New Cyber Challenges and Tools With Google Cloud’s Chris Hein — ICYMI

The public sector is facing changing cyber threats — not just because of remote work, but from increasing ransomware hacks and nation-state attacks as well. But there are also new tools ready to meet those challenges.

Cybersecurity is the No. 1 priority for the public sector across the board, but it has long been a moving target in an evolving landscape.

About half of state and local governments worldwide paid ransomware extortions last year, according to Sophos’ State of Ransomware 2022 report. The rate of payment was even higher for the K-12 education sector, which has had a number of high-profile data breaches and even a recent college closure attributed in part to a ransomware attack.

Last week, the Federal Trade Commission voted unanimously to release a new policy statement on the Children’s Online Privacy Protection Act (COPPA) indicating that it would prioritize enforcement of COPPA’s protections, including data security requirements. Ed-tech vendors must have procedures in place to protect the confidentiality and security of personal information and are in violation of COPPA if they lack reasonable security — even absent a breach.

Meanwhile, facing a shortage of skilled workers in the area of cybersecurity, the federal government is considering a recommendation to create a U.S. Digital Service Academy to help current and future public-sector employees become tech-savvy to counter the threat of cyber attacks.

As insurance costs rise and recent legislation imposes new data privacy requirements, the public sector faces significant challenges in managing its risks, made even more difficult by remote and hybrid workforces. Threat vectors continue to shift, requiring government agencies to respond appropriately.

Google Cloud’s director of customer engineering for public sector, Chris Hein, has been with the company for nearly a decade helping states, localities and educational institutions use Google’s technologies to better serve constituents and operate more efficiently. Dustin Haisler and Joe Morris recently spoke to him about the current state of cybersecurity.



The following interview has been edited for brevity and clarity:

Q: Can you dive into some of the current security challenges and emerging threats you see as you work with agencies across the country?

A: In terms of challenges across agencies, this scales differently depending on what kind of audience we’re talking about.

At the state level, they have their own CSOs with a fairly broad program and a broad responsibility set. And for them, I think a big challenge tends to be that we’re all operating in this hybrid world. Some folks are working from the office, some are working from home, some are working from a Starbucks … your security model has had to really shift from what you could have expected two years ago to what you can expect now.

Being able to look at 10,000-20,000 government employees and say, “We want to try to make sure that all of them have the right security and the right ability to do the jobs that they need to be able to do while being in this hybrid world where we can’t assume you’re going to be on my network at all times” … that’s the first big challenge: a hybrid world with a workforce that’s all over the place.

And how do you deal with the secondary challenge of being attacked by nation-states? Attacks are coming from professionals who work in very high technology sectors, which means that the response has to be similarly high. And that’s really difficult because of the difficulty in hiring cyber professionals right now.

When we talk about local governments, this is where you’ve typically got one person who is already responsible for keeping the systems running … and now she also has to somehow think about not getting hacked by Russia, right? That’s a huge problem set to put in front of somebody. There’s a whole different challenge of how we, as a public-private partnership, make sure that we’re making it possible for folks in those smaller environments to still have a really high level of security.

Q: Are the same threats impacting all public-sector agencies the same way, or are you seeing some nuances between the threats being faced by different government profiles — state versus local, K-12 versus higher education, etc.?

A: I think there are definitely differences. For some of the less sophisticated customers, K-12 and some of the smaller cities or even some smaller states, their No. 1 attack vector is still primarily going to be phishing. Just trying to get a username and a password, and from that finding areas where they can get in and lock down some servers with ransomware. That tends to be where we’re still seeing a tremendous amount of activity.

I do think that some of the more sophisticated governments have done a much better job of implementing multifactor authentication. They’re getting to the point where phishing is less the No. 1 concern — it’s still a really big concern, but it may not be the overall target.

You were talking about a news item being, “You need to make sure that you’re worrying about whether these things are patched and whether you’re closing some of these security holes.” And that tends to be where some of the more sophisticated agencies are getting challenged. They’ve been operating these systems that usually don’t require a lot of maintenance and those have been sitting in the back server room for the last 10, 15, 20-plus years. How do you keep those things up to date? How do you protect a system when you didn’t even realize that there was a vulnerability in it?

