Colorado Gov. John Hickenlooper warned on Monday that unless states take a proactive approach to cybersecurity education and investment, leaders will find themselves susceptible to crippling attacks from hackers and organized cybercrime.
Hickenlooper addressed an audience in San Francisco at RSA’s Public Sector Day where he outlined his administration’s digital security efforts and appealed to the private and public sector to work together on defense. As a reference point, the Democratic governor summarized how his state is constructing a National Cybersecurity Center (NCC) in Colorado Springs, a nonprofit funded through the state that seeks to be a hub and first responder for state defense and outreach.
“I think that the magnitude of risk and vulnerability is at the same scale as climate change and if we go back 15 or 20 years ago when climate change was very poorly understood and very rarely accurately communicated to the public, that’s where we are now with cybersecurity,” Hickenlooper said. “I think we are at that very early stage of people’s awareness of just what the vulnerabilities are, what the threats are and what the risks are.”
A trip to Israel’s cyber command center was a catalyst for Colorado to launch its own Cybercrime Commission, to meet with legislators to gain funding and begin development of the NCC, a center that will be funded both by the state and private sector companies interested in cybersecurity advancement.
The center will provide a leadership education program for counties, cities and businesses, a research center for businesses and academia, and a rapid response service for small businesses and cities uncertain of how to react after a major attack. Hickenlooper said he believed Colorado’s NCC would be one of just four or five centers around country to adopt such a broad mission profile.
“When municipalities and small governments get hacked, breached or there is some form of ransomware, they don’t know what to do. They don’t have any sense of who to call, what their avenues of response are or how to mitigate risk,” Hickenlooper said. “Another challenge we continue to have is that local municipalities don’t have funding for this, which is just an absolute reflection of the lack of understanding for the threat, the risk and the vulnerability.”
Hickenlooper was adamant that collaboration needs to extend beyond basic exchanges and be embedded in the process that state governments use when answering attacks. Based on the flow of intelligence and evolving tools in the industry, he noted that in the future governments are unlikely to be the first responders for cyber-incidents, and so they should gear up for that future.
“We’re used to having the military, the CIA and the FBI as our first line of defense and I’m not sure that’s going to work around cybersecurity.” Hickenlooper said. “We’re going to have to depend on this amalgam of the private sector and that’s going to require a more rapid sharing of standards and platforms.”
Yet to accomplish such an objective, state policies and information sharing platforms must ensure intelligence sharing can be done so company’s can do it safely, without fears that hackers can duplicate past attacks, and that the sharing would not jeopardize a company’s credibility or proprietary technology, he said — all complicated concerns.
“Right now, [the private sector’s] entire self-interest is making sure nobody knows about attacks or that they talk about incidents as late as possible and with as little information as possible.” Hickenlooper said. “That’s not the best way for the private sector to be the first line of defense.”
Going forward, the governor said Colorado will continue to work with its industry partners, across state borders and with the federal government to establish cybersecurity standards and generate communication channels for best practices.
“We can’t just keep sitting here talking about it,” Hickenlooper said. “We’ve got to fix it”