Agnes Kirk has played a key part in the security posture of Washington state for 12 years. The CSO role was created in 2004, and she took the position in 2005. But the work included ever-growing cybersecurity responsibilities as more and more government functions moved online. When the separate role of CISO was created, Kirk got the job.
Appointed by the state CIO, Kirk serves in both the role of CISO and as head of the Washington State Office of Cyber Security. The OCS, which is part of Washington Technology Solutions, sets the strategic direction for protecting the state's information and infrastructure -- transportation networks, power systems and financial services. Kirk also chairs the state of Washington Cyber Incident Response Center and serves on multiple boards and committees. In July 2017, the Washington state National Guard's cybersecurity unit indicated plans to become more involved in national and local incident response.
Like many states, Washington has weathered its share of damaging cyberattacks. In October 2016, attackers partially disabled the 911 system in Washington and a dozen other states by clogging the emergency lines with calls from "zombie" smartphones. Experience has taught Kirk that "you are not going to stop them all." So rather than fixate on a single incident, she has emphasized building resilience.
How did you end up in the role of CISO?
Agnes Kirk: Security is my passion. Early in my career here, I was involved with creating our public key infrastructure for authentication and online transactions. PKI was one of the things we stood up to see how it would work with citizens and business. I also brought in developers to create SecureAccess Washington, which provides self-administered single sign-on access to multiple agency applications. It was the first in the nation for a state government. Today it just passed five million active users. That was a real positive for citizens and business, allowing access to all kinds of things, from paying taxes to filing claims using a single credential. My responsibilities eventually grew, leading to creation of the CISO position.
After a few years in the role of CISO, the legislature and governor recognized that we needed some key things handled at the statewide level. We created the state Office of Cyber Security in 2015, which I lead. I report to the state CIO and advise the governor, elected officials and cabinet directors on strategy, policy and incident management. I have a team that handles incident response, conducts security assessments for agencies and helps train [their] staff, and mitigates problems. We also have a team that manages the state's security operations center, which monitors the state's networks in near real time. In addition, we have four security architects who conduct design reviews of applications and systems. Anything agencies want to launch or relaunch, we review to ensure it complies with the state's security architecture and has appropriate security controls in place, so at least when it gets launched it meets those standards.
How do you stay on top of so many challenges?
Agnes Kirk, CISO, State of Washington
Kirk: I have been part of the Multi-State ISAC [Information Sharing and Analysis Center] for years. Our relationships and partnerships across states and across the nation with peers and federal partners are super important. I spend a lot of my time continuing to mature those connections and develop new ones. I sit on several boards, such as DHS [Department of Homeland Security] State, Local, Tribal and Private Sector Policy Advisory Committee (SLTPS-PAC), as well as many others. Those appointments give me an opportunity to represent the state's perspective at the national level.
It sounds like you and your organization have been out in front on many of these issues.
Kirk: I do believe we have been on the leading edge of many things. We have had good executive support. I would love to tell you that I have all the funding I need, but I can't do that. There's not enough money to go around to fund all the requests made of the legislature. But this work is vital. It is important to note that half of SMBs that get hit by a cyberattack go out of business within 12 months. That is a critical statistic. That means we need to partner and do the right things. Government has to help ensure continuity of commerce. If we can't keep the economy going, it doesn't matter if government is up and running and vice versa. The feds have a role, but they can't do it alone.
What is most unique about the security challenges you face in the role of CISO for Washington state, compared with large, private-sector organizations?
Kirk: The first is that although many businesses today collect PII [personally identifiable information], it is generally one or two kinds [of data], like credit card or healthcare. The state is unique in that it collects all kinds of data from birth through death, so that makes us a more attractive target. Also, because the public sector is open government, there are challenges around disclosure requests. It is hard to explain in layman's terms that one record may not be a risk, but releasing multiple records containing the same information can greatly increase cyber-risk.
Has the state's tech sector played any role in helping to address cyber challenges?
Kirk: Having a high-tech workforce helps, but we still have to educate many others. Microsoft, along with most of the other high-tech organizations, and even private-sector peers in retail and healthcare, have been good at information sharing through a consortium I helped start 10 years ago. The security community is a tight group and has relationships based on trust. Those trust relationships are valuable. Of course, I don't like it when they hire away my people! We all compete for [the same] talent pool, and they are winning on the salary side.
What do you see as the most significant threats in cybersecurity at present?
Kirk: I think my biggest concern is what I call the advent of cybercrime as a service. The Shadow Brokers have been releasing the tools and hacking information that were stolen from the federal government. They are providing a subscription service. Once a month, you get a new hacking tool with a user-friendly interface, so you don't have to have a real skill set anymore. So we have seen a big uptick in those kinds of attacks, and it makes our need to be vigilant even greater.
It is the same with ransomware; you don't need to write software, just subscribe with one click. As long as it has revenue-generation power, it will be problematic. The [internet of things] also concerns me. These devices have not been developed with security in mind. So a lot of DoS [denial of service] attacks happened because these devices were compromised, and the owners weren't even aware of it.