Q: We’ve seen over the past two years how the cloud played such a critical role in government’s pandemic response and then recovery. But what role does the cloud play in mitigating the risk in terms of the security challenges that you’ve walked us through?

A: One of the immediate benefits of cloud is that you get to abstract away a huge level of your security stack. Because when you come to Google, or to the other hyperscalers, you know that we’re protecting our own data centers to make sure that we’re never hacked. You get to inherit that level of trust. When there are threats that come out, you know Google’s going to take care of those incredibly fast because they threaten us too. So, from a migration perspective, simply moving to the cloud does up-level that security.

The other nice thing that you get out of that is the cloud tooling — being able to do threat detection at scale is just really, really good. A lot of that is now built natively into products like Google Cloud where we can basically watch your network on your behalf, using some of the same machine learning algorithms that we use to protect ourselves, to look for things that are happening.

When I talk to CIOs, one of the recommendations I make is to ask them to look at those really high-value workloads that they know are going to be targets but that they also can’t afford to have locked out. Migrate those things to the cloud to lock them down, then use that as a template for other things that may be a little bit further downstream and don’t need to necessarily get migrated right away.

Q: Let’s talk a little bit about best practices. What should security-conscious agencies be doing right now to prepare for the inevitable evolution of this threat landscape?

A: It’s a hard question because you’re dealing with an environment that is implicitly super challenging. One of the things that Google is a huge proponent of is zero trust, which is awesome, but there is no product that just gives you a zero-trust architecture. If “best practice” is zero trust, what does that even mean? How can you accomplish that? What might that look like?

You’re going to go on a multiple-step journey. First, you’ll have to worry about identity because phishing is going to be your No. 1 concern. So that means setting up multifactor authentication. And not just multifactor, but in categories where people are dealing with the really sensitive workloads and sensitive data, you’re going to want to have multifactor with a hardware authentication. Those are the types of decisions that you need to start to make as a best practice. A lot of times users don’t love having to carry something around, but it is important to really start to secure that very first level.

After that, then you start to really think about the next step from a best practice perspective: are we doing a good job of logging the security information that’s coming to us? Do we have a good cyber data warehouse? And that’s something that being on cloud can be helpful for, but you also can start to work on that in a multi-cloud or a hybrid environment. Pull all these data streams together from a whole bunch of different places, because your threats are going to be hitting you on your SaaS programs as well as your on-prem infrastructure. Aggregating that data and looking at it at scale is going to be one of the most important things that you can start to do, because that’s where you’re going to get a better perspective as to where the attacks are coming from and what you need to take action on right away. So, those would be phase one and phase two.

I’d say your final best practice step is what I said earlier, which is that you need to start to modernize environments. You know, we’ve been attempting to take mainframes out of the equation for 20-plus years. It might be time. We need to start looking at some of these older technologies and acknowledge that they’re not enough and that it’s going to be hard to get rid of them. We have to rip those Band-Aids off and start to make the environments a little bit better.

Q: When people think of cybersecurity, there are now all these other nuances … privacy, compliance, end-user trust … that are a part of the conversation. Where do all of these things intersect with the security side?

A: When I think about compliance, I think about it in terms of “who watches the watchers?” You need to have some level of trust that when somebody like Chris Hein jumps on a call and tells you that Google Cloud is secure … that’s awesome. He seems like a nice guy. I believe him — but that doesn’t really tell you all that much about the underpinnings of the servers and of what’s going on in that environment, for example. So I think compliance, when done right, is a really good way to start asking “What are the levels that we can have audited to make sure that we can trust what’s happening right now?”

Even so, compliance does not dictate your responsibility as an IT professional. You still have a level of responsibility. We’re taking care of that bottom half of the stack, but if you’re not handling the identity and making sure that you’re logging the different events that are coming through it, or if you’re not patching at the right levels, you’re still going to end up in these tricky situations.

The other thing that I would say is that compliance can be a bit of a blocker when it comes to overuse. For example, you’ll often get agencies that end up with a CJIS workload or an IRS 1075 workload — those require a really high level of compliance for good reason (as that’s sensitive levels of information). But sometimes you’ll get a downstream effect from that, where the agency thinks “now everything has to be held to the CJIS level or IRS 1075 level.” And that drives the cost of the entire installation up dramatically, which can be a hindrance to actually getting the security that you might want.

