Getting everyone in the same room is a step that states can take today to help safeguard their assets, says the association's cybersecurity guru, Tim Blute.
Tim Blute, program director for the National Governors Association's Homeland Security & Public Sector Division (Jason Shueh)
With constant reports of Russian and Chinese hacking and nonstop attacks on government systems, states and cities are waking up to the idea that cybersecurity is critical infrastructure.
The concern has prompted the National Governors Association to offer resources and programs to help states avoid potentially devastating attacks. One of these resources is the Homeland Security & Public Safety Division at the NGA Center for Best Practices, led by program director Timothy Blute. A former intelligence analyst for the FBI Counterterrorism Division who was detailed to the Office of General Counsel at the National Security Law Branch, Blute acts as a guide for states building or developing their cybersecurity plans and programs.
Speaking Tuesday with StateScoop at the 2017 RSA Conference in San Francisco, Blute offered tips to localities on cybersecurity issues like funding, talent recruitment, intelligence sharing and general best practices.
StateScoop: How should states go about seeking sustainable funding for cybersecurity programs?
Tim Blute, NGA Homeland Security & Public Sector Division program director: This is an issue that a number of the states are working on. I don't think there is a state out there that would tell you that they are fully resourced. So, I think the first step is to begin to do that risk assessment, because you can't — nor do you want to — protect every single thing at the same level. You have to ask yourself, What is the most important thing you have to protect? Are you currently protecting it? And that risk analysis has to drive a strategy. We don't want states resourcing this problem without a strategic framework, and once you have that strategy, you have to engage not only the executive branch in states, but also the legislatures. The legislature in each state is a community that I think is becoming more and more aware of cyberthreats right now. The National Conference of State Legislatures has a cybersecurity task force, for example. So they are working together on this. But this requires cooperation not only between the CIO and the chief information security officer community but also with the legislature. This is so CIOs and CISOs can brief legislators on the threats they face, what is actually happening on state networks, and to make sure this is more of a year-long conversation and not just based around the budgeting process.
SS: What are a few best practices states might benefit from that might seem simple, but are not always apparent?
Blute: I think the number one thing I recommend when I meet with states is that you have to take a look at your state and how it's organized and figure out who owns all the important key pieces in your state. Then get them in a room for a set amount of time and talk about what everyone is doing against cyberthreats and how you can coordinate. That seems so basic for a lot of folks in the private sector or in the federal government, but in many cases state governments have a lot of different siloed entities that are all working toward cybersecurity, but they don't get around the table and talk.
And that's a lot of what we've been doing through our work at the NGA, and through Virginia Gov. and NGA Chair Terry McAuliffe's cybersecurity initiative. We bring states together for a series of regional summits and eventually a national summit where we say to the governor, 'You need to appoint your team to come, but it should be an enterprise team.' Meaning, you want to have representatives from the National Guard, Homeland Security, the CIO, someone from the governor's office, law enforcement, a chief budget officer and a few from the legislature. In some states this team might also include those from the private sector who manage critical infrastructure. That is really step one, just getting everybody at the table.
SS: How can states recruit strong cybersecurity talent?
Blute: This is a challenge that I think the public sector and the private sector face. There is just competition for the right people to work in this space. Yet one way to gather quality talent is by working with public universities and community colleges. One example of this is in Virginia they've set up their own scholarship for service program where they're willing to pay for two years of tuition in exchange for two years working for the state. We've seen another example in Indiana with the Indiana ISAC, where part of its Security Operations Center is staffed by computer science students from Purdue University. More generally, however, developing talent may require innovative pilot projects where you just work with the right group. But it is a huge struggle. Everybody is competing over the same talent but I do think there is a lot of opportunity in higher education that is increasingly centering programs around cybersecurity and computer science. These students want practical experience and the states need people so there is sort of a perfect match there.
SS: How can states foster better intelligence sharing between themselves and the private sector?
Blute: So, I think among the states as entities, the best way for them to do that is through the Multi-State Information Sharing and Analysis Center (MS-ISAC). It's the only ISAC that is devoted to sharing information between state governments. Every state is a member of that. There are different levels of engagement, but that is one of the best venues for states to share intelligence. The MS-ISAC works closely with the Department of Homeland Security and NCCIC (National Cybersecurity & Communications Integration Center) to kick out intelligence from the federal government to state governments and serves as a venue to share among states.
I think with industry, that one becomes a little harder to figure out. I think in many cases it's the states working with the industries that are in their geographic area. One example I'd look at is the New Jersey Cybersecurity & Communications Integration Center, the NJCCIC. And what they've done is outreach to critical infrastructure partners in the state that include private sector partners. Here they begin to talk about what is that value proposition, what is the information that the state has or may have that the companies want, and then what is the information that the companies have that the state wants? I think you have to decide where the value is on both sides of that equation, but I think there is going to be a lot more of it. This is a solution that requires private sector and public sector cooperation and engagement.
SS: Who should take point on such an effort?
Blute: We're really agnostic on who takes point. Our recommendation to governors is that they do have to have somebody, or one or two people that know that they are responsible for it. Have the authority to be responsible for it, and then to the necessary extent, have the resources to deploy it. That's really our recommendation, but each state is organized differently so it's really up to the governor to make the decision of who the best person will be.
Blute's comments were edited lightly for readability.