This past summer, you or someone you know may have been affected by the CrowdStrike outage, a global tech outage caused by a failed automated cybersecurity software update. An estimated 8.5 million computers around the world running Microsoft Windows crashed due to the automated update’s interaction with Windows, which resulted in the Blue Screen of Death for many of them. It’s been described as the largest IT outage in history. 

All over the United States, businesses in both the public and private sectors were affected- banks, universities, airlines, and even states and local municipalities. Many public agencies saw portions of their websites and accompanying municipal services go offline. They had to resort to using their social media pages to notify their constituents. The most surprising aspect of the outage wasn’t just the sheer number of companies and industries worldwide that were affected by the outage. It wasn’t the number of days those companies and industries were left without usable computer systems, and it wasn’t the jaw-dropping dollar amount lost due to the outage. It was the jaw-dropping number of companies that solely relied on CrowdStrike’s Falcon software for their cybersecurity needs. 

The companies that used additional cybersecurity software and other backup strategies in tandem with CrowdStrike’s Falcon software had a lessened impact from the outage and were able to recover relatively quickly. These companies had a high degree of cyber resilience already planned for their operations. The companies that didn’t use additional cybersecurity measures besides Falcon… well, you’ve heard the horror stories. Saddle up, because cybersecurity has officially become the Wild West. 

Planning is Key 

What’s that saying? “An ounce of prevention is worth a pound of cure.” Or, how about this one, “Failure to plan is planning to fail.” Cyber resilience is a combination of both of those approaches. It’s a robust cybersecurity strategy that includes a multifaceted plan (e.g., using Managed SOC services along with multiple complementary antivirus software, especially AI-driven packages) as well as a thorough data protection and recovery strategy that ideally should include things like  

• multi-factor authentication (MFA), 

• cloud-based backup storage,  

• off-site data storage, and 

•  virtualization.  

All of these cyber resilience procedures should be planned well in advance to keep the agency’s IT system architecture up and running and ensure agency continuity while simultaneously dealing with any cyber incidents, if necessary.

The cybersecurity industry has been trying for decades to prevent phishing, hacking, ransomware, and other cyberattacks, working off of the idea that those threats were something that could potentially be avoided. However, in 2018, the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) worked together to publish the nation’s first NIST Zero Trust Architecture, which essentially states that no system is invulnerable to cyber threats.   

The US Cybersecurity & Infrastructure Security Agency (CISA) wants to help public agencies get to Zero Trust or at least be as secure as possible. To do that, they’ve provided a roadmap called the Zero Trust Maturity Model that public agencies can reference as they develop their cyber resilience strategies and implementation plans to transition towards the NIST Zero Trust Architecture. They’re trying to ensure that you do not die of dysentery along the Oregon Trail. (Bonus points if you’ve ever played that video game.) 

“Conservation means development as much as it does protection.” 

This is a quote by the great Frontiersman and 26th president, Theodore Roosevelt. Since it has been established that cyber threats are nearly a guarantee, it’s important that public agencies continuously develop their cyber resiliency plans. In the spirit of Cybersecurity Month, it’s a good idea to look at your agency’s current plan and conduct a gap analysis to see where improvements can be made in your overall security framework. The places where there are gaps between what your current plan can do for your agency and what the newly available cybersecurity technology can do for your agency are great places to start making updates.  

A well-conceived cyber resiliency plan should include a detailed incident response plan that uses the steps of the Computer Security Incident Handling Guide published by NIST:  

• Prevention and preparation  

• Creating a response team 

• Incident detection and analysis 

• Containment, eradication and recovery 

• Post-Incident reporting 

It should also include up-to-date standard operating procedures that clearly define the roles and responsibilities of everyone in the agency in the event of a cybersecurity incident- not just the IT department, but the agency employees, the software or hardware supplier(s), and the agency’s Legal/Risk, Contracts/Procurement, and Marketing/Communications departments. After all, cybersecurity is everyone’s responsibility.  

If your agency outsources the creation or update of a cyber resiliency plan to a consultant, or you are relying on a cyber liability insurance provider, be careful. It’s important to know the full details of what a plan created by a third party will actually mean for your agency in the event of an incident. It’s not uncommon for those plans to have requirements that are not necessarily in the agency’s best interest in emergency situations.

Even though research released by Sophos in August 2024 shows that ransomware attacks are becoming less common in state and local government, as with anything technology-related, a commitment to continuous improvement is always the smartest way forward.  

 

Additional Resources: 

Buyer Be Aware: Integrating Cybersecurity into the Acquisition Process 

Cybersecurity + Procurement 

Procurement U Cybersecurity Course

Pulse Cybersecurity Podcast: Cybersecurity, CIO-CPO Relationships, and the NASCIO/NASPO Paper – NASPO