Information Technology Shared Service Team North Dakota Cyber Security Across North Dakota Threats and Opportunities 15 September 2018 EMPOWER PEOPLE IMPROVE LIVES INSPIRE SUCCESS
AGENDA SIRN / FirstNet / Network Backbone Cyber Security
Procurement Events Date RFP Issued 11/6/17 Deadline for receipt of proposals 2/15/18 COURAGE Financial Item Fiscal Note: HB 1178 Projected Biennium Revenue Value $9.6 M $7.5-8M Revenue in Fund $4M Expenses Incurred $49,974.53 Loan Value Zero Approximate initial evaluation completion 3/9/18 Demonstrations and presentations 3/19/18 3/23/18 Best and Final Offer(BAFO) Issued 4/23/18 BAFO Response Due 6/6/18 SIRN Governance Approval to proceed to negotiations phase 7/24/18 Public Safety Radio Challenges: COVERAGE INTEROPERABILITY CHALLENGES AGING INFRASTRUCTURE Currently in contract negotiation phase Intent to award objective 12/2018 HB 1178: Public Safety Mission Critical Voice
FirstNet is HERE and AVAILABLE TODAY COURAGE 3G / 4G / 5G services available for Emergency Responders Priority and Preemption is available today Things to be Aware of ~80% of the state has 4G, but 0% 5G today 40 new towers being built Coverage is expanding constantly however, CHECK COVERAGE BEFORE LEAPING IN
Major Network Backbone Upgrades for all Government COURAGE 20 x 100 times faster than most communities have available today Installs in progress, to be completed July 2019
North Dakota Cyber Situation Overview
The threat landscape has significantly changed over recent years, driven by state-actor industrialized hacking, and increasing government complexity: Then the old way Now Build a perimeter defense Security culture focus System focus Monitor everything / Data Focus Assume the inside is good and outside is bad Defense-in-depth Fantasy of 100% compliance with zero-risk Lock the house, and the car, and the safe
THREATS Complexity of Cyber Attack Capabilities are Growing (2016 Survey) High Foreign state sponsored cyber espionage Insecure codes Cyber terrorism Cyber warfare Government IMPACT: trust Cost to protect Legal/ regulatory Critical infrastructure Low DATA IN SECURE BUSINESS SYSTEMS Mainframe systems Internetworking Network attacks Emergence of open systems Hackers Data breach INTERNET ACCESS AND HIGHLY CONNECTED SYSTEMS Online access to citizen data Advances in internetworking self service Cyber crime Identity theft Critical infrastructure attacks Malware ACCESS ANYWHERE & ANYTIME Integrated online eligibility systems Big data Cloud Mobile DATA EVERYWHERE; USER EXPERIENCE DRIVEN Wearable technology Unmanned vehicles Internet of things Smart devices Drones (UAS) Artificial intelligence Mobile payment Electric grid Critical Infrastructure Etc. 1990s 2000s 2010-2014 Now Distributed systems are significantly harder to protect against escalating threats 42+ organizations in the US had over 1,000,000 records stolen in 2017
Complexity of Data in North Dakota
COURAGE Bad actors are targeting North Dakota We have things they want Social hacktivism with events like Dakota Access Pipeline North Dakota s IT Shared Service has defended against in the last 6 months 34,000,000 Vulnerability attacks 3,300,000 Denial of Service attacks 88,000,000 Spam and Phishing Messages 1,300 0-Day Attacks (attacks with no fixes yet) State-sponsored Hacktivist Criminal
Specifics: High Concern K-12 Items K-12 Malware: Double Pulsar Infection Indicators of threat from North Korea and other nation states identified Over 1/3 of ND schools infected with Double- Pulsar malware just one of many malware threats
COURAGE Communities are being targeted in 2018 Atlanta Ukraine Millions in losses services impacted 230,000 people left without power Municipal Railway Water treatment systems Energy production centers Iron ore furnaces City-wide emergency alarms Electronic construction signs Malware In 2017 San Francisco Attacks against North Dakota Communities Detected by State Cyber Team July 2018 Political Sub Division ATTACKS: 178k CITY THREATS: 66k (Scans, Malware, Vulnerabilities ) COUNTY THREATS: 111k (Scans, Malware, Vulnerabilities ) Most Common Types of Malicious Traffic VULNERABILITIES: 70k MALWARE DETECTED: 54k SPYWARE: 68k SCANNED: 103k
Considerations Moving Forward
Challenges ~50% of the population has had some data breached over the past year Average salary for a Cyber Security Professional is $116,000 annually Unemployment rate for Cyber is ~0% The market for Cyber related jobs is expected to increase by ~1,800,000 people over the next handful of years We need to think differently
What do we need to do?
