In 2021, cybersecurity got more serious. Already a growing threat, ransomware exploded, with attacks becoming more frequent and costly. The volume of ransomware attacks against US targets rose 185% year over year in the first half of 2021, according to Internet security solutions provider SonicWall. Criminals also leaned hard on double extortion and turned their efforts against organisations like food supplier JBS and Colonial Pipeline, where system interruptions wouldn't just harm the victim and their clients, but also a broad swath of society.
Federal response got more serious, too, homing in on defending critical infrastructure, and states haven't sat on the sidelines, either. Several moved to ban ransom payments and direct more resources toward defending against the threats, although researchers say fully tackling the problem requires national and international coordination.
Nation-state-driven cyber espionage by Russia and China also loomed heavy in public consciousness, particularly the SolarWinds incident, attributed to Russia. That saw a compromised security patch spread malware to clients, including government agencies, and woke up the US to the need for software supply chain security. Calls for reviewing software development environments and creating a software bill of materials became more pressing.
The White House has sought to infuse fresh energy into fighting cyber crime, appointing its first-ever national cyber director and channeling new funding to state and local governments. Biden's May executive order announced plans for holding federal agencies to higher cyber hygiene standards, and the administration signalled interest in putting more pressure on private firms to support a better national cyber posture as well.
The federal government also turned attention to states and localities, where efforts to modernise legacy systems and upgrade defences are often held back by shortages of money, people and guidance on how to invest most impactfully. The Cybersecurity and Infrastructure Security Agency (CISA) has been working to become a go-to resource, however, and could gain more powers and programs next year under the National Defence Authorisation Act (NDAA) for Fiscal Year 2022, which has not yet passed at the time of writing. Federal efforts like these are also unleashing more dollars, but states and municipalities will need sustained funding.
Nationwide demand for cybersecurity professionals outstrips supply, and governments struggle to lure recruits able to net more lucrative salaries in the private sector. Experts increasingly call for expanding talent pipelines by taking a more flexible approach, including considering applicants who have non-traditional experience or who are permanently remote, and creating alternative job and training pathways such as apprenticeships. They also recommend engaging more K-12 students in cybersecurity and ensuring that recruitment efforts go beyond the usual sources to reach underrepresented groups like people of colour and women. Some agencies are additionally turning to outsourcing and automation to supplement limited workforces.
Even so, agencies cannot just hire their way into safety. They also need to continually train and retrain existing staff about best practices for staying safe and properly implementing technologies. Artificial intelligence tools are helping scan for vulnerabilities and suspicious activity, but cyber criminals will always find plenty of traction in tricking humans. Phishing is the jumping-off point for many successful scams and ransomware attacks, with one email fraud incident costing a New Hampshire town US$2.3mil (RM9.7mil). Agencies, therefore, must keep employees' cyber awareness fresh.
Not all cyber risks come from deliberate, malicious action, either. Staff members' technological mistakes can also be devastating, with failures to adhere to the correct procedures resulting in the Dallas Police Department permanently deleting troves of case materials and Wyoming leaking residents' health data, to name just two 2021 examples.
The pandemic made digital services essential to governing, with many residents and state personnel working in remote or hybrid environments and not everyone planning to go back to the old ways. This shift means agencies must be able to provide digital services without interruption and securely handle residents' data. This hasn't been easy, and 58,000 unemployment applicants in Florida saw their personal data exposed in a breach.
Agencies are becoming more attuned to the need to safeguard residents' privacy, whether through security measures intended to thwart data breaches or by simply avoiding ever collecting or retaining information beyond what's strictly necessary. States continued to add chief privacy officer posts in 2021, underscoring the growing attention put on such concerns.
Election cybersecurity and misinformation will be top of mind in 2022. Election officials sharpened skills in 2020 and shared information more closely with federal partners as they monitored and responded to potential cyber threats and physical attacks. But lingering fights over that election warn of the work ahead next year.
State and local governments are still grappling with unfounded allegations of 2020 voting fraud, with Maricopa County, Ariz.'s widely panned Cyber Ninjas election audit only concluding in September, and Wisconsin and Pennsylvania looking to launch their own.
Meanwhile, mis- and disinformation aimed at undermining trust and misleading voters spurred the Jan 6 insurrection and death threats against election workers. Advocates in 2021 have increasingly drawn attention to how social media platforms amplify falsehoods, and combatting false information as well as curbing other social media harms will remain a major concern of policymakers. – Government Technology/Tribune News Service