The current cybersecurity landscape facing state and local government agencies is both busy and complicated. State and local governments find themselves trying to secure the networks, systems, and applications that they rely on for their operations against a seemingly endless army of cyberthieves and malicious actors. And they’re doing so with few resources at a time when digital transformation and cloud initiatives are making their networks both more essential and more complex than ever before.
Someone that is intimately familiar with the cyber struggles of state governments is Deborah Blyth, the former CISO of the State of Colorado that recently left that post for a position at the cybersecurity firm, CrowdStrike. During her seven-year tenure as the leading security expert for the nation’s eighth-largest state, she battled to increase Colorado’s investment in cybersecurity, while also facing a massive ransomware attack, head-on.
We sat down with Blyth to talk about her tenure as Colorado’s CISO, the challenges she faced in the job, the lessons she learned along the way, and why she’s excited for this next chapter in her career.
GovCyberHub (GCH): You spent almost a decade working as the CISO of the State of Colorado. What was the threat landscape like for a state like Colorado? What threats were you facing?
Deborah Blyth: As CISO of the state of Colorado, my security operations team saw 8.4 million security events each day. It was a huge volume of information that, initially, the team struggled to determine what was important verses could be safely ignored.
Eventually, we were able to resolve this issue and get much more clarity on what security events required further investigation.
Malware of all types was the primary threat, and the vast majority of it came through phishing and specially targeted emails. We also exacerbated some of our own security threats internally, as we were rapidly embracing new technologies while still running legacy technologies.
GCH: How did the threat landscape change or evolve from 2014 – when you took the job – to today? Have the types of threats changed? Have attacks become more frequent or more sophisticated in that time?
Deborah Blyth: Over the past several years, I noticed a significant uptick in phishing, and ransomware. These have definitely increased in sophistication to try to fool users and bypass traditional security tools.
Additionally, the Sunburst (SolarWinds) attack was one of the most sophisticated non-malware attacks that I’ve seen. The Sunburst attack reinforced the message that more focus is needed to ensure our identities and privileged accounts are well monitored and better protected. This attack brought to the forefront that concepts like Zero Trust architecture are extremely important for organizations and agencies to embrace.
GCH: During your tenure as CISO, the Colorado Department of Transportation was hit with a massive ransomware attack. Can you tell our readers a bit about that attack – how it was perpetrated, who was responsible, and what the state had to do to recover?
Deborah Blyth: In 2018, the Colorado Department of Transportation (CDOT) was hit by a SamSam ransomware attack, taking CDOT’s business operations offline for a month. It encrypted almost 2000 systems, forcing CDOT to resort to manual workarounds to continue to pay employees, contractors, and vendors.
An After Action Report was published a few months later in which it was acknowledged that the attack came through a misconfigured virtual server. This virtual server was a temporary test server created in public cloud infrastructure. Within 48 hours of the server being created, it had been compromised and became the attack vector that was used to push the SamSam ransomware attack throughout CDOT’s business operations.
We ended up reaching out to Colorado’s Office of Emergency Management to assist with the response. They brought in the Colorado National Guard to help create a battle plan to evict the attackers, eradicate the malware, and rebuild the environment. At one point, we had more than 120 people onsite at CDOT’s headquarters assisting with the response!
One partner onsite was the FBI. We turned over every piece of evidence we obtained to the FBI who was busy attempting to make attribution. We were very relieved when only 9 months later the Department of Justice issued an indictment for two Iranian nationals who were responsible for all SamSam ransomware attacks.
GCH: Today, CO is spending about 5 percent of its IT budget on cybersecurity. However, some states spend far less. In your opinion, is CO as invested as it should be in cybersecurity? What would it take for other states to increase their investment?
Deborah Blyth: Colorado is very fortunate to have a larger cybersecurity budget than many other states. This is due to having knowledgeable leadership in place at all levels – the legislature, the governor, the CIO, and agency leadership are well aware that it needs to be an important area of investment, and they’ve been very supportive of our program.
According to a bi-annual survey published by Deloitte and the National Association of State CIOs (NASCIO), most states are spending between 1 percent and 3 percent of their IT budget on cybersecurity. I hope most would agree that 5 percent of the IT budget is absolutely not enough investment in cybersecurity.
One of the things I’m most proud about during my time as state CISO was increasing the visibility and priority of investments in security infrastructure. We integrated a standardized framework to benchmark our cybersecurity maturity (CIS Controls), uncovering where gaps existed, and demonstrating success along the way. Most years, I was able to justify some base-building budgetary increases to help us to continue to mature our cybersecurity strategy.
