Much like with businesses, many state and municipal governments can afford to allocate only a relatively small portion of their tech budgets toward cybersecurity. Looking to boost the cyber intelligence resources of these institutions, Deloitte is now granting thousands of government workers access to its Cyber Detect and Respond Portal in what the global consulting firm is calling a first-of-its-kind free offering between private and public sectors.
MS-ISAC members already have access to federal intelligence dispersed by agencies such as the Department of Homeland Security, but having access to complimentary cyber threat intelligence from the private sector will at times help provide a more timely and in-depth delivery of information, while also supplying an altogether different perspective, according to Srini Subramanian, Deloitte Risk & Financial Advisory leader for the state and local government.
“The Deloitte Cyber Detect and Respond Portal will provide access to cybersecurity threat and vulnerability advisories from Deloitte’s analysts who cover multiple industries,” said Josh Moulin, senior vice president, operations and security services at MS-ISAC, a division of the Center for Internet Security. “These will keep our SLTT [state, local, tribal and territorial] community up to date on the tactics, techniques and procedures used by cyber threat actors, and will allow them to prepare countermeasures for the most pressing malware threats. Additionally, vulnerability advisories will allow SLTTs to prioritize their patching activity.”
The offering is a major shot in the arm to government bodies that can’t necessary afford to invest heavily in their own solutions. Indeed, every two years, Deloitte conducts a study with the National Association of State CIOs (NASCIO) to gauge the latest cyber trends among U.S. states. And according to the most recent report, most states spend only one to three percent of their technology budget on cyber.
By comparison, federal civil agencies (not counting defense) on average dedicate 16.3% of their technology budget on cyber, while private financial institutions on average allocate 10.9% of their tech spend toward cyber. “For over a decade, state governments have been underspending on cyber.”
Subramanian spoke to SC Media in further detail about the new partnership.
Explain the significance and timeliness of this new collaboration.
“You can imagine the difficulty in getting people to come and work for state governments, [with] the demand for cyber talent. State governments are not in a position to win that… and now they are starting to get hit with ransomware attacks and other kinds of attacks – just because of the richness of data that states hold on citizens from birth all the way to death.
And now with COVID, the issue is only compounded because state governments are doing contact tracing, there are more people applying for benefits like unemployment compensation, and there is rampant fraud in that area.
States can only tackle these cyber threats if they play it as a team sport with the private sector, and with higher education. And so this is a first-of-its-kind collaboration, doing this with MS-ISAC and state and local governments.
Explain how this intelligence you provide will supplement the intel that the federal governent already supplies to smaller governments.
MS-ISAC is already funded by the Department of Homeland Security, and that is the typical channel where state and local governments get their threat intel from. By the way, they have the best government intelligence data on cyber threats, there is no question about it. Nobody in the private sector can compete with that.
But they are taking that [intelligence] through a deliberate process of declassification, or in some instances, taking the classified data and sharing with specific members…And typically those reports through MS-ISAC go out as a push notification.
The power of this now is there is a portal where people can look at historical data, as well as private sector research data that is coming in from Deloitte, to complement what they are getting from the Department of Homeland Security. And now they really have the power to make more meaningful decisions. That's the difference.
What led to the decision to share this tool with MS-ISAC’s membership?
We’ve offered this to our clients for free… for more than a year now, and then we got feedback from our some of our state clients, saying, “We find this to be extremely useful. This really helps.” And that's when we [talked to] MS-ISAC and said, “Look, this is a portal, we are doing the research, and this is available. Do you want to consider offering it to your broader population?”
And then they looked at it, they evaluated it, and they had the executive committee pilot it for almost six months or so. And then they came to the conclusion that there is a lot of value in having an ability for their members to be able to go through a portal so they can pull information and do research on their own.
I think the MS-ISAC was always looking at having a portal that would eventually be a mechanism for cyber threats to be shared between members… Even in week one, almost more than 900 people [from MS-ISAC have already] enrolled. So that's pretty encouraging.
What are the various tools, features and intelligence reports that are going to be made available to MS-ISAC members through this portal?
Like any portal, they can set up preferences to be alerted when something of interest shows up. And once they go into the portal, they can also start seeing specific issues related to whatever is their interest of that particular day. They can start looking at prevalence of similar issues, and the advisories that have been published, and then they can start drilling down into really deep technical aspects of the vulnerability or the threat.
For example, when there are specific threats being identified, there is a fairly exhaustive multi-page intelligence report that gets published right away. Those kinds of things are available to them, and then they can also get on specific conference calls related to the description of such threats.
For the cyber threat intelligence reports, we first look at a particular vulnerability [or threat]. And is that something that’s seen across the globe, or only in a particular geography of the globe? Is that is it seen in the U.S., or not? Is it seen only in Europe, in certain countries?
And then the second [focus] is: Which particular platform [and its users are] potential targets… [Or] it could be in a particular industry vertical, like a particular vulnerability that is only targeting OT or operational technology in, let's say critical infrastructure related to energy. And so we might paint it as an energy industry-related threat... As you know… some municipalities actually run the utilities, not the big energy companies… So if a particular state or a local government is interested in that aspect, they might flag it and say “I would like to be notified when there is a particular attack happening with energy distribution.” And so they can get those alerts.
And then I would image those reports also contain information on how to properly detect, respond and mitigate, yes?
Correct – what do you do about it? If it's a zero-day vulnerability, when is a patch expected from a particular vendor that that might be operating that platform and so when do you apply that patch and things like that.
The threat advisory does include all of the relevant details, so they can start doing [response] themselves. Or in some instances, if [MS-ISAC members] see an imminent threat, they can raise an alarm and say, “Look, we might actually need cyber incident response capabilities,” and they could go back to MS-ISAC, they can go back to the Department of Homeland Security [for additional help].