Protecting Ohio: How local governments can better manage cyber risk and response
Cybersecurity is a major concern for both public and private sector leaders across Ohio, and as cyber threats increase, so, too, does the need for organizations to prepare and respond accordingly.
We chatted recently with two cybersecurity leaders who have experience helping local governments prepare for cyber threats, and discussed some of the resources available to help agency leaders and IT workers build up their cyber defenses.
Kirk Herath was appointed cybersecurity strategic advisor to Gov. Mike DeWine in April 2022 to lead CyberOhio, coordinating the State of Ohio’s cybersecurity capabilities; developing strategies, plans, and standards; and delivering cybersecurity education.
Dan Poliquin is an advisory principal with Deloitte & Touche, LLP who leads technology work for state and local governments, with a focus on cybersecurity.
This interview has been slightly edited for clarity.
OhioTechNews.com: What are the biggest cybersecurity challenges facing local and state governments today, both in terms of threats, as well as obstacles?
Kirk: I’d say that there is often a disconnect between leadership and the technology folks who are actually managing the cybersecurity risks. I don’t think some leadership [at the local level] grasps the extreme nature of these threats, or has a full appreciation of how high cybersecurity should be prioritized.
I’m not saying you should spend all your money on cybersecurity, but when so many government delivery mechanisms are digital — from local pool memberships to soccer leagues to permits — you do need to be willing to spend in order to protect those interactions.
It will be very disruptive when an attack takes this down and impacts the lives, health or safety of your citizens.
Dan: I agree, and I also don’t think there are enough resources in most local governments’ budgets to get that appropriate amount of spend. In many cases, there’s an incomplete understanding about what it takes to reach a, let’s call it, “minimum security threshold.” It’s a real barrier to entry.
However, we are starting to see a shift to bring applications and services online with security infrastructure in place, rather than building local applications within that security infrastructure.
How would you describe the differences between public and private sector entities in terms of preparing for cybersecurity? What do you think drives these differences?
Kirk: I would say regulations for the private sector are a big difference, which can be a challenge, of course. For instance, when I was working for a financial services company, we had a state or federal regulator in our building almost every week of the year. It was a nonstop assessment of our technology and security controls. And we kept up with these audits, because frankly it was more costly not to do so. Because of that external oversight, senior leadership was often brought into discussions with the regulators, so it was a reminder that this was critically important.
There was an accountability loop and, therefore, cybersecurity got funded. I'm not sure that would have happened without that level of scrutiny.
Dan: In the public sector, there is some auditing, but it’s not the same thing.
Kirk: Exactly. And in the public sector, there’s not really a risk that a state agency’s operations are going to be shut down, for example. The federal government needs the states to carry forward those critical services.
Dan: I agree with you. It’s just not the same level of scrutiny at all.
Kirk: I’m not saying states don’t take federal regulators seriously, they very much do. I would just say it’s more of a partnership than what you see in private industry where it’s much more adversarial.
You mentioned state agencies. What about local municipalities? How are they prioritizing cybersecurity?
Dan: I will contrast that with many cities and counties, however, which really don’t have any of this [pressure].
We’ve been asked to do a cyber assessment for some counties and local governments, and it’s often a much lower level of maturity. For some, they are so early in their journey that it’s even difficult for them to answer basic questions about cybersecurity.
Kirk: I think part of it is that cyber is viewed as the wiring and plumbing in the house in that we just expect it to work or to be good enough. They’re not going to get any kudos for doing this work, right? It’s sort of out of sight out of mind.
Dan alluded to it earlier: even the largest cities and counties in any state individually do not have enough resources to really scale this [to where it needs to be].
However, as we continue to see, it’s critical not to ignore cybersecurity, as local governments, including Columbus, regularly fall victim to cyberattacks. You can’t let it just sit there, right?
Kirk: Right. In my 30-plus years of private sector work, it was mandatory we had this [cybersecurity systems and protocols] in place, and there was a lot of support from senior management and the board level.
I think we’re seeing that in Ohio, we do also take this very seriously in the public sector. There is accountability from the top.
