A new strategy document contains principles that "can be applied to every person, organization, government agency, and business in Connecticut," according to the governor's office.
After nearly a year of planning, Connecticut Gov. Dannel Malloy announced a new cybersecurity resource Monday, emphasizing that the tenets contained within are versatile enough for use both in and out of government.
When Malloy created the position of chief cybersecurity risk officer and appointed Arthur House to the role last October, he tasked House, state Chief Information Officer Mark Raymond and the Department of Administrative Services (DAS) to prioritize a strategy to protect residents. One of the outcomes is a new resource that highlights seven broadly-worded cybersecurity principles around leadership, cyber literacy, preparation, response, recovery, communication and verification. The state reported that its next steps are to launch an action plan that delineates technical steps and processes to follow.
“We receive daily reminders that we are living in a time of cyber insecurity, and we need to be proactive in this effort,” Malloy said in a press release. “The federal government, our national intelligence, and homeland security officials are doing their part, but states have a vital role to play. Connecticut is leading the way in taking action that will allow us to be prepared for any contingency and safeguard our residents from cybersecurity threats to critical infrastructure.”
House stressed that the state had to act if it wanted to shield itself from the hundreds of diverse and potentially devastating cyberattacks.
“We have a plan, but we also have a lot of work to do,” House said. “Cybersecurity is a process, not an end state. We must continue to take threats seriously and defend the people of Connecticut. ... Everyone should join in a common effort to create a culture of cybersecurity awareness.”
The state cybersecurity strategy and the future actions plan will lay a foundation for this “common effort” by institutionalizing goals and practices that may later increase access to cybersecurity funding. That was the case in Colorado after its chief information security officer, Debbi Blyth, built on past efforts to cement a statewide strategy. Colorado’s cyber initiative went from a bare-bones budget to a $9.6 million threat detection and prevention program. This happened, Byth said, because legislators could see where money was going and what the state wanted to achieve. Now Colorado spends an average of about 3 percent of its total IT spending — $350 million — on cybersecurity, placing it in the top 20 percent of states for cybersecurity spending.
Connecticut's announcement closely follows a cybersecurity strategy signed into law last month in Oregon that's designed to centralize cybersecurity policymaking and establish new advisory bodies that convene the wisdom of public and private sector experts from around the state. Eventually, state leaders said they hope to create a nonprofit called the Cybersecurity Center for Excellence that — among other things — drives funding for research to understand which offices around the state are most vulnerable.
Malloy, a Democrat, stated in the strategy that investment into a long-term cybersecurity planning was needed to combat an evolving class of threats.
“This strategy makes it clear that we cannot ignore the problem of digital insecurity,” Malloy said. “We cannot wish it away. And we cannot wait for someone else to solve it for us. I firmly believe that, if we embrace cybersecurity as a perennial priority — as a daily responsibility — the safety and competitive advantage we can gain for our state could be immeasurable.”