I had the unique opportunity last week to participate in a daylong policy discussion titled “A Symposium on Cybersecurity and Privacy: What the Public Sector Can Learn from the Private Sector” hosted by the Texas Tribune. The Texas Tribune is the only member-supported, digital-first, nonpartisan media organization that informs Texans — and engages with them — about public policy, politics, government, and statewide issues. The backdrop for the symposium was the University of Texas at San Antonio, San Antonio’s largest public university and home to one of the largest collections of undergraduate and graduate programs addressing cybersecurity.
Encouraged by Dr. Romo’s right-hand man at UTSA, Albert Carrisalez, Texas Tribune CEO and Editor-in-Chief Evan Smith decided to host the Tribune’s first event on the policy aspects of cybersecurity and to answer the question: is our state prepared for a cyber attack? Evan reached out to me in early November to get input from someone in the trenches. A wildly talented moderator and interviewer, Evan wanted some panel ideas to provoke discussion and provide key insights into the cybersecurity policy world for participants and audience members alike.
Given my role as Chairman of Cybersecurity San Antonio, I jumped at the idea to help. I very much wanted the Tribune’s first event on cybersecurity to be in San Antonio, given our city’s critical mass of DoD and corporate cybersecurity assets and UTSA’s decades-long leadership within the UT System on the topic. I provided Evan some ideas for panel discussions on federal, local, and privacy matters. I also suggested the symposium include a panel made up of commercial security experts who might be able to characterize some of the bleeding-edge security challenges they encounter.
The symposium itself shaped up nicely, including panels on the following topics:
- Privacy, the Cloud, and State Government
- How Cybersecure Are Our Cities?
- The Medical Privacy Paradox
- The End of Secrets (a panel on privacy)
- What the Public Sector Can Learn from the Private Sector
The complete agenda can be found here.
There were some interesting takeaways from the symposium, including a few highlights below:
- State agency leaders are not required to sign off on cybersecurity risk in the form of annual audits, unlike their peers at the federal level or most corporate CEOs. This is an area for potential legislation during the next session of the Texas Legislature in 2017.
- State agencies still focus on training, awareness, and leadership buy-in. Most commercial companies have already folded these areas into their baseline activities and are now focused on speeding up the tempo of their security response.
- Leadership buy-in at the state and local level seems to be lagging behind that of the private sector, where the threats are perhaps more pronounced. Several public sector CIOs and CISOs at the symposium lamented this.
- Secrets have become harder to protect (in the privacy context). Technology has made the back-and-forth between those protecting private information and sophisticated attackers more problematic.
The panel I was on wrapped up the symposium and focused on what the State of Texas, as well as other governments, could learn from the commercial sector. The assumption was that many commercial organizations are on the leading edge of cybersecurity practice, given the constant attacks they endure and the sophistication of the attackers. We were lucky to get Vic Diaz from USAA and Paul Williams from Rackspace to represent the private sector. Perhaps not so unusual, given that the three of us are in San Antonio and in the security business, all three of us came from the Air Force (as Evan highlighted in the introductions).
Evan jumped right into eliciting responses from the three of us. Some of the key takeaways of our panel were:
- Threats arrayed against commercial entities are sophisticated, opportunistic, motivated by money, and highly, highly organized. The “bad guys” are so organized that they even run online help desks.
- Public sector security players might be behind their commercial brethren in the threat intelligence realm. Understanding the threat and the potential attackers is likely tougher for state and local security players. For example, the attackers who broke into OPM in all likelihood had a very focused goal.
- Commercial players might have more flexibility in responding to certain types of cybersecurity attacks. Public sector security organizations inherit more legacy technologies and processes, which make it harder to adapt quickly.
- Technologies like multi-factor authentication have eclipsed simple username/password logins for system access. OPM, apparently, relied on usernames and passwords alone.
- There’s no such thing as 100% security! Accepting this is the first step towards managing ambiguous threats in a rapidly changing security world.
Watch the panel discussion here.
All in all, the symposium brought public focus at the state level to the important aspects of cybersecurity. Although there’s much chatter at the federal level, there’s been far less dialogue about such matters at the state level. The Texas Tribune did a great job pulling cybersecurity into the center of policy discussions during its first event on the topic. Whether or not the participants sufficiently answered the question (“What the Public Sector Can Learn from the Private Sector”) remains to be seen, but elected and appointed officials in Austin will likely take more notice. In that regard, the Tribune’s event was a success.
In addition, Lynn Brezosky from the San Antonio Express-News wrote a great recap.