As I was saying earlier, just shifting to cloud will up-level most installation security profiles. But if you have to uplift into clouds that are a much higher price point, you do have to be careful when you look at things like compliance to make sure you’re doing it smartly for the right data sets at the right time. Also, look at the history of the vendor that you’re working with to make sure that they have done the right things to keep folks out of the “bad places” as best they can.

Q: Digital experience is everything and agencies are leaning into finding ways to leverage new technology to serve people differently. How are you helping agencies realize the potential of this seamless digital experience while maintaining security in the process?

A: That ends up being one of the blockers, right? Because you end up with these problem sets where folks will sacrifice one or the other. And I would hope that we can get to a place where we can do a “yes and” scenario when we think about digital user experience and the security on the back end.

What we really focus on is taking some of those technologies that Google has built ourselves to run our applications that everyone uses, whether it’s Google Search, Gmail, YouTube, etc. We’ve really invested over the long 20-year history of our company trying to figure out how we can make those experiences as frictionless as possible for the person coming at it. We’re always going to work with these three core tenets of simplicity, security and speed.

I would argue that governments can do those same three things. Make it simple for someone to interact with your service. Make it fast — really emphasize the fact that it’s going to turn around quickly and give user feedback as quickly as it possibly can. But keep security as an underlying principle. As you’re building out an architecture, really look at how you can get information from the user in a way that they’re going to trust. How can I make sure that I’m giving the end user feedback on where they are in the process? How do I, as a government employee, make sure that I’m securing that data through transit, at rest and all of those kinds of things?

Again, cloud can be a huge enabler for this because of the fact that Google is encrypted in transit and at rest at all times. But then you can also look at scenarios where you’re going to need to bring your own encryption keys. What are the times where it needs to stay on U.S. data centers only and making sure that you make the right trade-offs on the underlying infrastructure? I would challenge a lot of the CIOs and the agency directors that I talk to — are you using best-in-breed technologies for what the constituent is used to interacting with?

I was speaking with somebody this week who was mentioning that one of their primary challenges is workforce inside the governmental agencies. They’re having to do more work with fewer people because, just like everybody else, they’re in this post-pandemic situation where folks are shifting from career to career. And it’s hard to get people in and get them trained on these older ways of doing things. So, one of the things I recommend is making sure that we’re building processes that allow the government agency employees to do more work with fewer people … and that requires things like AI and machine learning and being able to use some of those cool digital transformation technologies that are out in the market today.

Q: What’s Google Cloud’s vision for the future of security operations?

A: There’s a great article that’s out there about autonomic security operations (ASO). The idea behind ASO is that you’re trying to make security invisible. You’re saying that you are never going to solve the challenge of being able to staff to the threat level that is out there because that’s an arms race that you won’t win. What we believe is that you need to start to invest really, really strongly in building up a security practice that can work through all the threats it is seeing and only call attention to the ones that are real threats which a human being needs to take a look at.

There are good automated systems that can really start to parse that for you so that you don’t have to say “Oh well. Sorry we missed it — it’s a needle in the haystack.” Make it so that you’re looking through a pile of needles instead of a pile of hay with a needle in it. That’s part of where we think that this is all going now, and part of our recommendation for governments is that you need to make sure that you are building a big enough community so that you’re doing the threat sharing … so that you know what the needles are inside that haystack. Because right now there’s oftentimes too much of a wall even just between agencies. Trying to get access to the security login information from one to another can still be a huge challenge.

We need to start to break down some of those barriers. And I actually saw that there was another federal bill that’s just coming out now to try to promote that: better sharing both from the localities to the states to the feds. We need to really be encouraging that more. And from a technology side, we need to be doing a better job of making that possible … making it a little bit easier for us to port from one system to the next system, being in these hybrid and multi-cloud environments. We absolutely need to make that possible because right now it’s a significant challenge and it’s something that we need to work on together. There’s a lot of federal funding right now. It’s time to invest. It’s time to make that possible.
