Lincoln White Paper
Improving State and Local Governments’ Acquisition Security Management
Strengthen information sharing about potential vulnerabilities in commercial technologies
Dan Lips

EXECUTIVE SUMMARY

State and local governments are on the front lines of the national effort to protect American citizens from cyberattacks. They are responsible for providing public safety and managing elections. State and local agencies hold some of our most sensitive information, including financial and health records, and state and local education agencies manage the personal information of more than 50 million schoolchildren and their parents. All of these vital services face serious threats from cyberattacks, yet state and local governments have limited cybersecurity expertise and capacity.

In January 2020, the National Governors Association (NGA) and the National Association of State Chief Information Officers (NASCIO) issued a report describing state governments’ increasing responsibilities for supporting the cybersecurity needs of local government agencies, which often have few resources. State governments themselves have scarce resources for addressing cybersecurity vulnerabilities alongside their other responsibilities, including information technology management and federal regulatory compliance.

The federal government has both an opportunity and a responsibility to support state and local governments’ cybersecurity postures. One way it can do so is by sharing information about known or perceived cybersecurity threats and by providing guidance on information technology acquisition management.
A review of recent federal and state information technology management policies shows that federal agencies are banning the acquisition and use of certain information technology linked to nation-states that present a cybersecurity threat to the United States. But state and local governments continue to purchase and use technologies that federal agencies have deemed unsafe. Specifically, recent reviews warn that state and local agencies continue to use Lexmark, Lenovo, and DJI products that federal agencies have prohibited.

This report reviews publicly available information about the differences between the cybersecurity acquisition policies and practices of federal, state, and local government agencies. It presents the following recommendations for Congress and the executive branch to take immediate action to strengthen state and local governments’ cybersecurity:

1. Congress and the federal government should improve information sharing about known or perceived cybersecurity threats, consistent with the requirements of bipartisan legislation passed in 2018.
2. Congress and federal agencies should prohibit the use of federal funds by state and local governments to purchase technology, equipment, or services that the Federal Acquisition Security Council has identified as posing a cybersecurity threat to the United States.
3. Congress, federal agencies, and federal watchdogs should partner with state and local government agencies to assess whether potentially vulnerable technology is present in the inventories of state and local agencies’ current information technology systems.
4. State officials and lawmakers should recognize the security risks of commercial off-the-shelf technology and pursue reforms that align state procurement policies with the security recommendations of federal agencies.
Improving information sharing about known cybersecurity threats has been a federal priority for the past decade, under both the Obama and Trump administrations. Bipartisan legislation passed by Congress has created a venue and legal processes for government agencies and partner organizations to share information about cybersecurity threats and vulnerabilities. In 2021 and beyond, Congress and federal agencies should prioritize sharing information about security vulnerabilities in commercial off-the-shelf technologies with state and local government agencies and other partners. Moreover, Congress should restrict the use of federal grant funding so that state, local, tribal, and territorial government agencies cannot use it to purchase technology or other equipment that would put sensitive data at risk.

BACKGROUND ON STATE AND LOCAL GOVERNMENT CYBERSECURITY CHALLENGES

In 2020, state and local governments faced significant information technology challenges related to COVID-19, including transitioning government workers to telework,1 maintaining essential services,2 holding a national election,3 and supporting the unprecedented shift to remote or virtual learning for thousands of school districts and millions of children.4 They faced these challenges during a period when they were already confronting new and growing cybersecurity threats.
In 2019, states, local governments, schools, and hospitals experienced a dramatic increase in cyberattacks, including ransomware.5 By one estimate, 140 “local governments, police stations and hospitals [had] been held hostage by ransomware attacks” during the first ten months of 2019.6 One notable victim was the City of Baltimore, which spent an estimated $18 million on remediation and related expenses after a ransomware attack.7 Overall, cyberattacks against state and local governments have increased by 50 percent since 2017.8

