Prioritizing cybersecurity standards and innovation, improving communication and encouraging the next generation of “cyber defenders” were among recommendations offered to lawmakers at a House Majority Policy Committee hearing at the state Capitol on Monday.
The hearing was led by Rep. Martin Causer (R-Cameron/McKean/Potter), chairman of the House Majority Policy Committee, and Rep. Valerie Gaydos (R-Allegheny), Republican chair of the House Cybersecurity Caucus.
“We’ve seen too many examples of security issues within our state agencies that have put our citizens’ personal information at risk,” Causer said. “With cyber threats on the rise, we need to advance policies that will support improved security and encourage the next generation of cybersecurity professionals.”
“When lawmakers look at issues like cybersecurity, there are generally three ways to address them: legislation, regulation and communication,” Gaydos said. “While we need to look at potential legislative and regulatory tools, it is clear from the testimony offered today that improved communication among government entities is vital to help minimize threats and protect the data entrusted to us by our citizens.”
Government organizations generally are lagging behind in security when compared to large businesses and industries, according to John Alwine, region director for Unisys Public Sector. He cited recent reports indicating public sector organizations were involved in one in five cyber incidents, and nearly half of those public sector data breaches were not discovered until years later. He cited another report that indicates at least a half dozen state governments had their computer systems compromised between May 2021 and February 2022.
“The public sector has been too slow to realize the significant threat to their own critical systems and information,” he said. “Whether it be protecting personally identifiable information such as tax records, unemployment claims or Social Security numbers, or the systems that allow the Commonwealth to administer licenses, distribute unemployment checks or collect tax receipts, for too long government has utilized outdated approaches to secure their most important assets.”
The issue has been exacerbated by the pandemic, according to Dr. Kimberlee Ann Brannock, senior security advisor, and Michael Howard, chief security advisor and head of security and analytics practice, at Hewlett Packard. They specifically cited the quick pivot to working from home and the pressure on information technology professionals to forgo best practices in security to facilitate that transition.
Zackery Mahon, area manager of cybersecurity for Motorola Solutions, focused his testimony on cybersecurity threats to Public Safety Answering Points (PSAPs) and Land Mobile Radio (LMR) used by state and local governments for law enforcement and other emergency response operations. With increased threats to these vital services, he encouraged the committee to establish a baseline set of requirements for cybersecurity in these systems, and to better share threat information across state agencies and public safety environments to limit impact.
Several testifiers also highlighted the need to train people to work in the cybersecurity field.
Michael Mattmiller, senior director of State Government Affairs for Microsoft, outlined the importance of building the cybersecurity talent pipeline, noting fewer than 3% of students are specializing in cybersecurity while there are nearly 500,000 job openings in the field that pay an average of more than $100,000 per year. The company is targeting community colleges across the country to help by offering curriculum free of charge, providing training for faculty and providing scholarships and support services to an estimated 25,000 students.
“Making technical improvements is critical, but alone is not sufficient to stop the threats facing our state and country,” Mattmiller said. “Governments, like private companies, struggle to recruit and retain qualified cybersecurity professionals. We need to solve the cyber talent pipeline.”
Peter Romness, cybersecurity principal, U.S. Public Sector CTO Office for Cisco, agreed. He pointed to the overwhelming and tedious nature of cybersecurity work and the need to better integrate and automate to help improve efficiency and make the job more rewarding for those working in the field.
Omar Khawaja, vice president and chief information security officer at Highmark Health, agreed with the priorities outlined by prior testifiers but also stressed the importance of measuring the effectiveness of security systems in place and ensuring that those systems are being used properly. The answer is not always to add more tools; it is to make use of those already in place.
Written testimony and video of the hearing will be available online at www.PAGOPPolicy.com.
Representative Martin T. Causer
Pennsylvania House of Representatives
Media Contact: Patricia A. Hippler