Mitigations Strategic Operational force Move to a whole of Government approach across Cyber Align with private partners SECURE Establish risk-prioritized controls to protect against known and emerging threats, and comply with standards and regulations Educate Kindergarten through PHD DEFEND Create situational risk and threat awareness across the environment to detect violations and suspicious behavior RESPOND Develop a capability to handle critical incidents, quickly return to normal agency operations, and repair damage to the State
Summary Looking Forward Cyber Security requires a Whole of Government Approach The 21 st Century force must be Cyber educated We need to encompass all 252,000 users on the network (including K-12, Higher-Ed, Political Subs, etc.) ND IT is working through options to bring forward and accomplish this May require: Changes to Century Code Dedicated Cyber security funding / bodies Cyber Security minimum standard enforcement across StageNet CYBER SECURITY Plan RESPOND
Questions & Appendix 18
Centralized Cyber Spending & Staffing Benchmark Paragraph One Two Three The State of North Dakota s Annual Revenue for 2017 was $6.428B IT Spend for 2017 Was $157.235M (~2.4% of Revenue) Percent of ITD budget spent on security Percent of ITD staff focused on security IT security spend by functional area 6.2% 5.0% ~1.4% 5.9% 7.8% 2.9% Operational Infrastructure Security 52% 24% State/Local Government 7 Vulnerability Mgt. & Analytics 12% Application Security 12% GRC Published Average 1 State / Local Government 2 State of North Dakota 3 Published Average 4 State / Local Government 5 State of North Dakota 6 Data Unavailable For State The State of North Dakota s Historical Spend (SFY-2014 SFY-2017) State Fiscal Year - 2014 Annual Revenue: $8.667B *IT Spend: $100.01M / 1.15% State Fiscal Year - 2015 Annual Revenue: $7.918B *IT Spend: $105.63M / 1.33% State Fiscal Year - 2016 Annual Revenue: $5.645B *IT Spend: $168.82M / 2.99% Only 1 FTE is centrally dedicated to Cyber Security in K12 environment and most districts have well intended IT folks, but not trained cyber professionals
Day to Day Cyber Defense SECURE Establish risk-prioritized controls to protect against known and emerging threats, and comply with standards and regulations DEFEND Create situational risk and threat awareness across the environment to detect violations and suspicious behavior RESPOND Develop a capability to handle critical incidents, quickly return to normal agency operations, and repair damage to the State People Fixes Align all state cyber security teams closer Engage force opportunities Process & Policy Fixes Cyber Security Minimum Standard Public / Private Partnership Technical Fixes Building out network segmentation Managing application vulnerabilities Strategic Operational CYBER SECURITY Plan RESPOND force
The Challenge of IT and Information Security ITD Security collaborated with (18) cabinet Agency Stakeholders (e.g., Agency Directors, IT Coordinators and Security Coordinators) and ITD. Through our workshop discussions we noted the following themes: Why IT and information security is challenging and innovation The solutions and process we implement to improve value and services to our citizens may also create, or exacerbate cyber and information risk (e.g., adoption of new technologies, offering new services and developing new service delivery models) Sharing information is imperative The State, its agencies, vendors and most importantly, our citizens are connected using technologies designed to share information not protect it. We have an obligation to secure the information our citizens share with us and as a State, we share with each other. People must be trusted The Sate and every agency rely on people and business partners whom we trust to help us deliver world class service to our citizens every day. Therefore, we must focus on delivering security services that will help the State effectively Secure, Defend and Respond to cyber attacks SECURE Establish risk-prioritized controls to protect against known and emerging threats, and comply with standards and regulations DEFEND Create situational risk and threat awareness across the environment to detect violations and suspicious behavior RESPOND Develop a capability to handle critical incidents, quickly return to normal agency operations, and repair damage to the State 21