Despite these rising challenges, state and local governments have limited resources for cybersecurity. A 2020 report published by Deloitte and the National Association of State Chief Information Officers (NASCIO) highlighted the challenges facing states:9

• A majority of states spent less than 3 percent of their IT budgets on cybersecurity.
• Just 18 states include a specified line item for cybersecurity in the state budget.
• Fewer than 15 states support local governments and public schools by providing training or through other collaborations.
• 42 percent of state CIOs reported inadequate cybersecurity staffing.10

At the same time, the same survey found that state government employees responsible for information technology and cybersecurity view the likelihood of a security incident in the coming year as greater than in the past.11

Not surprisingly, reviews of state governments’ cybersecurity postures have identified potential vulnerabilities and weaknesses. For example, an October 2020 review by SecurityScorecard found that 75 percent of states and territories “showed signs of a vulnerable IT infrastructure.”12 A recent survey of state CIOs found that just half had “documented the effectiveness of [their] cybersecurity program with metrics and testing.”13

According to the National Governors Association and NASCIO, state officials were seeking to provide additional cybersecurity support to local government agencies and public schools at the beginning of 2020.14 However, the economic effects of the COVID-19 recession are likely to create new downward pressure on state budgets. According to estimates published by the

NOTES

1 Noelle Knell, “Four States Share Realities of the Transition to Telework,” Government Technology, May 5, 2020, https://www.govtech.com/computing/Four-States-Share-Realities-of-the-Transition-to-Telework.html.
2 Deloitte Insights and National Association of State Chief Information Officers (NASCIO), “2020 Deloitte-NASCIO Cybersecurity Study” (October 2020), https://www.nascio.org/wp-content/uploads/2020/10/2020-Deloitte-NASCIO-Cybersecurity-Study-1.pdf.
3 Maggie Toulouse Oliver and Paul Pate, “How We Prepared for the 2020 Election during a Pandemic,” StateScoop, September 14, 2020, https://statescoop.com/preparing-election-pandemic-nass/.
4 Kevin Bushweller, “How COVID-19 Is Shaping Tech Use. What That Means When Schools Reopen,” Education Week, June 2, 2020, https://www.edweek.org/ew/articles/2020/06/03/how-covid-19-is-shaping-tech-use-what.html.
5 Dan Lohrmann, “2019: The Year Ransomware Targeted State & Local Governments,” Government Technology, December 23, 2019, https://www.govtech.com/blogs/lohrmann-on-cybersecurity/2019-the-year-ransomware-targeted-state--local-governments.html.
6 Allen Kim, “In the Last 10 Months, 140 Local Governments, Police Stations and Hospitals Have Been Held Hostage by Ransomware Attacks,” CNN, October 8, 2019, https://www.cnn.com/2019/10/08/business/ransomware-attacks-trnd/index.html.
7 Bruce Sussman, “Baltimore, $18 Million Later: ‘This Is Why We Didn’t Pay the Ransom,’” SecureWorld, June 12, 2019, https://www.secureworldexpo.com/industry-news/baltimore-ransomware-attack-2019.
8 Stephanie Kanowitz, “Cyberattacks on State, Local Government Up 50%,” GCN, September 4, 2020, https://gcn.com/articles/2020/09/04/cyberattacks-state-local-government-climbing.aspx.
9 Deloitte Insights and NASCIO, “2020 Deloitte-NASCIO Cybersecurity Study Highlights Imperatives for State Governments,” press release, October 14, 2020, https://www.nascio.org/press-releases/2020-deloitte-nascio-cybersecurity-study-highlight/.
10 Deloitte Insights and NASCIO, “2020 Deloitte-NASCIO Cybersecurity Study,” op. cit., https://www.nascio.org/wp-content/uploads/2020/10/2020-Deloitte-NASCIO-Cybersecurity-Study-1.pdf.
11 Ibid.
12 Alexander Heid, “SecurityScorecard’s ‘State of the States’ Report Explained,” SecurityScorecard, October 15, 2020, https://securityscorecard.com/blog/securityscore-