Governors across the country are increasingly pulling together panels of experts to help them confront cybersecurity conundrums, yet it’s an open question how effective these commissions prove to be in making states more secure.
Within the last month, Colorado and Indiana became the most recent states to convene these cyber-focused commissions, creating groups of administration officials, academics and private sector experts to discuss the security threats facing their respective states, but they’re hardly the only ones. A StateScoop analysis of executive orders and other documents revealed that governors in 21 states presided over the meetings of similar cyber task forces in the course of the last year.
From California to Delaware, these groups have gathered to advise the nation’s chief executives on everything from the health of state networks to the development of cybersecurity legislation. Each state sets up these commissions a bit differently, but state IT leaders, like the chief information officer, normally get a seat at the table alongside public safety agency heads, executives from cyber companies and even federal officials.
Timothy Blute, senior policy analyst in the Homeland Security and Public Safety Division of the National Governors Association’s Center for Best Practices, told StateScoop he’s seen a proliferation of these groups recently as governors try to understand a highly technical issue.
“We’ve seen it in a number of states, and there was a real uptick in 2015,” Blute said. “It really meshes with what we’ve been asking and telling states, that this has to be an enterprisewide team approach.”
Though lawmakers in two states — Maryland and Colorado — convened these groups with legislation, it tends to be governors creating the councils through executive action.
“One of the advantages of approaching this problem through a commission is that governors can act immediately,” said Jeffrey McLeod, director of the NGA’s homeland security division. “It gives them an opportunity, because this is a threat that is growing, to react and get in front of this issue.”
Yet many outside observers, particularly those in the private sector, are skeptical that these groups accomplish much.
“Putting together committees of politicians and former government officials to address the cybersecurity problem is futile,” said Greg Scott, a senior technical account manager for the software company Red Hat.
But even in the face of that pessimism, participants on these panels charge that the right group of people with the right guidance can help generate meaningful cybersecurity changes.
While many of these task forces have just begun their work, Blute sees the “Virginia Cybersecurity Commission” as an example of what these groups can do.
Gov. Terry McAuliffe convened the group with a 2014 executive order, charging Secretary of Technology Karen Jackson with co-chairing the group of cabinet secretaries and private sector executives to review the state’s networks and develop a series of recommendations on how to strengthen them.
“If you can say you had a commission that had input, evaluated things and came up with recommendations, it’s much more powerful than me saying, ‘This is what we should do,’” Jackson said.
But beyond just advising McAuliffe on the issue, Jackson pointed to the group’s work with lawmakers as evidence of its real value. Through March, when the commission dissolved, Jackson said the task force was able to team up with the Legislature to pass seven cyber-focused bills, covering everything from cybercrime prosecutions to public records law.
Considering that Virginia law bars McAuliffe from running for re-election, she believes it was essential for the group to act quickly and generate results before he leaves office in 2018.
“We are on a compressed timeframe to get things done,” Jackson said. “Losing a year is the equivalent of losing a decade, and so you have to go in with the idea of the commission is not about a paper report that’s going on a shelf, these have to be actionable items.”
Potential political stumbling blocks
But Jackson concedes that, in the past, she’s been on some public sector commissions that feature nothing but members “getting together and talking for a year.” Alan Guinn, managing director of the Guinn Consultancy Group, worries that kind of result tends to be the norm, rather than the exception, based on his work with state governments.
“The commission will report back to the governor and some level of action will be taken, but the actions taken … will just bandage the problem,” Guinn said. “Everything goes on, somewhat similar to what was occurring previously.”
Peter Hutchinson, managing director for public services strategy at Accenture, also suggested that these commissions can be political tools for governors rather than dedicated efforts to get things done. He sat on several task forces during his years working to reform Minnesota’s public school system, and he found that while governors may be sincere in their desire to use the groups to solve problems, the groups could also be designed to provide “political cover.”
