Across the United States, state, local, tribal, and territorial governments (“SLTTs”), small- and medium-sized businesses (“SMBs”), and nonprofits are frequently targeted in cyber attacks, leading to significant financial costs and societal impacts. Yet while they may manage critical infrastructure and deliver essential services, many of these organizations lack the financial resources and human expertise to defend themselves online.
A new CLTC report, A Path to Long-Term Cyber Resilience for Under-Resourced Organizations, examines how IT and security service providers (ITSSPs) — including managed service providers (MSPs), managed security service providers (MSSPs), and other types of IT and security service providers — can improve the long-term cyber resilience of these under-resourced organizations.
The report was authored by Michael Razeeq, a Non-Resident Fellow, Public Interest Cybersecurity at the Center for Long-Term Cybersecurity. Razeeq is a data governance, strategy, and privacy attorney with experience working for global financial services, media, and energy companies, and a multinational law firm; he was previously a 2024 New America #SharetheMicinCyber Fellow.
To produce the report, Razeeq examined existing research and conducted semi-structured interviews with individuals from a range of ITSSPs, as well as two state government officials with experience working with IT and information security service providers. The study examines the roles of different types of ITSSPs and how ITSSPs serve their clients, and offers recommendations to position more ITSSPs to be able to support under-resourced organizations, with calls to action to carry out these recommendations.
Razeeq focused his research on the water and wastewater systems (“WWS”) sector, because “water is a key dependency for many other critical infrastructure and key resource sectors (such as healthcare and public health, emergency services, food and agriculture, and chemicals), and it includes government, nonprofit, and for-profit entities,” he explains in the report. He also notes that WWS infrastructure is vulnerable to cyber attacks because it comprises both IT and operational technology (“OT”); water and wastewater systems are complex, geographically distributed operations, and often have few or no staff members with specialized cybersecurity experience.
The report explores pathways for organizations in the WWS and other sectors to outsource IT and information security services, thereby reducing internal costs and gaining access to skilled IT and information security professionals. “Outsourcing those services can also allow under-resourced organizations to quickly adapt to evolving external factors, for example by obtaining up-to-date threat and vulnerability information and increasing the manpower available to address those issues,” Razeeq writes. “Further, outsourcing enables under-resourced organizations to indirectly share the costs for those services with the service providers’ other clients.”
The report recommends a range of “demand-side actions” that under-resourced organizations and the communities that work with them can take to improve the awareness and procurement of ITSSP services, such as:
- Expanding the availability of cybersecurity awareness and training, for example by modeling initiatives like Take9, a public awareness campaign focused on promoting safe cyber practices;
- Establishing a matching service to help under-resourced organizations find ITSSPs, based on models such as the Cyber Resilience Corps, a nationwide force of cyber volunteers launched by CLTC and Cyber Peace Institute;
- Developing purchasing pools or collaboratives as a way to increase the market power of under-resourced organizations to procure ITSSP services; and
- Working with investors and donors to prioritize cybersecurity as part of their investments or funding.
The report also recommends “supply-side actions” that can help increase the availability and ability of ITSSPs to support under-resourced organizations, including:
- Increasing community engagement and outreach by ITSSPs;
- Expanding pro bono and discounted services by ITSSPs for under-resourced organizations; and
- Enhancing information sharing and collaboration among ITSSPs.
“ITSSPs deliver services designed to safeguard their clients’ information and information systems and can help under-resourced organizations improve their long-term cyber resilience,” Razeeq concludes. “However, not enough under-resourced organizations and ITSSPs work together today. No single recommendation in this report will remedy that, but in aggregate, implementation of these recommendations will help improve the cyber resilience of under-resourced organizations. This report should serve as a call to action for the stakeholders referenced to take steps to help secure under-resourced organizations and, by extension, to secure U.S. critical infrastructure.”
A Path to Long-Term Cyber Resilience for Under-Resourced Organizations
