States, cities, and localities are struggling to stay ahead of devastating cyberattacks, but some under-resourced organizations are buckling under pressure. Recent cuts to federal initiatives and policy changes mean they can’t expect help from that quarter, paving the way for independent organizations and initiatives to fill the ever-widening void.
The Cybersecurity and Infrastructure Security Agency (CISA) has seen its budget slashed and its workforce dramatically downsized over the past two years. The US government has also pulled back help for the Multi-State Information Sharing and Analysis Center, a public-private information-sharing initiative for people, businesses, and governments at the state, local, and tribal levels. And the White House’s Cyber Strategy for America encourages organizations to adopt a more offensive approach as part of their defense strategies, something that may be difficult, if not out of reach, for smaller-scale organizations lacking dedicated IT and cybersecurity teams.
The University of California Berkeley’s Center for Long-Term Cybersecurity (CLTC) aims to fill this growing gap by providing tools and services for low-resource organizations, such as nonprofits, municipalities, and schools.
“The feds have pulled back so hard on funding and support,” says Sarah Powazek, CLTC program director of public interest cybersecurity. “It’s sort of everyone for themselves at the local level.”
‘Out of Reach For Smaller Organizations’
CLTC sees the problems and provides several initiatives to help resource-strapped entities solve them. More importantly, the research and collaboration hub understands these groups have limitations. They need services — human-to-human, hands-on help — before they need toolkits, checklists, and software.
“[We’re] in a state where there are a lot of tools for free, but very few people have free services,” Powazek tells Dark Reading.
On the research side, CLTC offers Cybersecurity for Cities and Nonprofits (CyberCAN), where nonprofits can partner with cities, counties, and state governments to conduct surveys in their regions and then share the findings. For example, research could highlight the number of attacks or the security health of nonprofits.
Coalition building, which includes cybersecurity clinics, is more hands-on. The clinics operate as a dual workforce training/cybersecurity defense program. Students, including undergraduates, learn to perform basic vulnerability or risk assessments for local organizations, while nonprofits, schools, cities, and small businesses receive similar help that they’d get from a professional service. One important note: It’s free.
“I used to work for CrowdStrike, and those engagements are very expensive and pretty much out of reach for smaller organizations,” she says. “But they’re the ones who need hands-on support and education the most.”
More Attacks, Less Support
Schools, local governments, and nonprofits are dealing with cyberattacks and scams of all kinds. For example, a phony invoice is enough to get nonprofits — operating with small budgets and margins — to hand over a large chunk of money, according to Powazek. Nonprofits have to prioritize funding support operations and delivering services, which leaves little for cybersecurity. Losing $10,000 to $20,000 in this kind of scam could be enough to put them out of business, she warns.
“The risk is higher [for these nonprofits] even though the types of threats they face are similar to enterprise organizations,” she says. “Maybe not as many nation-state attacks, but commercial attacks hit them hard enough.”
While ransomware is a huge disruptor for K-12 schools, CLTC is also seeing a growing number of supply chain attacks against K-12 vendors. CLTC convened a group of education technology vendors to discuss security next steps shortly after cyberattackers exploited vulnerabilities in the widely used MOVEit file transfer application. The attacks resulted in one of the largest data breaches affecting K-12 schools, exposing students’ personal and health information — an attacker’s treasure trove.
“The education technology industry is behind the times with cybersecurity,” Powazek says. “They have few bug bounty programs or vulnerability disclosure programs.”
Every school uses Microsoft and Google — and fewer than 10 vendors account for 80% of the ed-tech market, according to Powazek. Applying the right amount of pressure on vendors to implement secure-by-design initiatives and turn on multifactor authentication by default “could have a cascading effect on the K-12 industry,” she says.
Powazek also points to CLTC’s state-run volunteering initiative. Its goal is to act as a bridge. Cyber reserve teams will deploy state volunteers to help recover from a city ransomware incident, for example.
States and localities are trying to build up the people and infrastructure to start taking care of these incidents by themselves, knowing that the feds are pulling back even more, she adds.
“It was an issue even before CISA had this exodus, but it didn’t extend the last mile,” Powazek says. “It didn’t penetrate to communities themselves.”
Community security is national security, emphasizes Powazek, and that’s what she’d like her work at CLTC to highlight. Take less-resourced organizations and large enterprises together, and “it’s a large attack surface for the US,” she says. Tackling security for the former will only benefit the larger picture.
“Understand it as a community center issue — homeless services, legal aids, food banks — all those types of organizations that really don’t have IT staff but are integral to the community,” she says.