Gov. DeWine is one of the first governors to really create a position like mine and create a centralized coordination of all cybersecurity because he realized that Ohio needs it. But there wasn’t someone who got up every day and worried about whether it was good enough. And that someone became me.
From your vantage point, what are the one or two things that local governments should tackle first to be in a good position to defend themselves?
Dan: My first reaction is that they should make sure to have requirements when they put out a bid [for technology work] to have a certain minimum of base cybersecurity.
For example, we need to see RFPs for applications and services with security embedded into the request, so that vendors see that the demand for cyber protection is there and that it has to be done. Too often we see that the further away you get from larger, regulated departments and agencies, the less security is embedded into many of these RFPs.
Kirk: Yeah, yeah, I agree. And if I could just wave a magic wand, I would have everybody in the state adopting multifactor authentication on their email and applications. While not a complete silver bullet, by any means, the absence of multifactor authentication is basically the number one vector for ransomware, for account takeovers, for almost everything.
Dan: It is.
Kirk: I think email protection is another common risk point. If you can just scrub out most of the spam and nonessential emails, you’re really reducing the risks. Those are the two big things.
Dan: I also see in many large cities they have somebody responsible for security who really doesn’t have the time for it. Maybe it’s the network engineer, and security is job number six for him. Which sounds great on paper because you don’t need to hire more people and security is kind of covered.
But be honest: How often do you get to your sixth job? Or your seventh?
Kirk: There has to be somebody in charge of it who thinks about it every day. You need to have people who get up every day and think about security as their only job.
And finally, comprehensive incident response and recovery in my mind are two main things I’ve focused on in my career. You know, by recovery I mean having disaster planning and business continuity planning in place. And you need to practice incident response.
This is not sexy stuff, and it's kind of scut work, frankly. But it is fundamentally essential.
What was the impetus for creating CyberOhio and what role does it play in assisting local governments with cybersecurity?
Kirk: Well, this really goes back to when Gov. DeWine was Ohio Attorney General in 2016. He was worried about the lack of awareness initially from small businesses around cybersecurity, so he put together a private sector technology advisory board. He appointed me to it, and later they asked me if I wanted to chair it. We called it CyberOhio.
When he was elected governor, there was a desire to expand our work. Lt. Gov. [Jon] Husted’s InnovateOhio program was a natural fit, and CyberOhio then became the cybersecurity pillar for InnovateOhio. I retired from the public sector in 2020 and in 2022 they asked me to be the Cybersecurity Strategic Advisor to Gov. DeWine.
My role, and CyberOhio, has an executive order, and it lays out that basically I coordinate all the cybersecurity inside the state of Ohio, including executive branch agencies, and then for programs and capabilities to assist local governments with critical infrastructure.
That’s a pretty wide range of responsibility. What does that look like today?
Kirk: You are right, it is quite large and broad. We spent the first year focusing on hardening the security of executive branch agencies and on building out what we called our Ohio Comprehensive Cyber Plan, which is our whole-of-state plan and all of the capabilities we’ve knitted together.
We now have the Ohio Cyber Range Institute at the University of Cincinnati [which just received $6.5 million from the State of Ohio] and its affiliate, the Ohio Persistent Cyber Improvement (OPCI) program, which is an assessment training program that is currently at the county level. We already have over 1,000 public sector employees going through this cyber training. This latter program in particular has proved critical to getting government leaders to understand the risks and empower them to own the solutions.
Finally, there are the cyber grants. We have about $7 million in cyber grants for local governments [which were open to bid through September 16, 2024]. And this is really to give people the capability of getting, among other things, multifactor authentication and email protections.
Dan, you have a unique view from Deloitte working with state government agencies and local governments in Ohio and across the country. How special or unique do you think CyberOhio is and what Kirk is leading?
Dan: I’m not aware of any other state that actually has somebody reporting directly to the governor like Kirk does. In that way, Ohio is very unique. Then, when you look at the statewide programs by the InnovateOhio Platform, the overall effort is quite powerful.
A lot of states are trying to figure out how to get to that level of maturity. Everybody is trying to figure out how to get their cybersecurity right, but the level of commitment varies greatly.