State

Connecticut calls its new Cybersecurity Action Plan a ‘call to arms’

The document outlines new programs and provides guidance to public and private institutions across the state.

May 4, 2018

A document published this week by Connecticut officials represents one of the strongest cybersecurity plans undertaken by any state. The 41-page document, called simply the Cybersecurity Action Plan, highlights a need for increased security, more cross-sector collaboration, and heightened academic focus to help fill a cybersecurity workforce gap. The plan builds on a cybersecurity strategy proposal last year that called for Connecticut to implement dozens of new programs and policies affecting government offices, law enforcement, higher education and local businesses.

The new plan’s principal authors, Chief Cybersecurity Risk Officer Arthur House and Chief Information Officer Mark Raymond, call the document a “call to arms” for statewide improvement.

The report received the support of Gov. Dannel Malloy, who said Thursday that “cyber intrusion threatens state and municipal government, every person, every business, and every organization in Connecticut.”

In addition to recommending improved planning and policy around cybersecurity response, recovery, communication, the document also calls for the creation of new offices and programs throughout Connecticut’s state government. The potential results include K-12 cybersecurity curriculum, a dedicated cybercrime unit for law enforcement and new state government reporting requirements.

Exactly how much of the plan’s provisions are requirements rather than suggestions is a “complicated question,” Raymond told StateScoop, but he said the state will be working toward everything included in the document.

“That there’s no additional dedicated funds for it makes that a complex endeavor,” Raymond said. “We’re pulling funding to do some of these things from existing sources, so our ability to make large progress on it will be dependent on our ability to make those funds available.”

Connecticut recently counted nearly $2 billion in new revenue, including almost $1.3 billion in unanticipated income tax receipts tied to capital gains and other investment earnings. While those funds are required to be deposited into the state’s emergency reserve fund, Connecticut’s short-term economic situation is less rosy as the legislature attempts to balance a budget that takes into account regional squabbles over casino revenue and a question of how much aid the state will send to Hartford, which holds $550 million in debt, to help the city avoid filing for bankruptcy.

The current legislative session will end May 9 and lawmakers are working to close a $200 million budget shortfall. Malloy, a Democrat, called on lawmakers last year to close the spending gap by early December, but they have struggled settle on a plan that both parties could agree on.

Budget shortfalls notwithstanding, Malloy has been a vocal supporter of ramping up the state’s cybersecurity efforts, particularly in light of a Wannacry ransomware attack that infected 160 Connecticut state government computers earlier this year. While no files were encrypted or data lost, according to Connecticut leaders, the incident impressed upon many in state leadership the importance of being prepared for other such attacks.

The state’s new action plan highlights as its top priority a need for “informed and engaged leadership” on the subject of cybersecurity. Top-level state leaders must “adopt an enhanced culture of cybersecurity awareness and defense,” the document reads.

“It’s something we need to have everyone pay attention to,” Raymond said, “from leaders, legislators, and businesses.”

Raymond said the plan also provides both government and non-government entities a starting point where many are unsure where to start.

Inside state government, the plan underscores the importance of digital literacy and employees using multi-factor authentication on critical systems.

The document outlines nine steps Connecticut should take to prepare for a disruptive attack, including the completion of a cyber disruption response plan by the state’s Division of Emergency Management and Homeland Security.

All state agencies are also called on to meet two new requirements by the end of the year: First, agencies must document compliance with at least the first five of the Center for Internet Security’s 20 Critical Controls. Second, all agencies are being asked to complete an inventory and classification of all data in their care.

Explaining that strengthening defense and recovery plans are “not enough,” the plan calls for new ways to verify that the state’s cybersecurity efforts are working. The state’s technology office — the Department of Administrative Service Bureau of Enterprise Systems & Technology (DAS/BEST) — is charged with joining the Auditor of Public Accounts to find effective verification processes and incorporate them into the state’s annual agency reporting process.

DAS/BEST is also directed to collect reports from each agency and provide an annual cybersecurity status report to the governor, the chief justice of the state supreme court and the general assembly.

The plan also contains chapters for municipal government, higher education, businesses and law enforcement in that are less prescriptive than the directions for state government, but still push a similar brand of urgency.

“Our goal is for municipal governments to create serious, effective cybersecurity programs to protect citizens and municipal governments and to help make Connecticut a national leader in cybersecurity defense,” the document reads.

House and Raymond direct the state education department to propose new K-12 lesson plans designed to promote safe computing concepts and practices. The plan also asks for a more direct conversation about the state’s workforce efforts.

“We need to have a candid discussion in Connecticut of whether we seriously plan to meet through our state higher education system the Connecticut demand for cybersecurity professionals,” the report states. “If so, we need concrete plans to address existing and projected demand for cyber professionals, the restructured and expanded cybersecurity curricula required and the geographic availability of the resulting programs.”

One suggestion is a website that displays the options Connecticut’s colleges and universities offer in the cybersecurity field.

For law enforcement, the report cites several goals, including the creation of a dedicated cybercrime unit within the Connecticut State Police. Details on how the unit would be funded, its size and how it would cooperate with other agencies would be determined “as it progresses,” it says. “Core cybersecurity training” would also become mandatory for incoming cadets and all sworn officers.

The full plan can be found on the Connecticut state government website.