“How many task forces have been empaneled because, at the end of the legislative session, you can’t get anything passed, so you create a task force?” Hutchinson said. “Political leaders claim they’re addressing the problem because they’ve created a task force, but in fact, what they’re doing is stalling.”
Indeed, Guinn also sees the influence of politics in who gets appointed to cybersecurity commissions, charging that a governor will typically include “a political hack or two who really aren’t good at management, but can sure raise the campaign dollars” in the group. But that’s hardly the only issue he’s noticed with members of these task forces.
“The panel is often composed of an outside IT expert, often an owner of a software company, who may know his or her product, but no other, an academic who probably hasn’t written code since DOS, and law enforcement officials who are obviously clueless since a cybersecurity issue has probably occurred,” Guinn said.
Carl Herberger, vice president of security solutions for Radware, suggested that a lack of specific goals and expectations can plague these groups as well.
“There’s no real focus point,” Herberger said. “This results in distributed management and no one really responsible for the optimum performance of the program, from defining the technical architecture to deployment of controls to operational adherence to emergency response to policy and awareness orchestration.”
Checklist for success
But despite these potential trouble spots, many experts agree there is immense potential for cyber commissions if they’re constructed correctly and managed well.
Jackson thinks her task force was so efficient largely because of its leadership — she tabbed retired Rear Adm. Robert Day, who previously served as CIO for the Coast Guard, to help manage the commission as its executive director.
“He was the one that was responsible for keeping the momentum going,” Jackson said. “Having somebody that’s dedicated to it and understands the space is extremely important.”
She added that dividing the commission into five working groups and tasking each with a focus area helped the group’s members home in on the issues they were most knowledgeable about and generate targeted policies.
Hutchinson said that kind of direction and a sense of urgency from the governor can also help these groups hammer out meaningful policy changes.
“I’ve seen many, many examples where executives bring together knowledgeable people who have a stake in the problem, and who have very serious disagreements about the right answer, and metaphorically lock them in the room and tell them they can’t come out until they do agree,” Hutchinson said.
By contrast, Guinn thinks a radically different approach to delegating cybersecurity responsibilities would be considerably more effective for governors.
“Appoint three individuals to coordinate cybersecurity planning, cybersecurity assessment, cybersecurity response,” Guinn said. “Pay them well. Have them in constant contact via secure lines or state-owned cell phones … Bring your law enforcement and investigatory groups into the mix only to advise and direct as required, and set realistic time windows for responses.”
Indiana’s way forward
John Hill, deputy chief of staff for public safety for Indiana Gov. Mike Pence, plans to weigh just these issues as he sets up his state’s “Executive Council on Cybersecurity.”
“Frankly, we’ve had a lot more interest than we have positions,” Hill said. “One of the challenges we’re going to have is not be exclusive. We want to be inclusive of people, but if we get it too large, we’re going to inhibit dialogue.”
Hill is also cognizant of the need for a central vision for what the group can accomplish. Pence’s order charged the council with developing a “strategic framework document” and an “implementation plan” for hitting specific cybersecurity benchmarks, but Hill hopes the group can push agencies to adopt some immediate changes.
Not only does he think the council can help establish cybersecurity-focused “performance metrics for agencies,” but he also wants to see the group start leading regular statewide cyberattack simulations.
For all the challenges facing these groups, Hill is optimistic that the urgency of cyberthreats will push his council to act decisively and develop “good cyber policy.”
McLeod, the NGA analyst, has the same outlook. Even with the potential for inaction from these commissions, he expects that they’ll start generating meaningful change nationwide soon.
“Because so many states are really at an early phase in terms of their maturity in addressing this issue, a lot of them are just forming the task forces, gathering feedback from stakeholders and developing recommendations,” McLeod said. “We can expect to see more states passing legislation, maybe next year to make pretty significant systemwide changes.”
Contact the reporter at firstname.lastname@example.org, and follow him on Twitter @AlexKomaSNG.