The commonwealth could stand to benefit tremendously from stronger cybersecurity measures and a beefed-up cyber workforce. That was the message during the House State Government Committee hearing in Pittsburgh Wednesday, where cybersecurity and blockchain experts discussed the potential impacts of technology on government operations.
The first panel at the hearing focused on ways government entities can protect themselves from ransomware attacks and discussed the need for states to develop their own cybersecurity workforces. For an aging state like Pennsylvania, cybersecurity is one sector where workforce development can not only boost the economy, but help the commonwealth develop more secure computer systems, experts said.
“We have seen cyber attacks on our federal government all the way down to local governments,” said state Rep. Seth Grove, chair of the House State Government Committee. “As technology changes, state policymakers must be up to date on the ongoing threats to its citizens and government functions from cyber attacks.”
Tyler Clark, state and local government industry manager at Microsoft, said basic digital hygiene can keep computer systems safe from up to 98% of attacks.
“According to our research last fiscal year, the government was actually the most targeted sector at 48%, followed closely by nongovernmental organizations and think tanks at 31%,” Clark said. “The key actionable learning from all the elements of our digital defense report is to minimize the impact of attacks we have to practice good security hygiene, implement architectures that support the principles of zero trust and ensure cyber risk management is integrated into every aspect of the business.”
The Pennsylvania National Guard has joint cybersecurity operations to assist the commonwealth. Its cyber protection team can provide state entities with incident response, information sharing and education and training. The team has conducted more than 30 cyber assessments at the local, county and state levels since 2014.
City & State has previously investigated the proliferation of cyberattacks and how that has prompted municipalities in the commonwealth to take extra steps to secure their systems. In that report, the City of Allentown doled out more than $1 million in remediation and recovery after a ransomware attack infiltrated the city’s computer systems in 2018. The type of “Trojan Horse” malware can disguise itself as harmless to the user, but once inside, it can steal credentials and work its way across computer systems.
Although Allentown’s payout is an example of cleaning up the mess from an attack rather than paying out a ransom to the perpetrators, payments for either scenario can be costly. The average ransomware payment still comes in at more than $111,000, according to the National Guard.
With an increase in cyberattacks comes an opportunity for an enhanced security industry. Clark noted that cybersecurity jobs are in high demand and that some entry-level positions require certificates rather than degrees.
“We need to solve the cyber talent pipeline. Annually, only 3% – or roughly 65,000 U.S. students – are security credentialed in computer and information sciences and fewer than that are specializing in cybersecurity,” Clark said. “Analysis from LinkedIn and cybersec.org shows that there are nearly half a million job openings in cybersecurity today. And these are jobs that paid an average of over $100,000.”
Grove, a Republican from York County, said the commonwealth must do more to help guide young people into cybersecurity if they’re interested in that line of work. Microsoft is among the companies with programs that help enroll students in information technology courses at community colleges.
Clark added that there’s a “great opportunity” for states to utilize federal cybersecurity funding from the Infrastructure Investment and Jobs Act to coordinate and extend cybersecurity services from the state level down to county and local governments.
“Most states have had a hard time making these investments,” he said. “It's easier to do capital funding, in a lot of cases, when you have a good deal of funding to invest. It's harder when you get to that operational side.”