Americans are going to the polls Nov. 6 knowing that their votes will count. Health care, immigration and taxes will all be high priorities. Yet in a world where bad actors can use computers to target election equipment to change votes and where states are suffering millions of dollars in losses to hackers every year, voters should be demanding that their newly elected officials prioritize cybersecurity.
Ohio knows firsthand the dangers posed by cyberattacks. In 2016, hackers attacked Ohio’s election systems. The election system was not compromised — a Department of Homeland Security contractor detected the attack almost immediately — but Ohio was one of 21 states that found itself the victim of an election system hacking attempt that year.
As technology becomes increasingly prevalent and hackers become more sophisticated, state governments should expect these types of attacks to become commonplace — and should not assume that the federal government will always be available to come to their aid. Moreover, election systems are not the only targets that state government officials should worry about; both state and local governments are suffering attacks that lock employees out of their computer systems. Criminals are stealing data and posting citizens’ personal information online. Some are even conducting ransomware attacks — locking users out of systems and then demanding payments to return access to systems.
The city of Atlanta suffered one of these ransomware attacks in March 2018, with hackers demanding more than $50,000 in payment. Atlanta refused to pay the criminals, but taxpayers ended up being on the hook for as much as $17 million to replace technology and incorporate cybersecurity updates after the attack.
Unfortunately, dozens of states still have yet to fully address cyber threats. According to a 2017 report by CISCO, “Nearly 40 percent of the public sector organizations report that of the thousands of alerts they see daily, only 65 percent are investigated.” And a 2015 survey found that 71 percent of respondents from state and local governments said that cybersecurity practices were not clearly defined.
State governments are not helpless against these hackers. They can, and should, do more. In fact, taxpayers should demand it.
Many states — including Ohio — are pre-emptively preparing cyber defenses in new and creative ways. Just last year, Gov. John Kasich ordered the Ohio National Guard to create the Ohio Cyber Collaboration Committee, or “OC3” for short.
Bringing together more than 30 public, private, military and educational organizations and individuals, OC3 establishes “volunteer cyber incident response teams” that could respond to cyber threats. Most recently, OC3 created a “cyber range” — a virtual training ground where local experts can test new and existing cybersecurity infrastructure and software.
Kasich is not the only governor recently spurred to action by the threat of cyber-attacks. In 2013, Gov. Rick Synder of Michigan created the Michigan Cyber Civilian Corps (MiC3). Like Kasich’s OC3, MiC3 comprises cybersecurity experts from a variety of technical backgrounds to aid Michigan’s government during cyber-induced crises. The first state to create this type of public-private partnership to combat cyber-attacks, Michigan’s MiC3 currently consists of around 50 volunteers from a range of diverse backgrounds, including government, academia, business, finance and health care fields.
Arizona is similarly trying to bolster its defenses against a range of cyber threats. Just this year, Gov. Doug Ducey signed an executive order to form the Arizona Cybersecurity Team, which establishes a partnership between the state government and private-sector actors dedicated to bolstering Arizona’s ability to prevent and respond to cyberattacks. The team also advises the government on the best places to put taxpayer money in order to increase cybersecurity in the state.
State governments should expect to see an increasing number of cyberattacks in the future. The good news, however, is that it is possible to be proactive in facing these threats. Public-private partnerships like OC3, MiC3 and the Arizona Cybersecurity Team are one way for states to pre-emptively prepare for hacking attempts and to ward against shortages of skilled information technology staff.
State governments wishing to protect themselves and their citizens would do well to follow the examples of Govs. Kasich, Synder and Ducey.