Cyber Maryland. PHOTO: Cybercrime Magazine.

Maryland’s TikTok Ban Highlights The Need For States To Get Proactive On Cybersecurity: Ex-Governor

Private sector collaboration provides a reality check for government

David Braue

Melbourne, Australia – Jun. 7, 2023

Bans that prevent government employees from using China-backed social-media app TikTok have become commonplace, but one of the earliest movers was the State of Maryland — whose former governor, Larry Hogan, last December issued an emergency cybersecurity directive prohibiting a range of Chinese and Russian apps on state government devices.

Maryland’s ban came on the heels of similar initiatives by the governors of South Dakota, South Carolina, and Nebraska — the first of what became a flood of jurisdictions concerned that the apps could be a gateway for state-sponsored cybercriminals to steal sensitive information.

And while many critics argued that the move was politically motivated — despite its being echoed in foreign jurisdictions such as Australia — Hogan said the concerns raised about the apps were both real and immediate.

“We took it very seriously,” Hogan told Cybercrime Magazine. “When the director of the FBI testified before Congress about how serious the threat was, and the federal government was warning us, and our state professionals were very concerned, the federal government wasn’t taking action — so we decided that it was critically important for us to try and address this with our state devices.”

Issued by state CISO Charles Stewart, Maryland Emergency Directive 2022-12-001 warns that “certain vendors and products present an unacceptable level of cybersecurity risk to the State,” alleging that some products’ manufacturers may be involved with “inappropriate” collection of sensitive personal data, cyber-espionage, “algorithmic modification” to support disinformation or misinformation campaigns, “or surveillance of government entities.”

Huawei Technologies, ZTE Corp, Tencent Holdings, Alibaba, Kaspersky, and TikTok were explicitly named, setting off a marathon statewide effort to remove the named products within 14 days of the directive’s issuance — and implement tools to ensure the apps were never installed on state government devices.

“Now we’ve got to work with the private sector to try to make sure that we’ve got the right technologies to make sure these vulnerabilities aren’t still part of the networks,” Hogan said. “But I think some of the damage may already be done.”

Government bodies have increasingly become targets for cybercriminals, with CloudSEK recently reporting that the number of attacks targeting the sector increased by 95 percent in the second half of 2022 — with 40 percent of attacks targeting government entities in India, the USA, Indonesia, and China.

Those attacks are not only becoming more frequent, but more expensive: the cost of public-sector data breaches increased from an average of $1.93 million in 2021 to $2.07 million in 2022, according to IBM’s latest Cost of a Data Breach analysis.

Many of these attacks “aren’t even super novel,” noted Gordon Lawson, CEO of cybersecurity firm Conceal, who has been working with government bodies at every level to help them improve their defenses.

“They’re getting more sophisticated, but it’s the same old tactics,” Lawson said. “So, we need to keep educating the state and local community that this is going to happen, and that the threat actors are going to target us specifically.”

“It’s about understanding at the policy level that this is a threat that’s only getting more severe, and that we need to work collectively to defeat it.”

Building a statewide cyber skills pipeline

For all the burden that governments now carry to protect themselves from cyber attacks, the TikTok ban was the latest in a series of proactive measures during Hogan’s governorship that saw the state further expanding its commitment to improving cybersecurity — with a $200 million investment last year building on its already standout reputation as a center of cybersecurity excellence.

“We need to work with private-sector expertise to make sure that we’re investing in the right tools to protect ourselves,” Hogan said. “Whether you’re a large state or a small state, you’ve got to put the funding into the budgets to make sure that we support and create a whole-of-state approach for cyber technologies.”

Indeed, Maryland’s proximity to the engine rooms of America’s military and government has made cybersecurity a key focus for industry development in the state, which is home to national security organizations including the National Security Agency at Fort Meade. Fort Meade is the second-largest concentration of cybersecurity expertise in the country, behind Fort Gordon in Augusta, Georgia, home to the US Army Cyber Center of Excellence.

“It’s actually a national security imperative for commercial cyber companies — not just defense contractors, but commercial cyber companies — to be in these areas of excellence,” said Lawson, noting that Conceal established its headquarters in Augusta to become more closely involved with the government cybersecurity apparatus, despite not being a formal defense contractor.

“We need to recruit veterans, and we need to be part of the higher education system, which I think we’ve done really, really well in Augusta,” Lawson said. “And I think it’s critical that we continue to invest in areas like this.”

That includes engaging with venture capital (VC) firms with the funding to support early-stage cybersecurity innovators.

“One of the things I’ve been working on is to bring the VC community to our headquarters, and be able to see the potential that’s there,” Lawson continued. “We really can change people’s lives by giving them an opportunity for almost unlimited employment by getting into this field.”

Maryland is already well advanced in this area, Hogan noted. With additional facilities such as the US Naval Academy (USNA), Maryland has been better positioned than most to benefit from a highly integrated skills pipeline — and he set up the state to capitalize on these natural advantages, both through direct action and by working with cybersecurity industry partners.

Cybersecurity “is one of the top two industries in the state,” Hogan explained, “and it’s very important from an economic development and commerce perspective — and for putting people to work as a big part of our educational system and higher education.”

“We’re creating more well-paying jobs for the people of our state.”

David Braue is an award-winning technology writer based in Melbourne, Australia.