With the level of support for the cybersecurity program in Colorado, I am confident that the budget will continue to grow beyond 5 percent of the IT budget.
GCH: In your time as the CISO of CO, what would you say was the single largest challenge that you faced? How did you overcome it, and what lessons or best practices did you identify that you can share with other state’s CISOs?
Deborah Blyth: The SamSam ransomware attack of 2018 was the largest challenge that I faced. We overcame it by having an amazingly talented and dedicated team, great partnerships, a well-rehearsed incident response plan, and a good security program already in place.
One of the lessons learned was that we were executing too slowly on security projects. We had the right tools and technology onsite already, that would have protected us and prevented the attack, however, we were rolling it out too slowly! Once the attack occurred, we threw out the project plan and implemented improved security technology across the state to protect every agency.
I learned that I needed to be much more aggressive about the implementation timeframe. And for many projects, I needed to request dedicated resources to help implement security projects, so that they didn’t get slowed down in competing for the same resources as all of the other IT projects.
A few things that went well can also be lessons learned. We demonstrated the value of having good network segmentation in place, which kept the ransomware contained within CDOTs business operations and did not impact Traffic Operations or any other state agency. Having good backups in place meant that we didn’t have to entertain the idea of paying the ransom – we knew that we’d be able to restore all of CDOTs production data, which was indeed the case.
And, having practiced our incident response plans twice a year with our incident response partners, the Colorado National Guard, meant that when it came time to respond to an actual incident, we had already established relationships and worked well together.
GCH: Earlier this month, it was announced that you had left your position with the State of CO to work with CrowdStrike. What will your role and responsibilities be with CrowdStrike?
Deborah Blyth: As much as I truly loved my role as CISO of the state of Colorado, I’m super excited to be joining CrowdStrike since CrowdStrike was among my most valuable and strategic partnerships and Falcon was my favorite product during my time with the state!
I will be an Executive Strategist within the public sector internal business unit. This means I’ll be meeting with public sector executives as a way to learn what matters to them so that I can advocate internally to ensure that their challenges are being addressed in the products and solutions that CrowdStrike creates.
GCH: What drew you to this opportunity with CrowdStrike? What about the company and the position made it worth leaving the CISO job for?
Deborah Blyth: One of the things I loved best about my role as state CISO was the opportunity to meet with and talk with so many of my peers across the nation, and to brainstorm solutions together to the problems that we were all facing. In this position at CrowdStrike, that will essentially be my job!
Rather than using the lessons I’ve learned and the challenges I’ve faced to just help a single state, I can now share my experiences to help all state and local governments, and I can advocate for them, to ensure their voices and experiences are represented at CrowdStrike.
Additionally, over the years of doing business with CrowdStrike, I’ve had the opportunity to meet so many CrowdStrike employees and to experience their culture. When we were experiencing the ransomware incident, CrowdStrike was such a phenomenal partner – they sent a team of people, experts on the tools as well as in forensics and incident response, and leadership, who all showed up to make sure I was well supported. I even had a phone call from the CEO who assured me that I would get through it and that his team would help.
CrowdStrike has a culture of caring, they really care about their customers and I knew it was a place where we would be very aligned in our values.
GCH: Moving forward, what trends and challenges do you anticipate CISOs facing in the coming years? How will challenges – like the increasing number and sophistication of ransomware attacks – and trends – like the movement towards Zero Trust – impact their jobs and priorities in the future?
Deborah Blyth: CISOs have so much on their plates currently. They are trying to secure everything from legacy technologies to emerging technologies, and data both on-premise and in the cloud.
As agencies increase their adoption of cloud technologies, the IT organization and security team aren’t always engaged in those decisions and implementations. This means that CISOs are having to discover what is being or has been adopted and then quickly come up to speed on how to secure it, post-implementation. This puts agencies at risk, which may mean that CISOs are left responding to breaches on systems they didn’t even know existed.
Ransomware is predicted to continue to escalate as is the use of stolen and privileged credentials, which means that CISOs need to continue to move towards zero trust in order to protect their agencies.
CISOs are responsible for protecting everything that currently exists (whether they are aware of it or not) as well as protecting everything that is being thought of right now. It’s a huge challenge and it means that, in order to get in front of it, CISOs need to be looking at frameworks, standards, platforms, and automation to ensure that everything coming online is secure.
This article originally appeared on GovCyberHub on September 28, 2021.