EDITOR’S NOTE: This is the first in a three-part series focused on information security and the public sector – more specifically, local government.
The critical infrastructure that local governments maintain and operate is enabled by and dependent upon information technology systems. These technologies support running water, electrical grids, and first responder telecommunications. They are of utmost importance.
If an incident disrupts one of the critical security systems within the public sector, the potential impact to the safety of the citizenry is on an order of magnitude that really matters. We're talking about the actual impact to people’s lives.
Given the importance of the technology systems, we need to keep our eyes on the trends in how they are managed. In Part 1 of this series, I call out the practices of yesterday that will disappear, and I take a first look at where those practices are going.
Change Is Coming for Local Government
“Local government” (LG) is defined here as cities, counties, school districts, public utilities, and maritime and air ports; generally, we consider these to be “special purpose districts”.
In my experience, large local governments are willing to be innovative and adopt new technology earlier than most. This takes advantage of new ways of doing things, like SaaS, cloud storage, and virtual private clouds. Largely, this early adoption is because large localities are sales targets for technology vendors. Small jurisdictions tend to be later adopters and do procurement as a group as much as possible.
There are a variety of changes on the near horizon that have the potential to drastically change what it means to provide IT to LG. These are the technology changes likely to ensue.
Going the Way of the Buffalo (not Extinct, but Rare): the Workstation, Phone, Network, and Data Center
In today’s local government office space, not much has changed. The typical stereotypes of working on an old version of Windows on a PC that is 5 years old are still true. Yes, they still use Outlook 2007, and yes, they will still call you from their business phone.
- Everyone Has a Computer on or under the Desk
This is standard issue. It uses power even when not being useful, is a portal for free access to a booby-trapped Internet, and is used mainly for messaging, entertainment, and creating spreadsheets, and media/presentation creation. In that order.
- Everyone Has a Phone on the Desk
While a significant fraction of the U.S. population has gone completely wireless, local governments insist on large, wired phones. As a bonus, VoIP usage invites denial of service attacks, putting critical communications at the mercy of an Internet built on 1970’s source code.
- Servers Are in the Same Building as Your Office
The data center may be no bigger than a 10’x12’ room. Making the wiring clear is always a challenge. Security patching for network infrastructure is hard to get done. You’re awash in logs. Organizational database and application servers run in your own data center, with varying levels of virtualization and hardware consolidation.
- The Network Is Generally Static
In terms of configuration (segmentation, addressing), the network doesn’t change that much. Occasionally an agency will need a new website or additional IP address space, but most changes are performed to solve performance problems or manage security settings (e.g., a firewall block list).
- Multiple IT Organizations May Be Supporting All That
In a reasonably-sized organization, IT support covers desktops, servers, and network support, and provides a help desk. In smaller organizations, the IT staff is 2-5 people or completely outsourced. Regardless, there are generally IT functions that are specific to certain agencies. They may be focused on application development and management, database operations, or other operational requirements that are not shared by other agencies. Reasons given for maintaining distributed IT functions are generally unspecific references to regulatory requirements. NERC, HIPAA, and CJIS – we’re looking at you.
We’ve Seen the Future of Local Government
Successful technologies that emerge from disruptive innovation have been embraced as ways to grow revenue in the private sector. Meanwhile, those same innovations create new incentives for the public sector to stay ahead of the curve in order to support their constituents’ technological advancements.
With shrinking budgets and increasing demands for emergency planning, smart investments in technological solutions that create operational efficiencies rise to the top of the list of capital investment priorities. These are also the driving forces that motivate local government to embrace new ways to provide critical services to the public without disruption.
- That PC Will Soon Be a Thin-Client/Phone/Video Conferencing Device
It will boot a cloud-hosted virtual desktop. It will have lots of available policy controls and be much more secure than the PC. It's also going to be less expensive, because people that manage those desktops in your organization will be redirected to areas closer to the core activities of your success. Unified communications will nullify the need for actual phones that are anything other than network devices.
- SaaS Applications Are in Everyday Use
While SaaS is a relatively new development, the unmanaged adoption of SaaS services is already a complex problem that needs to be solved. LGs use everything from Office 365 to payment and banking applications, not to mention cloud versions of all manner of tools for things like scheduling space in parks or management of neighborhood gardens. Additionally, employees engage in personal use of Internet “applications” that run into the thousands, even for a small organization, and represent new ways for malware to enter, and data to leave LG organizations. Some of these are formally contracted, many are not.
- The Application and Database Servers Are Moving to the Cloud
The toe in the SaaS water has emboldened many local governments to begin locating their failover and nonessential data operations to the cloud. We’re not there yet with criminal justice data or health records, but it won't be long before those transitions occur.
- More IoT Will Be Deployed for “Smart” Operations
Traffic management, building energy management, automated metering, micro-grids, gas & water leak detection, pervasive cameras (+/- facial recognition), street lighting, intelligent parking – these all require the implementation of devices that, while not “computers” per se, will require integration, administration, and ongoing security.
- IT Organizations Are Going to Be Consolidated
Out of necessity, this is already happening with larger jurisdictions. It’s become too expensive to duplicate efforts, and we now understand that the cloud is plenty secure. Regulatory requirements can now be met without the old pearl-clutching that used to delay procurement decisions.
These changes have implications for a variety of issues – not the least of which is security. In Part 2, I’ll talk about who will do what, and how information security management by local government will change as a result.