Cybersecurity policy academy highlights importance of state-local collaboration

Four states that participated in a year-long National Governors Association program are increasing their efforts to engage local governments on IT security.
Arkansas Gov. Asa Hutchinson speaks before a conference audience at the National Governors Association winter meeting in Washington, D.C., on Feb. 24, 2019. (StateScoop)

Participants in the National Governors Association’s second cybersecurity policy academy, a yearlong training program held in four states, say the importance of states working more closely with their local governments has emerged as a prominent trend.

The policy academy, which began last May, included officials from Indiana, North Carolina, West Virginia and Wisconsin. While each state had its own unique challenges to solve, they all found value in assisting and collaborating with local governments, universities and grade schools, Michael Garcia, a senior policy analyst in NGA’s homeland security division, told StateScoop.

“Regardless of challenge or solution, it requires multiple stakeholders to achieve that end goal,” Garcia said. “The common mechanism was that they have robust relationships across the state.”

Wisconsin Chief Information Officer David Cagigal said the program helped his state articulate new goals around cybersecurity, one of them being working more closely with local government.


“They need a lot of help,” Cagigal said. “So we issued a page and a half of guidelines to all the cities, towns and counties.”

As state CIO, Cagigal said he has no authority over local governments, so the guidelines are intended to be a helpful resource — on basic IT security hygiene, passwords, and backup practices — that he hopes local governments will follow. Especially where local governments are connecting to state systems, Cagigal said he is concerned with the current state of local cybersecurity practices.

The increasing connectedness of public and private institutions in recent years has led to a growing number of facilities, such as state or regional fusion centers, to coordinate security efforts. An even newer trend is embodied in attempts by state governments to standardize and centralize management of IT security through legislation or executive action.

North Dakota Gov. Doug Burgum signed a bill last month that makes the state IT department responsible for cybersecurity operations across all of the state’s public organizations, including local governments, schools, courts and the state legislature — a first for any state. West Virginia, a participant in the NGA academy, enacted legislation in March to create a new cybersecurity office tasked with designing standards to centralize assessments, reporting, projects and other elements of IT security across the state government.

Maggie Brunner, program director for NGA’s homeland security division, told StateScoop that it’s valuable for states to have an organization in place, such as a group that includes a state’s National Guard, that can provide a centralized vantage point for the various organizations across the state.


“We have been seeing an understanding that there can be some great efficiencies if they have a statewide response team,” Brunner said.

Similarly, she said NGA anticipates more states will begin to create formal roles, such as “chief risk officer” or “cyber policy adviser,” to ensure that someone is ultimately responsible for a broad cybersecurity mission.

For Wisconsin, the academy effectively began last August, when Cagigal and other state officials met with leaders from NGA for two days to evaluate the state’s cybersecurity posture. A second meeting with other states was held in October to share best practices and talk about common challenges. The Wisconsin officials held their third meeting with NGA in February to summarize the work that had been done and to establish how the state will proceed.

In addition to the heightened focus on local government, Cagigal said the state also set three other goals. One is to improve general communications about the state’s current cybersecurity challenges and ensure that what the state is doing aligns with best practices seen in other states. The second relates to the formation of a new working group comprised of more than 100 public and private-sector leaders, including from the National Guard, to share information. The last is to support the state’s cybersecurity workforce by working more closely with universities, helping to develop pertinent curriculums and offer internships.

Cagigal’s group will complete its participation in the academy this month by writing Gov. Tony Evers a letter explaining the work it had done and the plan it created.


“We’ve been running down the highway at 100 miles per hour,” Cagigal said. “It was a good moment of reflection.”

The NGA is now accepting applications for its next policy academy, which will focus on election security. Participants will be announced in June, Brunner said.
