The State of Maine likely holds the personal records of the entire Maine citizenry of 1.3 million people, as well as some from our neighboring states and Canadian provinces. These records are spread across some 1,000 servers and roughly 2,000 applications. Many of these applications are open to the Internet, and increasingly, located in the cloud. The Maine state network extends across the state, all 35,000 square miles of it, covering more than 400 sites. And that network is accessed by 12,000+ knowledge workers on a daily basis, often from personal devices. This complexity presents a vast cybersecurity attack surface.
On an average workday, the state experiences 6 million probes on its firewall, 3,000 generic spam emails, 100 spear phishing emails, and 10 social engineering phone calls. Some 15 workstations get infected with malware. On average, six hours of productivity are lost per infected workstation, which must be either disinfected or rebuilt.
Nationwide, over the last five years, more than 20 states have suffered cybersecurity breaches, impacting more than 10 million demographic records, with remediation efforts costing more than $100 million. Therefore, a major cybersecurity event impacting the State of Maine is not a matter of if, just a matter of when. We are acutely conscious of the burden, and continually adjusting our strategy to leverage the scarce I.T. dollars to create the best possible cybersecurity.
Cybersecurity within the Executive Branch was disorganized prior to the current governor hiring a new chief information officer in 2012. The various components of cybersecurity, such as end-user devices, applications, physical infrastructure, and the perimeter, were each their own silo, with scant coordination amongst them. Vulnerability scans were sporadic. There were no published metrics. There was no end-user training. There was no unified cybersecurity policy.
Fast forward to the present, and the various components of cybersecurity are integrated under a unified vision. Vulnerability scans are routine. Metrics are published monthly. End-users receive annual training and are routinely subjected to phishing exercises. Suspicious payloads are blocked, both at the endpoints and at the perimeter. The network is continuously monitored, and device logs are correlated for trends and against preset alarms. There exists a unified cybersecurity policy.
The greatest difference came from an executive order issued by Governor LePage in July 2014. Executive Order #2014-0003 launched the Statewide Information Protection Workgroup, with the mandate to analyze threats, develop defenses, and report back to the governor and the members of his cabinet. It also mandated annual cybersecurity training of all executive branch employees. It formally codified the Cybersecurity Incident Response Team. Governor LePage also directed the Maine Office of Information Technology (OIT), the Maine Emergency Management Association, and the Maine National Guard to work with all state departments and stakeholders to make sure that Maine’s cybersecurity preparedness and disaster recovery capabilities adapt to emerging threats, and adopt best practices from the public and private sectors.
Currently, OIT has a 12-person integrated cybersecurity team. The Office follows a process called deployment certification, which ensures that any new application going live is secure by using industry-standard tests to expose known cybersecurity weaknesses in the code. All OIT-managed devices have aggressive anti-malware software in place. State email goes through aggressive spam filtration. OIT works with the Department of Homeland Security and commercial entities for third-party security audits.
We have witnessed a marked improvement in our phishing exercise hit rate as a result of our efforts to improve employee education and conduct regular testing. Phishing is the single most significant cyber-attack vector, and many infamous cyber breaches started with phishing. OIT began testing executive branch agencies in late 2014. At that time, the average hit rate was 23 percent. Since implementing this program, each executive branch agency has undergone phishing exercises at least once a year. Our testing of some agencies has been more aggressive than others, especially where those departments maintain personally identifiable information (PII).
If and when an employee identifies a phishing email, they are urged to report it back to OIT through a customized button in their email client. The same reporting workflow applies irrespective of whether it is an OIT phishing test or an actual phishing attempt by an external actor. The phishing hit rate across the executive branch has steadily declined. For the first time since we started this program, the executive branch of state government has achieved our target of a hit rate below 10 percent.
Through the Statewide Information Protection Working Group established by the Governor’s executive order, we have studied the overall cybersecurity threat landscape, reviewed industry best practices, and studied innovations in other states across the nation. We also nurture a strong cybersecurity partnership with local colleges and universities.
The University of Southern Maine Cybersecurity Cluster is becoming a solid resource for training cybersecurity personnel, conducting cybersecurity assessments, and conducting research and development. The Cluster has been acknowledged as a first-in-the-nation National Center of Academic Excellence in Information Assurance/Cybersecurity by the National Security Agency. The University of Maine System now offers a cybersecurity bachelor’s degree program. Thomas College also offers a Security & Cyber Defense program.
In order to better protect Maine residents, OIT modified the standard I.T. contracting rider that appears in our contracts to mandate cybersecurity insurance for cloud-based applications. The coverage is tiered, pegged to the number of PII records actually transacted as part of the contract.
The Office has also purchased a nominal commercial cyber liability insurance policy for its internal assets. The most important asset this policy provides is access and referral to an independent panel of specialists in legal, incident management, forensic, consultation, and credit monitoring services. During an event that triggers the policy, our underwriters will assign a data breach coach to provide immediate triage, consultative, and pre-litigation services.
In a constantly evolving world of technology, no cybersecurity posture is ever perfect. However, the policy and approach the State of Maine has adopted over the last six years have been more proactive than ever before. Beyond the technical details, OIT has also improved customer communication and involvement to engage our stakeholders in our shared vision for a secure Maine. It has been an invigorating journey, but there is absolutely no room for complacency. Just one person falling victim to a spear phishing campaign can unravel years of hard work.