We have an IT steering committee, which consists of our county executive, the management and budget folks, of course our chief of IT and some of the other county exec deputies that he has that deal with the other businesses. I give them a monthly briefing. They get to see the number of attacks. We brief on everything from external attacks to the Internet use of our employees so they see what’s going on and if there are any trends. I can pretty much graph that out for them at their level so they see. And then, based on business needs as well, if we have a business that is going to have data that is sensitive to a certain degree, then I would brief them on what that means and what costs are going to be associated with protecting that data.
What kinds of security technologies and procedures do you utilize to keep county workers protected on the network?
We use Internet filters that protect them from themselves and the sites they try to go to. We use intrusion detection systems, intrusion prevention systems and firewalls. A lot of the new technologies and applications coming out have application firewalls. To me, one way to really get the employees to understand is to have a good awareness program. We have had an annual security awareness day up until this year. We’re deploying an online security awareness program that the users will be required to take by policy annually.
With all the cyber security threats that local governments are up against, how can they adequately prepare and prevent network intrusions without the proper funding?
A lot of it stems on making sure that you’re knowledgeable about what’s going on in the world. That’s a huge part of it, especially for the people in our position. If you’re not aware of what’s going on, you don’t have any way of identifying the countermeasures that you can put in place. Having a budget is always the best thing in the world, but the first and foremost for me would be the awareness of your employees because they’re going to be your first line of defense when they’re using your systems. And then two, working with your businesses to ensure they understand the data they have and knowing what level they need to protect to it, trying to get investment into securing those before they’re data is available or out there for use is a big thing that we stress now. While we centralize security, we also try to emphasize to the businesses that it is their data, we are the stewards of their data, but as the data owners they have an obligation to invest as well in protecting their data and not just leaving it up to the IT shop or security shop to do it.
What kind of landscape do you see as it relates to network security on a local government level in the future? Do you see the same hazards that the DHS feels may be headed out way in terms of hackers breaking into utilities and other critical infrastructure if stronger measures aren’t implemented?
If stronger measures aren’t taken and people in our positions don’t take it a little bit more seriously, it’s going to affect the nation as a whole. While we’re Fairfax County and we do most of our infrastructure for wastewater treatment to the electric grids and all, we have an obligation to our partners that are around us here in the national capital region. We have an ability to communicate in our jurisdiction and I have to be able to trust my partner jurisdictions that they’re doing what they’re supposed to. We do a lot of check and balance on that by using a central policy on that network we use for that that we all agree to and we all stand with and we follow. If I were to feel there was vulnerability on my side, I’m duty-bound and obligated to let my partners know. I expect the same from the partner jurisdictions that we have. If I were to let the wastewater treatment plant we have here Fairfax County be hacked or attacked, the possibility of what could happen to I-95, which would affect the East Coast up and down, I don’t even want to think about what could happen. With that said, we’ve taken extreme measures to protect that infrastructure. We almost treat it separately or individually from all others.