Published on October 3rd, 2021
Whole-of-State Cybersecurity Gains Ground in Government
When the Colorado Department of Transportation got hit by a ransomware attack, state IT leaders called for backup, bringing to the table the cyber expertise of the National Guard and the crisis-response skills of the state's emergency management office.
"They came in and created a battle plan: Here are the five things that we are focusing on," said Colorado's CISO at the time, Deb Blyth. (Blyth has since returned to the private sector.) "They helped us really get organized around what resources we were allocating to each thing, rather than just chasing every little blip and anomaly all over the network."
In the present, escalated threat environment, experts agree, no one should be going it alone.
"With a dramatic uptick in ransomware attacks across the country, governors, state chief information officers and state government executives are designing and implementing programs to strengthen local partnerships in cybersecurity," according to a recent report from the National Association of State Chief Information Officers (NASCIO).
This "whole of state" approach helps governmental entities to leverage their combined resources and expertise.
With an emphasis on partnering, state IT leaders can deliver high-impact tools to local jurisdictions. "State governments are increasingly providing services to county and municipal governments, including endpoint protection, shared service agreements for cyber defensive tools, incident response, and statewide cybersecurity awareness and training," NASCIO reports.
At the city and county levels, the pooling of resources is proving an effective means of staying ahead in an increasingly volatile cyber environment.
What does whole-of-state cyber look like on the ground?
We asked state and local IT leaders to share their best practices.
NYC CYBER COMMAND
At the New York City Cyber Command, Senior Advisor Mitch Herckis can't imagine approaching the present situation with anything less than an all-hands-on-deck mentality.
"Cyber crime affects everyone, it impacts the entirety of the city, and that means we can't be secure in isolation," he said. "The more resilient we all are, the better off we'll all be. For New York City to be the most cyber-resilient city in the world, that requires us all to be aware of the threat and to have the tools necessary to defend ourselves."
With that in mind, Herckis and his team have taken steps to ensure that ordinary citizens are aligned in the fight. To that end, the NYC Secure App delivers free, real-time protection to users' mobile phones. The app has been downloaded more than 200,000 times.
"It will alert you to unsecure Wi-Fi networks or unsafe apps on Android systems – the things that people experience in their daily lives that could impact their digital safety," he said.
Cyber Command also has teamed with the nonprofit community by partnering with Quad9, a free service that replaces the default Internet service provider or enterprise domain name server configuration. Together they've worked to secure some 3,000 public Wi-Fi access points across the city.
"If someone's connecting to these, it will block known malicious sites, ensuring people aren't steered to places that are intended to hurt them," Herckis said. "It's a way of trying to protect residents when they're utilizing public infrastructure to connect to the Internet."
Small businesses also play a key role in Herckis' whole-of-state vision. He has teamed with the city's small-business services office to deliver basic cyber hygiene information to the business community. "We wanted to give them things that they could apply to their own businesses: small steps that they could take to be more secure," he said.
Getting public participation in a shared cyber mission has its challenges. The problem seems so big, and individuals may have a hard time understanding how they personally can help in the fight. Herckis tries to keep the messaging simple and tangible.
"People quickly become overwhelmed by the scope of the problem. So what can be done? You can show them the small steps that can be taken to significantly improve their security, rather than focusing on the big, scary problem," he said.
At the same time, NYC Cyber Command also partners with larger public and private entities, from the police department to critical infrastructure operators, in order to coordinate cyber preparedness and response. "We need all of that coordination," Herckis said. "We'll all be stronger if we're working together as a community of cyber defenders."
YORK COUNTY, VA.
In York County, Va., one high-profile cooperative effort has the IT department working with the Department of Elections to push out basic guidance to all jurisdictions.
"I'm on the advisory board for that effort to create a set of standards for all the jurisdictions involved with elections: Here are the best practices of what everybody needs to be doing," said Deputy Director of Information Technology Timothy Wyatt.
The team is pushing out processes and procedures, describing administrative controls and modeling system security plans. "For a lot of these smaller and even medium-sized jurisdictions, these are all new concepts," Wyatt said. "They're not sure how to tackle it, where to start."
With a population of 68,000, York isn't the biggest county in the state, but Wyatt said his team still has valuable know-how it can share with other counties looking to bolster their cyber efforts.
"This isn't the private sector, we're not in competition with each other," he said. "We're all one family, and we're all about helping the citizens. They may live in your county, but maybe they work over in one of those other jurisdictions. The more we help each other, the better it is for everyone."
There's precedent for this approach: A whole-of-state cyber strategy mirrors similar efforts in public safety. "We do police software hosting for a neighboring city. We have a regional 911 system with various other cities and jurisdictions," Wyatt said. "If it's good for the community, we embrace that very readily."
Looking beyond the elections initiative, Wyatt's team has also engaged in direct efforts to enlist citizens and the business community in the cyber fight. He's worked with a regional development center for small businesses to deliver cyber basics, and has shared similar information directly with small businesses.
Wyatt has found he can build strong partnerships by making the message personal.
"We focus on what they care about, what's important to them," he said. "For businesses, their reputation with their customers is critical. If they get hacked or they leak data, it could lead to the loss of their brand, the loss of customer confidence."
He's reached out to citizens as well, for example with information about securing personal information online. Here, the best route seems to be the gentle touch. "I'm not here to tell you what to do or what not to do," he said. "I'm here to educate on how risky a certain activity may be. Then you choose how risky or how safe you want to be. I just want to give you the tools and the knowledge."
