The governor calls cybersecurity America's greatest risk as his state unveils a plan to protect an organization that had been in a state of "security neglect."
Illinois Gov. Bruce Rauner waves to the audience during his introduction at his inauguration ceremony in Springfield, Illinois, Jan. 12, 2015. (Wikimedia)
Illinois launched a new statewide cybersecurity strategy Tuesday that will eliminate the "patchwork" of policies spread across the state's 62 agencies and create a consistent approach to protecting infrastructure and citizen data, Gov. Bruce Rauner said at a press conference.
"Cyber attacks are the number one risk facing the people of the United States and facing the people of Illinois," Rauner, a Republican, said.
The new strategy contains goals and associated plans designed to provide consistent governance of the state's cybersecurity posture. The state was suffering from "security neglect," said state Chief Information Security Officer Kirk Lonbom, but the new strategy is "aggressive" and will ultimately instill long-term change across the state.
The five goals of the strategy are to:
- Protect State of Illinois Information and Systems
- Reduce Cyber Risk
- [Attain] Best-in-Class Cybersecurity Capabilities
- [Take an] Enterprise Approach to Cybersecurity
- [Build] A Cyber Secure Illinois
The fifth goal — created under the guidance of the National Association of State Chief Information Officers (NASCIO) — is the most exciting, Lonbom said, because it provides the technology office a chance to extend beyond its role as a leader within government and reach across the entire state via a "disruption plan" that treats certain events — like power outages — the same as an emergency management agency might treat a tornado or earthquake.
"We are bringing together not just state agencies but other public sector partners, owners of critical infrastructure to protect the state should there be a major outage for electricity or utilities or critical state systems are attacked and we can't provide the services like we normally would," Lonbom said.
Illinois developed its strategy through heavy collaboration with other states, organizations and "other multinational corporations with offices in Illinois," state Chief Information Officer Hardik Bhatt reported. As one of five recipients of a National Governors Association (NGA) Policy Academy for State Cybersecurity, Illinois used the opportunity to draw on the experience of others.
"We're looking beyond state agencies," Lonbom said. "We're looking at how do we make Illinois a cyber secure state. … Those are the things that are really going to continue to impact the citizens beyond us protecting state services."
Using a "core executive team" of officials that included the state's director of public safety, general of the Illinois National Guard, director of the emergency management agency, and intelligence chief of the state police, the state consulted with other states in both in-state and out-of-state meetings, received mentorship from NGA and continues to attend cybersecurity workshops and breakout sessions.
"It was awesome," Lonbom said of the academy.
Of the state's 62 agencies, 38 are consolidated under the Department of Innovation & Technology, and their technology budgets and operations are centralized. For the other 24 bodies, the technology department serves in an advisory capacity.
The state reported it does not know how much the plan will cost, but the funding will come from DoIT. The state has allocated $900 million toward IT for the coming budget cycle.