State CISO: As Hacking and Phishing Risks Shift, State Must Unite on Security

In a virtual Techwire Member Briefing, state Chief Information Security Officer Vitaliy Panych reviewed how cybersecurity has changed in the past year — and how it must continue adapting to new and expanded threats.

The state’s chief information security officer (CISO) sees challenges ahead as government continues to work amid COVID-19 workplace restrictions, but there’s also “a bright spot,” he says. 

Vitaliy Panych offered an overview of the cybersecurity landscape Tuesday during a virtual Techwire Member Briefing, moderated by Alan Cox, executive vice president of e.Republic, Techwire’s parent company. Panych’s takeaways:

  • Shifting the majority of state government employees to remote work at this time last year posed a raft of challenges involving hardware, software, apps and identity management.
  • The return to the office, which some departments are already planning to a limited degree, poses a separate set of challenges for cybersecurity technologists like Panych and his CISO counterparts in the state’s 140 agencies and departments.
  • Machine learning and behavior-based endpoint security will be the tools of the future as Panych and other state leaders continue working toward a single sign-on identity management environment for residents doing business online with government.
  • A unified resolve among all in state government to tighten the security leaks is what’s needed, and that can happen most efficiently through centralization of security services and protocols.
“The point is, the more we unify and fight this fight, the more effective we’ll be — the less chance there will be that there’s a ‘weakest link’ in our supply chain of how we deliver state services and state government,” Panych told Cox in the virtual briefing. “The more we get centralized and unify and do things consistently, the better off we’ll be, the more effective we’ll be, the more resilient and secure we’ll be as a state.”

With a state the size of California, he said, “There’s no shortage of threats. Our attack surface keeps expanding — exponentially, actually, as we innovate and as we rely more on IT and technology to augment and enable efficiencies at scale and how we deliver services. So there’s more opportunities to attack a given business process or a given innovation; there’s more opportunities to facilitate and implement fraud by … our adversaries.”

And the nature of those incursions is also changing, he said.

“It’s not your traditional cyber adversary in a basement with a dark hoodie; it’s commoditized these days. Any person off the street does not have to have technical chops to go out and facilitate fraud, (but can) go on the dark web, buy an instruction manual on how to commit fraud, and it’s widely available. That’s what I mean by it being commoditized. So we’re dealing with more types of adversaries — not just your traditional hacker in a hoodie, not your nation-state adversary, but a lot of fraudsters that are willing to subvert our business process.”

He acknowledged the difficulties many residents have with managing multiple online usernames and passwords for various departments. 

“Security is difficult. … It’s tough to implement,” he said. “It causes a lot of friction within the user base, within the business, within the program. Yeah, sure, it’s hard to maintain 50 different passwords, 15 characters in length, throughout all these systems — and oh, by the way, you tack on MFA (multifactor authentication) and another way to log in — it makes it difficult.” 

Panych noted that along with tighter security, state leaders want California to remain a leader among states in protecting residents’ digital privacy.

“Ultimately, this is a really privacy-cautious state, in my opinion, so we definitely need to be respectful of privacy as much as possible,” he said. “One example we were involved with was the [COVID-19] exposure notification effort during the ramp-up of the pandemic, as well as contact tracing. Those applications, obviously built in partnership with Google and Apple, there was some really in-depth discussions at the highest level of the executive branch on how do we make this process and this technology be as privacy-preserving as possible.

“We’re having top legal experts, top folks from the Governor’s Office, all having risk-minded discussions on privacy and threats, and that’s something I’m definitely excited about — that we’re actually getting more non-security folks, non-tech folks, being really risk-cautious and risk-minded and being considerate of privacy controls.”

And on the return to work, Panych said: “We need to be concerned about drift — asset drift, configuration drift, software drift — what changed during the time when an asset was off-site? We really need to be cognizant about devices coming back in. We are working with departments to mitigate some of those issues, discussing things like always-on VPNs and software-defined networking, so when you are off-site, it does appear as if your device or asset is managed to that same level.”

As for how the industry can help, Panych had one simple ask: He urged vendors — “our force multipliers” — to “treat us as one organization, and not treat the state as multiple federated, siloed organizations.” And on the government side, Panych said, he would like agency and department security officers to freely consult him and his team about cybersecurity issues, tools and solutions.

“Bring us into the talks with AISOs and CIOs at the agency level, the local level,” he said.

Dennis Noone is Executive Editor of Industry Insider. He is a career journalist, having worked at small-town newspapers and major metropolitan dailies including USA Today in Washington, D.C.