All these efforts – the outreach to individuals and businesses, as well as the intra-governmental push – help to drive a stronger countywide cyber environment. To Wyatt, this seems the only sensible approach to an ever-expanding problem.
"Overall, we have to take a collective stance to try to fight against the wave of cyber hackers and everything else," he said. "We have to share resources. We have to collaborate and work as a team."
COLORADO
There's often profound inequality among local jurisdictions when it comes to cybersecurity capabilities.
"Some have cybersecurity teams that have funding, that have good security programs – and then some have nothing," said former Colorado CISO Deb Blyth. "They may have no IT staff, no security personnel, no funding, no security program. There is a huge pendulum swing between the haves and the have-nots."
From a statewide perspective, it's imperative to find means to close that gap. That includes taking cooperative steps to share information and insights. "The local governments provide critical services to their communities," Blyth said. "We can't just leave them out to dry."
At present there is no formal mechanism for driving a whole-of-state approach in Colorado, but it's coming. The Governor's Office of Information Technology, the Secretary of State's Office, emergency management officials and others are all working to define the rules of the road for a formal collaborative approach.
"We would like folks from across state and local government to be able to sign up, to self-select in order to become incident responders. We would give them some consistent training and then have agreements in place so that when someone calls us, we can all help," Blyth said.
Details have yet to be worked out. There are jurisdictional questions: Will the effort reside in the Governor's Office of Information Technology, or elsewhere? And how will it be funded?
"One challenge has to do with statutory authority," Blyth said. "Right now, no one is really in charge of cybersecurity standards at an overarching policy level. Each local government is sort of in charge of their own domain."
In the long term, jurisdiction will have to be made explicit.
Then there are the budgetary questions. Blyth doesn't want to create an unfunded mandate – telling jurisdictions how to conduct their cyber efforts without giving them adequate means. One possibility is for a state entity to aggregate homeland security funds that are designated for cyber defense. By pooling those resources, the state could potentially get bigger bang for the buck, sharing common solution sets among multiple local entities.
That's just one possible approach. State-level officials and local leaders are still working out potential funding schemes, which will eventually be brought to the Legislature. The goal is to have a formal plan in place by summer 2022.
If this vision comes to fruition, it could change the nature of cyber response across state and local authorities.
"It would mean we could be less about responding to emergencies, and instead be more proactive," Blyth said. "Right now, we've got 60 people from a state and local perspective who share cybersecurity threat intelligence information across the state. But there are about 3,000 local governments in Colorado. We can improve the cybersecurity landscape significantly, if we can just get more participation."
The 2018 ransomware attack on the state's Department of Transportation helped to prove the point. By collaborating with others, the IT team was able to have a state of emergency declared around that incident – the first time that had ever been done for a cyber breach.
"That gave me access to the Colorado National Guard. It gave me funding and resources that I needed to recover," Blyth said. "The Guard, they are cyber-trained warriors. They are really good at finding the holes in the environment, creating a battle plan, getting systems back online. We had great success with that approach at the state level, and now we want to replicate it at the local level."
NORTH CAROLINA
In North Carolina, three county and town CIOs are spearheading an effort to drive greater collaboration around cybersecurity issues. The North Carolina Local Government Information Systems Association (NCLGISA) has assembled an "IT strike team" led by Rowan County CIO Randy Cress, Henderson County CIO Mark Seelenbacher and Scott Clark, CIO in the town of Fuquay-Varina.
The CIOs agree that a cooperative approach is the best way to ensure an adequate defensive posture across disparate state and local entities, where the availability of skills and resources can vary widely.
"Especially during cyber events, there's a lack of resources around incident response," Cress said. "It requires a diverse skill set, and the whole-of-state approach is what brings together all those resources."
The effort here involves the state IT department, the emergency management agency, the National Guard and law enforcement, including the FBI and others. In addition, the Center for Public Technology at the University of North Carolina School of Government plays a leading role in coordinating efforts.
State legislation requires local governments to report all cyber attacks to the state Department of Information Technology, which works with the North Carolina National Guard and the emergency management agency to coordinate the response.
In practice, that initial report sets the wheels in motion, with key players huddling to assess the scale of the issue. "We start with a scoping call to assess the impact on the agency," Seelenbacher said. "All relevant responders will work to determine the total impact of the event."
These formal conclaves have given rise to a strong peer-to-peer network, through which local cyber pros are able to pool their intellectual capital. "At the local level there's always someone who knows that they can contact the strike team," Seelenbacher said. "Even if they don't know [who] to call up to at the state level, they at least get to us."
Clark described an incident in which all these pieces came together: a ransomware attack on a North Carolina city. The local emergency management team was already active in support of COVID-19 needs, and the strike force was able to leverage that presence to help drive the response.
"Emergency management helped run the incident. They were basically the incident commander, while the IT staff got all the resources focused on the job at hand and repairing. It was a very good model of interagency and interdepartmental support," he said. "Working together, they were able to rebuild the system, and it is in better shape now than it was before."
As a result of that event, the local CIO has now stepped up to share his expertise with others who may find themselves under attack. "It shows how this can be a real win-win," Clark said. "We threw all these resources at it, and now he's giving back to the community and helping others that had the misfortune of having a cyber attack. It shows how this approach helps improve the state as a whole."