COVID-19-themed cyberattacks are on the rise due to an exponential increase in telework and an opportunity to exploit fear during the pandemic. Ford School alum John Guerriero (MPP ’17) and his team at the National Governors Association Center for Best Practices (NGA Center) are guiding governors across the country on how to maintain cybersecurity in their states. As part of the National Governors Association (NGA) COVID-19 response, Guerriero provides technical assistance to governors, outlining COVID-19-related cybersecurity risks and recommended strategies for mitigating them.
According to a report he co-authored on the issue, “a successful cyberattack on state networks or critical infrastructure, especially healthcare facilities, would cripple [states’] ability to respond to and recover from COVID-19.” Guerriero offers recommendations to state governments on proper preventative measures, including a push to invest in cybersecurity technology and adding “security-by-design standards into any new IT project and public-facing websites.”
Ransomware attacks have dramatically increased, particularly preying on healthcare organizations during COVID-19 because they “may be more likely to pay ransoms given the urgency to keep critical systems and services operational.” In response, Guerriero urges state governments to support healthcare organizations during this time. Although many are non-governmental, governors can encourage them to explore federal resources and share cyber threat information with government, private sector, and other critical infrastructure entities.
“Cybersecurity, as critical as it is, tends to be an underfunded part of state IT budgets,” says Guerriero. “It’s a major component of states’ ability to respond and recover from this pandemic. State and local governments provide critical services and store large amounts of constituent data and, therefore, present ripe targets to malicious cyber actors.”
Governors have been responding positively to Guerriero and his team’s push to invest in proper cybersecurity measures. NGA’s Center now holds multiple calls each week with governors’ advisors on a variety of policy topics, including several on cybersecurity and critical infrastructure security. “Governors have been leaning on the expertise and resources that NGA is able to provide,” says Guerriero. “Effective state cybersecurity requires a whole-of-government approach, bringing all the resources the state has to bear, including IT, emergency management, Homeland Security, and sometimes, the National Guard.”
Guerriero also recommends that governors leverage their platform to raise awareness among the general public of cybersecurity best practices at home. “Threat actors have exploited the public’s fear and uncertainty around the pandemic, using COVID-themed lures to deploy malware, steal user data and credentials, or launch disinformation campaigns,” he says. Guerriero recommends issuing public guidance and advisories, especially for those working from home. “Cybersecurity isn’t an IT problem anymore, it affects every aspect of state and local government and requires a similarly comprehensive approach for prevention and response.”
John Guerriero serves as a cybersecurity policy analyst on the Homeland Security & Public Safety (HSPS) team in the NGA Center for Best Practices, where he supports governors’ staff and state policymakers on issues related to cybersecurity, including governance, workforce development, and election security. Prior to joining the HSPS team, John focused on workforce development as a part of NGA’s Economic Opportunity team. John holds a master’s degree in public policy and a bachelor’s in political science from the University of Michigan.