State

Fun and games can raise cybersecurity awareness in state government

North Carolina's capture-the-flag exercise is extending cybersecurity concerns beyond the office of the chief information officer.

By Ryan Johnston

October 24, 2019

Bill Rowan addresses the crowd at CyberScoop's CyberTalks event in Washington D.C.on October 24, 2019. (StateScoop)

To get state employees interested in emerging cybersecurity techniques, state agencies are trying old games — like capture the flag — in cyber ranges that can simulate different cybersecurity scenarios. Bill Rowan, a vice president of federal sales at the software company VMware told a conference audience on Thursday that such efforts are helpful in raising awareness for the industry.

The idea, he said, is to allow state employees, students or those looking for a career change a chance to gain insight into what it is that a cybersecurity official does. The North Carolina Department of Information Technology, for example, partnered with VMware during a state-led event earlier this month to conduct a 30-person, cybersecurity-driven capture-the-flag game. The exercise is designed to simulate offensive and defensive tactics that the state’s cybersecurity teams would perform in a real emergency, like a ransomware attack.

“Think of the cyber range as a simulator,” Rowan said. “It gives us the ability to try different areas.”

Exercises like the capture-the-flag game help engage participants and get them talking, he said, raising awareness of cybersecurity outside the offices of technology departments.

“Cybersecurity and cyber awareness is the responsibility of everyone in the organization, not just people who work under the [chief information officer] or [chief information security officer],” Rowan said.

Though technology is gaining broader attention from politicians, State CIOs have historically struggled with asserting the importance of cybersecurity to their governors. James Collins, Delaware’s CIO, said at a hearing this week that he often felt as if he was “below deck” making decisions about technology behind the scenes. Now, as governors are taking cybersecurity more seriously, he said his position has effectively been elevated such that cybersecurity is now embedded in state policy.

Rowan said that technology without built-in cybersecurity is a hacker’s dream.

“There’s never been a more exciting time to be a technologist, but really, there’s never been a more important time to be a technologist,” Rowan said.