Date: 2020-05-13

Why is there a government? The most staunch Live-free-or-die and Don’t-tread-on-me types actually ask that question earnestly. Otherwise, it’s a rhetorical question that, if needed, only warrants big-picture answers. We need government to maintain the rule of law and provide critical public services. That one-two punch is not culled from a formal research project, or digested from thousands of pages of literature on governance. Rather, it’s just the pair that rushes to mind, colored by the pandemic’s overtones. Government is important, in my opinion, though to a limited degree. Within those limitations lie security of person and possession. Again, zealous pooh-poohers of “big government” take on security independently as they see every facet of society, or lack thereof, so I’ll excuse them from our discussion.
Here, assuming you’re still with me, I want to explain from a mile high some of the various things that the government, to wit, the Commonwealth of Kentucky, does to help secure your personal information and to therefore help maintain privacy of your data. You only need to open one newspaper or magazine page, or click into one news link online at any given moment to quickly begin tallying numerous cybersecurity incidents that affect information security and privacy. Every day in every jurisdiction there is a tragedy—health and safety, financial, or legal—on the highways. Thus, every state has its rules of the road and criminal codes to keep that in check as best it can. Likewise, Kentucky has many rules of the information superhighway, and laws and regulations about cybersecurity on the books. Enforcement? Well, that may have to wait until another day.
I wondered where to start. The governor’s office? That’s as big as Kentucky’s governance gets, literally I suppose. But cybersecurity can be but one of many, many points of focus for Gov. Beshear. The “thin gray line” of KSP? Seems like that agency of the people of Kentucky, charged with safeguarding lives and property, would be apt. But then, there’s this interesting agency known as the Kentucky Office of Homeland Security that carries out missions directed by two complementary governmental forces: the U.S. Department of Homeland Security as well as Kentucky’s General Assembly. Now, there’s a component within the awesome system that is American governance, eh? A federal-state combo with “security” as half of its Homeland Security name. It must include some cybersecurity solutions for the people.
In fact, the KOHS does indeed home in on cyber issues as explained in its 2019 Annual Report. Going back to 2013, Kentucky codified KOHS’s Kentucky Intelligence Fusion Center as “the strategic center of gravity for information related to criminal and/or terrorist activity” in the Commonwealth. One of KIFC’s six areas of focus is cybersecurity (sometimes, as in KIFC’s case, separated into “cyber security”). Part of KOHS’s function, common to many state-level offices, is to fund local agencies. Its State Homeland Security Grant program attracts nearly universal interest among Kentucky’s local governments. By the 2019 closing date for applications, 162 cities, counties, and special tax or school districts sought over $10 million for first responder, critical infrastructure, communications or cybersecurity equipment. Laurel County Fiscal Court earned a $45,000 infrastructure grant, and Clay County’s Board of Education got a similar amount for physical security. Otherwise, our area’s governmental agencies were unable to take advantage last year, with Knox County never applying in the first instance.
Frankfort doesn’t merely fund cybersecurity solutions. The state government itself has many programs and initiatives that defend against cybercrime, or which otherwise mitigate the risks inherent to the digital age of information security. Within the Public Protection Cabinet there sits the Financial Cybercrime Task Force of Kentucky. Its raison d'être is “to identify and address emerging threats in cybercrime and security and to protect the integrity of the Kentucky financial system.” While it’s a noble effort by the Commonwealth, one striking limitation is that as of this writing, its website touts as a “New Resource” the fact that in 2015 it published and distributed to banking officials across Kentucky “Cybersecurity 101: A Resource Guide for Bank Executives.” Likewise, it publishes its “Advisories” although the most recent notice was in November 2015. Much has happened in financial cybercrimes since. May I present to the Task Force the animal known as ransomware, for example?
Then, we have the Commonwealth Office of Technology, which is like the state government’s IT department. Its mission is to “support agency partners in the fulfillment of their core mission by providing technology leadership, services, and solutions in a secure, transparent, and fiscally responsible manner.” The COT includes an Office of the Chief Information Security Officer, which in my business is pronounced as the office of the “sciss-oh.” A company’s (or government’s) CISO is the top dog in information security, and in the healthiest of organizations they’re separate from the Chief Information Technology Officer, or CIO. Kentucky’s CISO is one David J. Carter, who within the COT oversees its compliance and forensics branches among other departments. One seemingly helpful area of COT could be its “Alerts” program that shares COT’s Security Administration Branch intelligence with the various administrative bodies of state governance, and you too if you want to subscribe to its security alerts. Don’t worry though if you’re afraid that you’ll be inundated with monthly, or weekly, or daily emails about internet security risks. So far this year there was but one. In January COT alerted about a Microsoft vulnerability (one of many that Microsoft published). In 2019 there were three altogether.
This short piece can’t comprehensively discuss what Kentucky’s government is doing to protect information security and privacy. With a quick look, I see that the structure is in place, but the activity within seems sparse. That’s a “win” for those who despise government. For others … it’s an opportunity in this cybersecurity fella’s view.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.
