City, state cybersecurity programs follow Washington’s lead
Hackers’ expanding offensive capabilities have broadened the cyber threat landscape, with state and local agencies facing funding and resources constraints. However, federal guidance can shore up efforts at the state level, one official said.
President Joe Biden’s executive order on improving the nation’s cybersecurity and the Shields Up guidance from the Cybersecurity and Infrastructure Security Agency (CISA) have helped local measures, said Chetrice Mosley-Romero, Indiana’s cybersecurity program director.
“Any of those types of guidances that come from the federal government, while it may add some components to our day-to-day operations … it most certainly also adds a level of validation to what we do and why we are doing it,” she said, speaking at FCW’s May 2 cybersecurity webinar.
Increased transparency from federal partners about potential critical infrastructure threats has also helped. Previously, federal guidance would be “hit or miss,” she said. Plus, when CISA outlined how to securely shift to remote work, it helped smaller agencies and local governments that, for example, will never have the budget for a chief information officer, she said.
Mosley-Romero also pushed for a revised understanding of which tools are truly “free.” Though CISA provides free resources, these tools often have hidden costs, due to what she called the “human factor” of cybersecurity.
“Even a free resource is costly,” she said. “It's costly with time, costly with staff, and then to get everybody on board and communicate it in an educated way is costly. So I think we have to be considerate of the fact that these resources are great, but how can we make them digestible and how can we support local governments with getting the additional resources, funding and support to implement those free resources?”
To ensure that agencies are effectively prepared for cyberattacks, she stressed the need for leaders to have a comprehensive view of the security aspects. Even though cybersecurity is complicated, it can be broken down into simple steps – the key is making sure that people in leadership “understand how everything is connected,” she said, acknowledging the effect the state’s preparations can have on cities and counties.
“When it comes to emergency preparedness, Indiana has really been very lucky,” Mosley-Romero said. There is always a state committee focusing on “what kind of preparedness materials we can provide in an easy, turnkey fashion – it's about communicating, training, workshopping and exercising that plan through tabletop and even informal tabletop exercises,” she said. “A cyber incident response plan is often not enough.”
Gloss