identity and access management central to Zero Trust, users enjoy secure access to the resources they need from any device or location, improving overall productivity and satisfaction.
  • Cost Efficiency: By preventing data breaches and minimizing damage, Zero Trust could save state and local governments a significant amount in remediation costs.

Assessing the State of State & Local Government Cybersecurity

While cybersecurity should be a priority for all organizations, it’s especially critical for state and local governments due to their handling of lucrative data.

Recent Cyber Attacks on State and Local Governments

State and local governments have become prime targets for cyber attacks, jeopardizing critical infrastructure, sensitive data, and public trust. In recent years, several high-profile incidents have highlighted the urgent need for robust cybersecurity measures. Examining these attacks sheds light on the devastating consequences and underscores the importance of implementing effective security strategies.

Curry County, Oregon Ransomware Attack

In a chilling demonstration of the vulnerability of state and local governments, Curry County, Oregon fell victim to a ransomware attack in April 2023. Bad actors infiltrated the county’s network and encrypted critical systems, effectively rendering them inaccessible. While the county still had control over 911 dispatch calls and the local election, the attack impacted every other part of government operations[1].

Oakland, California Cyber Attack

On April 27th, the city of Oakland announced that it had been hit with a ransomware attack. The attack affected the city’s email systems, phone lines, and some of its websites. It did not affect the city’s emergency services, but it caused significant disruptions to non-emergency services.

Although the ransom demand was not disclosed, the city stated it would not pay it. Instead, they worked with law enforcement and cybersecurity experts to investigate the attack and restore their systems. The city also urged residents to be cautious of potential scams and phishing attempts that might arise as a result of the attack.

Atlanta, Georgia Cyber Attack

In March 2018, the city of Atlanta, Georgia, fell victim to a massive cyber attack that crippled its operations for weeks. The attackers employed ransomware, infecting numerous systems and encrypting critical data, including police and court records. The incident led to widespread service disruptions, financial losses, and a severe blow to the city’s reputation.

Baltimore, Maryland Ransomware Attack

In May 2019, Baltimore, Maryland, suffered a devastating ransomware attack that targeted the city’s government systems. The attackers exploited a vulnerability in the city’s network and encrypted crucial data, paralyzing many municipal services. The incident had severe repercussions, causing substantial financial losses, service disruptions, and compromising sensitive citizen information.

These attacks are stark reminders of the significant threats facing state and local governments in the digital age. The ramifications extend beyond financial losses and operational disruptions, impacting public safety, critical services, and citizen trust.

Vulnerabilities and Challenges Faced by State and Local Governments

  • Outdated Systems: Many government agencies rely on legacy systems no longer supported by vendors, exposing them to unpatched security flaws. For instance, the 2017 WannaCry ransomware attack exploited a weakness in older Windows systems that many organizations still use.
  • Insider Threats: Whether it’s intentional malicious activity or unintentional mistakes, insider threats pose a significant challenge. Employees or contractors with access to sensitive data can be exploited by cybercriminals or could unknowingly cause a data breach.
  • Lack of Cybersecurity Awareness: Many breaches occur due to employees clicking on malicious links or falling victim to phishing attacks. Without proper cybersecurity education and training, employees remain an easy target for attackers.
  • Resource Constraints: Often, government entities struggle with budget limitations and a lack of specialized personnel, making it challenging to maintain an up-to-date, robust cybersecurity infrastructure.
  • Interconnected Systems: Government entities often need to interact with various other systems, such as federal databases or those of other municipalities. These interconnections can create security vulnerabilities if not properly managed and protected.
  • Physical Security Breaches: Physical breaches, such as unauthorized access to data centers or theft of devices, can lead to significant security risks. These risks are exacerbated if the stolen devices contain unencrypted data or have logged-in sessions to critical systems.
  • Supply Chain Attacks: Cybercriminals can compromise a government’s supply chain, infecting software or hardware before it even reaches the government network. The 2020 SolarWinds attack is a prime example, where sophisticated attackers compromised the software update process to infiltrate numerous organizations.
  • Emerging Technologies: Adopting emerging technologies like IoT, AI, and 5G brings new vulnerabilities. For instance, insecure IoT devices can provide an easy entry point for attackers into the network.

The Need for Enhanced Cybersecurity Measures

In light of these vulnerabilities, there’s a pressing need for state and local governments to upgrade their cybersecurity measures. Traditional perimeter-based security models are no longer enough. Given the evolving threat landscape, a proactive approach is required, and that’s where Zero Trust comes into play.

Zero Trust provides an enhanced security framework that addresses many of these vulnerabilities. It bolsters defenses against both external and insider threats, limits the potential damage from a breach through micro-segmentation, and adapts to the changing needs of the organization. Combining robust identity verification, least-privilege access, and continuous monitoring is a significant step toward a more secure future for state and local governments.

While implementing Zero Trust can be complex, its benefits far outweigh the investment. In the fight against cybercrime, state and local governments can’t afford to be left behind.

The State and Local Government Cybersecurity Act of 2021: A Comprehensive Overview

The State and Local Government Cybersecurity Act of 2021 is a landmark piece of legislation aimed at bolstering cybersecurity defenses across state and local government entities.

What is it?

This groundbreaking act represents a commitment to address cyber threats head-on. It establishes a framework for federal agencies like the Department of Homeland Security (DHS) to collaborate with state and local governments, providing vital resources, guidance, and information sharing. The act seeks to boost cybersecurity resilience through improved education, technical tools, and enhanced defensive measures.

What Impact Will It Have?

The potential impact of this act is vast and multifaceted. It provides critical resources to governments that often struggle with budget constraints and outdated systems, enabling them to upgrade their cybersecurity infrastructure. By fostering greater cooperation and information sharing between federal and local entities, the act allows for more coordinated responses to cyber threats. Moreover, the focus on education and training resources will help build a more cyber-literate workforce, mitigating the risk of breaches caused by human error.

How Does it Align With Zero Trust?

The act’s emphasis on collaboration, information sharing, and upgrading cybersecurity infrastructure lays the foundation for implementing a Zero Trust model. The increased resources provided by the act can assist governments in adopting crucial elements of Zero Trust, such as multi-factor authentication, micro-segmentation, and continuous monitoring.

In essence, this legislation represents an important step in reimagining our approach to cybersecurity, moving from static defenses to a dynamic and proactive strategy.

How to Implement Zero Trust

Step 1: Assemble a Focused Zero-Trust Task Force

The journey toward Zero Trust requires focused attention and dedicated resources. Instead of making the “transition to Zero Trust” an afterthought or a secondary task for your IT department, form a specialized team responsible for strategizing and executing the Zero Trust transformation. You can also engage a third-party company to act as this Zero Trust Task Force if you lack the in-house talent (many state and federal agencies do due to the cybersecurity skills shortage).

This task force should comprise experts from key areas that align closely with the foundational pillars of Zero Trust:

  1. Application and Data Security: Individuals from these teams understand where critical data resides and how it’s accessed, making them essential for defining and protecting your sensitive data assets.
  2. Network and Infrastructure Security: These team members can leverage their understanding of your network’s architecture to facilitate micro-segmentation and prevent lateral movement of threats within your network.
  3. User and Device Security: Representatives from this area ensure all users and devices are adequately authenticated and have appropriate levels of access, crucial components of the “never trust, always verify” principle.

In addition to these core areas, your Zero Trust task force should also include representatives from security operations, particularly those from the security operations center, and risk management. Their collective insight will be instrumental in monitoring the Zero Trust environment, identifying potential threats, and assessing the effectiveness of the implemented measures.

Remember, implementing Zero Trust isn’t a side project—it’s a significant shift in your security posture that demands dedicated resources and expertise. By assembling a focused task force, you can ensure your move toward Zero Trust is strategically planned, effectively implemented, and continuously monitored.

Step 2: Define the Attack Surface

The next step in implementing a Zero Trust model within state and local governments involves defining the attack surface. This process uncovers the landscape that needs defending from cyber threats. Let’s break it down into four key areas:

  1. Sensitive Data: Identify where sensitive data resides across your digital infrastructure. This could include databases containing personally identifiable information (PII), financial details, healthcare records, or law enforcement data. It’s crucial to pinpoint all storage and transit paths of this data to protect it from potential breaches.
  2. Critical Applications: Your organization’s mission-critical applications—like those used for public services, financial management, or law enforcement activities—are lucrative targets for attackers. It’s essential to know where these applications are hosted, how they interact with other systems, and who has access to them. Rigorous access control and monitoring are key to securing these applications.
  3. Physical Assets: While focusing on the digital sphere, don’t neglect your physical assets. These include data centers, networking equipment, servers, and even individual workstations and mobile devices. An unauthorized individual gaining physical access to these assets could bypass many digital security measures. Zero Trust mandates verification at every layer, including physical access.
  4. Corporate Services: Often, common corporate services, like email systems or intranets, can be an entry point for cyber threats. Any service that requires user authentication and interacts with your network can be exploited. Applying Zero Trust principles to these services means consistently verifying users, even if they are on your internal network.

Step 3: Evaluating the Security Landscape

A clear understanding of your existing security framework simplifies the implementation of a Zero Trust approach. As you assess your environment, consider the following points:

  1. Locate the Security Controls: Identify where your security controls are distributed across your infrastructure. In the network sphere, these controls could be firewalls, web application gateways, and similar systems. From user/identity perspectives, controls might involve endpoint security systems like Endpoint Detection and Response (EDR), or Extended Detection and Response (XDR), and Identity Access Management (IAM). In applications and data, controls might be container security, Data Loss Prevention (DLP), microservices authorization, and others.
  2. Assess the Effectiveness of Controls: Evaluate whether these controls provide dynamic, granular, end-to-end trust frameworks independent of outdated classifications. Traditional tools like firewalls often aren’t as granular, dynamic, or comprehensive, and rely on outdated categorizations like “outside = bad” and “inside = good.”
  3. Identify Knowledge Gaps: Determine what you don’t know. Achieving granular access to data is impossible without understanding its security classification. Unclassified data signals a knowledge gap that needs attention when moving toward a Zero Trust model.

Step 4: Exploring Available Technology

While conducting your assessment or immediately after, it’s important to explore and understand the burgeoning technologies available to support your Zero Trust initiative. The landscape of cybersecurity tools and solutions is rapidly evolving, and several of these advancements can play a pivotal role in bolstering your Zero Trust architecture.

Next-generation networking equipment, for instance, offers a host of advanced capabilities that can be integral to your Zero Trust journey:

  1. Microsegmentation: This technique divides your network into multiple isolated segments or zones, each with its own set of access controls. This way, if one segment is compromised, the impact is limited, and the threat is less likely to spread to other areas of your network.
  2. Virtual Routing: This method allows you to control the traffic flow on your network, routing data packets based on predefined rules and conditions. This granular control over network traffic further enhances security and allows for more precise implementation of access policies.
  3. Stateful Session Management: This technology keeps track of all active connections in your network, providing real-time visibility and control. If a session exhibits suspicious behavior, it can be immediately terminated, limiting potential damage.

Identity Access Management (IAM) solutions are also becoming more refined, providing dynamic and granular control over who has access to what. Capabilities like risk-based authentication, contextual access policies, and real-time access management can help ensure that every user’s access rights align with their role and current context.

By leveraging these cutting-edge technologies, you can add a layer of sophistication to your Zero Trust strategy, making your government network more secure, responsive, and agile.

Step 5: Implementing the Principle of Least Privilege (PoLP)

Simply put, this principle restricts user and system access rights to the bare minimum necessary to complete a specific task. In other words, it’s about giving just enough access to get the job done and nothing more. This approach significantly reduces the attack surface and limits the potential damage from security breaches.

For human users, this may look like the following:

  • Consider a local government clerk who needs access to citizen records to process a public service request. Their permissions should be precisely defined only to allow viewing of necessary documents. They should not be able to modify, delete, or access unrelated records. By applying PoLP, even if their credentials are compromised, the potential damage is significantly limited.
  • A system administrator might require wide-ranging access to perform their duties. Still, this should be tightly controlled with high-level monitoring and the use of temporarily elevated access privileges when necessary to avoid persistent high-level access that malicious actors could exploit.

For non-human resources such as applications, systems, devices, and processes, PoLP takes a similar approach:

  • An email server, for example, might need to read and deliver incoming messages but does not need permission to delete databases or modify other servers. By restricting the server’s privileges, you can minimize potential damage if a cybercriminal exploits it.
  • A payment processing application may need access to sensitive financial data. Still, it should be limited to interacting only with the necessary databases and kept separate from unrelated systems to prevent unauthorized access or lateral movement in case of a breach.

Implementing the Principle of Least Privilege is not just a one-time action but a continuous process. It requires regular audits and adjustments to ensure that access permissions remain aligned with job requirements and organizational changes.
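The clerk and sysadmin cases in Step 5 translate directly into an authorization policy. The following added example (not code from the article or from any named product; the roles, permission tuples, departments and the `CHG-1234` ticket are constructed) denies by default, scopes each role's standing rights to the principal's own department, and grants the administrator's wider access only as a time-boxed elevation tied to a ticket, which expires without anyone having to remember to revoke it.

```python
"""Least-privilege access decisions with time-limited elevation. Added
illustration, not code from the article or any named product: the roles,
permission tuples, departments and ticket IDs are constructed for the
clerk and sysadmin cases described in Step 5."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# A permission is (resource kind, action). Standing grants are deliberately
# thin; anything beyond them must be requested per task.
ROLE_PERMISSIONS = {
    "clerk": {("citizen_record", "read")},
    "records_manager": {("citizen_record", "read"), ("citizen_record", "update")},
    "sysadmin": {("server", "read")},
}

# Fixed clock for the worked scenario (constructed).
T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)


def at(minutes):
    """Instant `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class Principal:
    name: str
    role: str
    department: str
    # (permission, expires_at, change ticket) granted just-in-time
    elevations: list = field(default_factory=list)


@dataclass(frozen=True)
class Resource:
    kind: str
    department: str


def grant_elevation(principal, permission, ticket, now, minutes=60):
    """Time-boxed elevation tied to a ticket, instead of a standing admin right."""
    principal.elevations.append((permission, now + timedelta(minutes=minutes), ticket))


def is_allowed(principal, action, resource, now):
    """Return (decision, reason). Deny is the default; every allow names its basis."""
    perm = (resource.kind, action)
    # Drop expired elevations on every decision so privilege cannot linger.
    principal.elevations = [e for e in principal.elevations if e[1] > now]
    for granted, expires_at, ticket in principal.elevations:
        if granted == perm:
            return True, f"elevation {ticket} until {expires_at.isoformat()}"
    if perm in ROLE_PERMISSIONS.get(principal.role, set()):
        # Standing role rights are scoped to the principal's own department.
        if resource.department == principal.department:
            return True, f"role {principal.role} in {principal.department}"
        return False, "resource belongs to another department"
    return False, f"role {principal.role} has no standing right to {perm}"


if __name__ == "__main__":
    clerk = Principal("a.clerk", "clerk", "public_services")
    record = Resource("citizen_record", "public_services")
    print(is_allowed(clerk, "read", record, T0))
    print(is_allowed(clerk, "update", record, T0))
    admin = Principal("s.admin", "sysadmin", "it")
    web = Resource("server", "it")
    print(is_allowed(admin, "configure", web, T0))
    grant_elevation(admin, ("server", "configure"), "CHG-1234", T0, minutes=30)
    print(is_allowed(admin, "configure", web, at(29)))
    print(is_allowed(admin, "configure", web, at(31)))
```

Returning the reason alongside the decision is what makes the "regular audits" mentioned above practical: every allow can be logged with the role or ticket that justified it, and a review that finds allows with no matching ticket has found standing privilege to remove.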

Step 6: Strengthening Network Access Control

Taking it a step further, we have comprehensive Network Access Control (NAC). A central aspect of implementing Zero Trust lies in fortifying your network access controls. NAC is a security solution that dictates who or what can access your network and to what extent. It verifies the security status and user credentials of every device trying to connect to your network, effectively enforcing the “never trust, always verify” principle of Zero Trust at the network level.

When implemented correctly, NAC can prevent unauthorized access, contain potential threats, and maintain the overall integrity of your network.

Let’s take a broad view of the kinds of technologies that underpin Network Access Control (NAC) solutions:

  1. Authentication Servers: These systems verify the identity of users or devices trying to access the network. They often integrate with existing identity solutions, like Active Directory or LDAP, to validate credentials and enforce authentication policies.
  2. Policy Servers: These systems make decisions about access based on predefined rules. They consider factors like the user’s role, the device type, and the network location to determine the level of access granted.
  3. Enforcement Points: These are network devices like routers, switches, or firewalls that carry out the decisions of the policy server. They can block access, redirect traffic, or apply certain restrictions based on the policies defined.
  4. Endpoint Assessment Technology: These tools inspect devices before they connect to the network to ensure they meet your organization’s security standards. They can check for updated antivirus software, specific security configurations, or the absence of prohibited software.
  5. Network Security Platforms: These comprehensive solutions often combine several of the above elements into a single package. They can provide capabilities like intrusion prevention, web filtering, and threat intelligence, all of which help enhance the overall security posture of your network.

Step 7: Creating a Zero Trust Policy

Once you’ve laid the groundwork by architecting your network, the next critical step in your Zero Trust journey is to design your Zero Trust policies. These policies serve as the guiding principles for access decisions, defining who can access what, under what circumstances, and how such access is granted.

To do this effectively, you can leverage a time-tested approach known as the Kipling Method. Rooted in the six fundamental questions – who, what, when, where, why, and how – this method provides a comprehensive framework for access decisions.

  1. Who: Identify the individual or system attempting to gain access. This could be a government employee, an automated process, or an external contractor. Identity verification is crucial to ensure that the entity seeking access is legitimate.
  2. What: Determine the resources or data the user or system is attempting to access. For example, a tax department officer may require access to a citizen’s income details but should not have access to unrelated health records.
  3. When: Set policies regarding when access is granted. This could involve time-bound access privileges. For instance, access to certain sensitive systems might only be given during regular business hours unless there is an emergency.
  4. Where: Consider the location from which the request is being made. A login attempt from an unfamiliar location may require additional security checks.
  5. Why: Understand the purpose behind the access request. For example, an IT engineer performing routine maintenance has a valid reason to access server data, whereas the same request from an administrative employee would be unusual and should be treated as such.
  6. How: Examine the method by which the user or system attempts to access the network. This includes the type of device being used and the security posture of that device.

By systematically answering these questions for every user, device, and network attempting to gain access, you can create robust Zero Trust policies that provide granular, context-aware access control.
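The following is an added illustration of how Steps 5, 6 and 7 fit together in one policy decision point: a least-privilege permission matrix with just-in-time elevation (Step 5), a device posture check of the kind a NAC enforcement point would apply (Step 6), and the six Kipling questions evaluated in order (Step 7). It is not code from the original article or from any NAC product; the roles, resources, ticket prefixes, posture fields and decision labels are all hypothetical, and authentication of the subject is assumed to have happened upstream.

```python
"""Zero Trust policy decision point built on the Kipling method.

Added illustration, not code from the original article or from any NAC vendor.
Roles, resources, ticket prefixes, posture fields and decision strings are all
hypothetical; authentication of the subject is assumed to happen upstream.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, Optional, Set, Tuple

# Least-privilege matrix: role -> resource -> actions. A clerk may only read
# citizen records; an admin's standing right is read-only, and "modify" exists
# solely as a just-in-time elevation that expires (see Request.elevated_until).
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "clerk":       {"citizen_records": {"read"}},
    "tax_officer": {"income_details": {"read"}},
    "it_admin":    {"server_data": {"read"}},
}
ELEVATABLE: Dict[str, Dict[str, Set[str]]] = {"it_admin": {"server_data": {"modify"}}}

SENSITIVE = {"income_details", "server_data"}      # business hours only, unless an incident
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
TRUSTED_LOCATIONS = {"office", "vpn"}
REQUIRED_POSTURE = ("disk_encrypted", "edr_running", "patched")
CHANGE_TICKETS = ("CHG-", "INC-")                  # hypothetical ticket prefixes

# Constructed sample inputs, reused by the demo below.
SAMPLE_NOON = datetime(2024, 3, 5, 12, 0)          # a Tuesday
SAMPLE_NIGHT = datetime(2024, 3, 5, 23, 0)
HEALTHY_DEVICE = {"disk_encrypted": True, "edr_running": True, "patched": True}


@dataclass(frozen=True)
class Request:
    who: str                          # authenticated subject
    role: str
    what: str                         # resource
    action: str                       # read / modify / delete
    when: datetime
    where: str                        # network location label from the NAC
    why: str                          # stated purpose or ticket reference
    how: Dict[str, bool] = field(default_factory=dict)  # device posture claims
    elevated_until: Optional[datetime] = None            # JIT elevation expiry


def decide(req: Request) -> Tuple[str, str]:
    """Answer all six Kipling questions; return (effect, reason).

    effect is one of allow, deny, step_up, quarantine. Hard denials come
    first so that a request never gets a posture or MFA prompt it could not
    pass anyway; only a request that survives every question is allowed.
    """
    # Who: the subject must carry a role we know how to authorize.
    if req.role not in ROLE_PERMISSIONS:
        return "deny", "unknown role"

    # What: least privilege. Standing rights, plus JIT rights only while the
    # elevation is still valid at the moment of the request.
    allowed = set(ROLE_PERMISSIONS[req.role].get(req.what, set()))
    if req.elevated_until is not None and req.when < req.elevated_until:
        allowed |= ELEVATABLE.get(req.role, {}).get(req.what, set())
    if req.action not in allowed:
        return "deny", f"{req.role} may not {req.action} {req.what}"

    # When: sensitive resources are reachable in business hours only, unless
    # the request is tied to an incident.
    in_hours = req.when.weekday() < 5 and BUSINESS_START <= req.when.time() < BUSINESS_END
    if req.what in SENSITIVE and not in_hours and not req.why.startswith("INC-"):
        return "deny", "outside business hours without an incident reference"

    # Why: every change must be traceable to a change or incident ticket.
    if req.action in {"modify", "delete"} and not req.why.startswith(CHANGE_TICKETS):
        return "deny", "change request without a ticket reference"

    # How: device posture, as a NAC would assess it before admitting the device.
    missing = [k for k in REQUIRED_POSTURE if not req.how.get(k, False)]
    if missing:
        return "quarantine", "device posture failed: " + ", ".join(missing)

    # Where: an unfamiliar location is not a denial, but it demands a stronger factor.
    if req.where not in TRUSTED_LOCATIONS:
        return "step_up", "unfamiliar location, MFA required"

    return "allow", "all six questions satisfied"


if __name__ == "__main__":
    print(decide(Request("a.clerk", "clerk", "citizen_records", "read", SAMPLE_NOON,
                         "office", "service request 4411", HEALTHY_DEVICE)))
    print(decide(Request("j.admin", "it_admin", "server_data", "modify", SAMPLE_NOON,
                         "vpn", "CHG-2291", HEALTHY_DEVICE)))   # no elevation: deny
    print(decide(Request("j.admin", "it_admin", "server_data", "modify", SAMPLE_NOON,
                         "vpn", "CHG-2291", HEALTHY_DEVICE,
                         elevated_until=SAMPLE_NOON.replace(hour=13))))
```

The ordering matters in practice: evaluating posture before location means a non-compliant device is quarantined rather than being prompted for MFA, and checking the permission matrix first means an attacker with stolen clerk credentials is refused a "delete" outright, whatever device or location they use.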

Final Thoughts

With escalating cybersecurity threats and evolving attack strategies, Zero Trust is one of our most potent defenses. From defining the attack surface to formulating robust policies and leveraging advanced technologies, each step strengthens our digital fortresses. It is an ongoing journey that demands commitment, agility, and precision. As we move forward in the Zero Trust journey, we are not just fortifying our networks but safeguarding the foundations of our democratic institutions.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Portnox

Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

Server monitoring and inventory management: API in action

Integria IMS has a history going back several years. It was developed by Pandora FMS, the well-known software company based in Spain. Today, Integria IMS is a mature tool with extensive global experience, and together with Pandora FMS it covers the monitoring of servers, applications and networks.

External API and automation with Pandora FMS

Both products are standalone; however, Integria IMS can be integrated into Pandora FMS, allowing you to leverage their combined power. 

Application Programming Interface

This technology, better known by the acronym API, is what enables communication between Integria IMS and Pandora FMS, and between either of them and third-party applications.

Calls authenticate with user credentials, both for data queries and for write actions such as creating tasks or incidents.

Since security is a fundamental aspect, the API adds two further measures against brute-force attacks, that is, repeated attempts to guess usernames and passwords. The first is a dedicated API password that must be set before the API can be used at all, and presented with every request in addition to the user's credentials.

The second and most important measure is the ability to define a list of IP addresses authorized to use the API. Any request arriving from an address outside this list is discarded immediately, so an attacker who is not on the list never gets the chance to guess credentials.
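As an added example of the two measures just described (not Integria IMS or Pandora FMS code), the gatekeeper below applies the IP allow-list before it ever compares the API password, and compares the password in constant time. The function names, the handling of the X-Forwarded-For header and the sample addresses are assumptions; the practical point is that the allow-list must be checked against the address the connection actually came from, not against a header a remote caller can forge.

```python
"""Gatekeeper for an automation API: IP allow-list first, then API password.

Added example reconstructing the two brute-force measures the article
describes; it is not Integria IMS or Pandora FMS code, and the function names,
header handling and sample addresses are assumptions.
"""
import hmac
import ipaddress
from typing import Iterable, Mapping, Tuple

# Constructed allow-list: one automation host and the monitoring server subnet.
API_ALLOWLIST = ("10.0.5.20/32", "192.168.40.0/24")
# Dedicated API password, presented in addition to user credentials. In a real
# deployment it is loaded from a secret store, never hard-coded.
API_PASSWORD = "s3cr3t-api-pass"


def client_ip(remote_addr: str, headers: Mapping[str, str],
              trusted_proxies: Iterable[str] = ()) -> str:
    """Pick the address the allow-list is checked against.

    X-Forwarded-For is attacker-supplied unless the TCP peer is a proxy we
    trust, so it is honoured only in that case; otherwise the transport
    address wins. Spoofing the header from the Internet then gains nothing.
    """
    peer = ipaddress.ip_address(remote_addr)
    if any(peer in ipaddress.ip_network(p, strict=False) for p in trusted_proxies):
        forwarded = headers.get("X-Forwarded-For", "")
        if forwarded:
            return forwarded.split(",")[0].strip()   # original client, per the proxy
    return remote_addr


def authorize(remote_addr: str, headers: Mapping[str, str], presented_pass: str,
              allowlist: Iterable[str] = API_ALLOWLIST,
              trusted_proxies: Iterable[str] = ()) -> Tuple[bool, str]:
    """Return (authorized, reason).

    The allow-list runs first: a request from outside it is discarded before
    any password is compared, so outsiders cannot even attempt to guess it.
    The password comparison is constant-time to avoid timing leaks.
    """
    try:
        ip = ipaddress.ip_address(client_ip(remote_addr, headers, trusted_proxies))
    except ValueError:
        return False, "malformed source address"
    if not any(ip in ipaddress.ip_network(n, strict=False) for n in allowlist):
        return False, "source address not in API allow-list"
    if not hmac.compare_digest(presented_pass.encode(), API_PASSWORD.encode()):
        return False, "bad API password"
    return True, "ok"


if __name__ == "__main__":
    print(authorize("10.0.5.20", {}, API_PASSWORD))
    print(authorize("203.0.113.7", {"X-Forwarded-For": "10.0.5.20"}, API_PASSWORD))
```

With this ordering, the only hosts that can ever submit a password guess are the ones on the allow-list, which is what turns a password check into a meaningful brute-force control.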

Decreasing repetitive tasks

The main advantage of using the API in both systems is the automation of routine tasks that must be performed dozens or even thousands of times. This lets staff focus on the work that really matters, such as giving customers personalized responses or designing the processes by which tickets are closed, collected and classified.

Deadline compliance

Another important advantage is the ability to schedule automatic actions for certain dates, even at the most favorable times. For example, you can schedule instructions to be sent to the API during lower workload hours, such as early mornings. This allows you to take advantage of the optimal moments to execute tasks without manual intervention.

According to results, additional actions

Since the API can return messages of success or failure in the “conversation” in formats such as XML or CSV, it is possible to execute additional conditional instructions after receiving a response. This enhances operations and provides the feeling of having more staff constantly and relentlessly available to perform their tasks.

In aspects such as hardware and software inventory management and control, it is really necessary to use an API, since the huge number of items involved makes it almost impossible to perform it manually.

Reporting

Another aspect that benefits from the use of APIs is the creation and forwarding of periodic reports. By providing real-time information at any time, it is ensured that the reports generated reflect the most up-to-date situation.

New Options

The Integria IMS API is open to new features being developed quickly, since it was built with the flexibility of Pandora FMS in mind.

Conclusions

Integrating Integria IMS and Pandora FMS through an external API has revolutionized server, application and network monitoring. This technology enables efficient and safe communication, with additional security measures to prevent brute force attacks.

Automating routine tasks and scheduling automatic actions at optimal times has freed staff from repetitive tasks, allowing them to focus on more important tasks and provide personalized responses to customers.

In addition, the API provides the ability to execute additional conditional actions and obtain real-time information to generate updated reports.

Hardware and software inventory management is greatly simplified thanks to the API, overcoming the limitations of a manual approach.

And finally, the Integria IMS API remains open to new features, allowing agile and flexible development to adapt to the constantly evolving needs of Pandora FMS.

Dimas P.L., from the distant and exotic Vega Baja, CasiMurcia, journalist, editor, thaumaturgist of content and champion of scaring pigeons in parks. I currently live in Madrid, where I work as a communication champion at Pandora FMS and as a freelance cultural journalist for any outlet that comes along. I also go crazy writing and reciting in the deepest and darkest poetic circles of the city.


About PandoraFMS

Pandora FMS is a flexible monitoring system, capable of monitoring devices, infrastructures, applications, services and business processes. Of course, one of the things that Pandora FMS can control is the hard disks of your computers.

ESET adds Vulnerability and Patch Management capability to the ESET PROTECT Platform to help businesses keep ahead of attackers.

Over the past few years, there has been a significant cybersecurity shift toward detection and response. Yet savvy businesses wishing to reduce their attack surface are now moving their focus back to areas of the prevention phase, such as vulnerability assessment, threat intelligence, and posture and configuration management.

However, small and medium-sized businesses (SMBs), in particular, struggle with critical elements of the prevention phase. This leaves their endpoints exposed to newly disclosed vulnerabilities and the threats that exploit them for longer than necessary. Managing patches and updates across the network can be difficult for SMBs, leading to delayed or incomplete patching. Additionally, identifying and prioritizing vulnerabilities by severity can be tricky and time consuming, leading to inefficient allocation of resources and increased risk.

Often, the issues are down to inefficiencies of legacy solutions. SMBs crave an easy-to-use solution that will manage patches and updates across their entire network. They also want one that will identify and prioritize vulnerabilities based on severity.

Safeguard struggling SMBs

ESET is here to help. We are adding ESET Vulnerability and Patch Management to ESET PROTECT Complete and ESET PROTECT Elite tiers to better safeguard SMBs struggling to keep up with a constantly evolving threat landscape and ensure all endpoints of your network are correctly patched to help keep out the bad guys.

ESET Vulnerability and Patch Management was built to help resolve these issues. Its customizable patching policies give businesses like yours the flexibility and control so that their endpoints can be optimally patched promptly. Not only does this help businesses of all sizes minimize the exposure to threats, but it also ensures they can adhere to increasingly stringent cybersecurity insurance or regulatory requirements, plus meet the standard required for various ISO certifications.

Going beyond the status quo

Unfortunately, SMBs rarely go beyond the status quo regarding their approach to patching. This makes it difficult to effectively detect and patch vulnerabilities to keep ahead of attackers. With centralized management from the ESET PROTECT Cloud console, organizations can easily assess security threats and manage patches across the entire network.

Automated scanning and a wide range of filtering options of ESET Vulnerability and Patch Management enable organizations to quickly identify and focus on the security issues that pose significant business threats. Further, with automatic and manual patching options, businesses can ensure that their endpoints are updated with the latest security patches in a timely manner.

We’ve got you covered

ESET Vulnerability and Patch Management scans thousands of popular applications, such as Adobe Acrobat, Mozilla Firefox, and Zoom Client, for over 35,000 common vulnerabilities and exposures (CVEs). The automated scans can be scheduled, and exceptions for accepted vulnerabilities are fully customizable. Vulnerabilities can be filtered and prioritized based on exposure score and severity. Through the ESET PROTECT Platform's cloud-based console, you can generate reports on the most vulnerable software and devices.

ESET Vulnerability and Patch Management provides a constantly evolving inventory of patches with patch name, version of the app, CVE, patch severity, and affected applications. Businesses like yours can launch immediate updates and begin patching via customizable options or manually when a patch has been identified. You can simplify the patching process further by prioritizing critical assets and scheduling the remainder to off-peak times to avoid disruption.

A unified cybersecurity platform

As many of you know, ESET's unified cybersecurity platform, ESET PROTECT, is a single-pane-of-glass cloud console that provides centralized visibility, management, and insight. It is a simple, modular, adaptable, and continuously innovated solution built with the benefit of our customers in mind.

ESET PROTECT Platform integrates balanced breach prevention, detection, and response capabilities with our industry-leading managed and professional services and threat intelligence. With the launch of ESET PROTECT Elite, there are now five subscription tiers in ESET PROTECT Platform available:

  • ESET PROTECT Entry – an entry-level solution with competitive pricing that includes endpoint protection, server security, and the ESET PROTECT Cloud console.
  • ESET PROTECT Advanced – providing first-class endpoint protection with advanced threat defense technology.
  • ESET PROTECT Complete – including the new ESET Vulnerability and Patch Management capability, cloud application protection, and mail security to reduce cyber risks to the minimum.
  • New ESET PROTECT Elite – providing increased visibility and decreased cyber risks, ESET Vulnerability and Patch Management, ESET’s native extended detection and response (XDR) capability, plus robust multifactor authentication.
  • ESET PROTECT MDR – an enterprise-grade solution that provides complete cyber risk management, robust threat hunting, and world-class ESET expertise on call. ESET PROTECT MDR combines the capabilities of the ESET PROTECT Elite tier with ESET managed security and professional services.


Evolving solutions

As cyberattacks keep evolving and the industry becomes increasingly complex, our enterprise-grade offerings continue to change to reflect shifting business needs and a morphing threat landscape. We address the digital security challenges of today while future-proofing you for tomorrow. With the launch of ESET Vulnerability and Patch Management, we provide a pathway to swift remediation should the worst happen, helping keep disruption and costs to a minimum for businesses.


About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET's high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single "in-the-wild" malware without interruption since 2003.
