Officials from Massachusetts said Wednesday they try to remain in near-constant contact with their local counterparts on matters of cybersecurity, a relationship that became even more vital during the COVID-19 pandemic as cities and towns stared down the necessities of digital services and online education.
The events of the past year-plus have driven home a sense that that close collaboration between the state government and its municipalities is essential to bridging the “last mile” of cybersecurity, Massachusetts Chief Information Officer Curtis Wood said on a panel during the annual RSA Conference.
“What we really believe is that all of us should be working together,” he said.
Wood, who’s worked in state government for nearly his entire 45-year career, said the commonwealth has improved considerably in recent years.
“Security had always been focused on the IT aspect,” he said. “It’s matured. It’s a core competency of the executive. We cannot conduct government business as a whole without understanding the security aspect.”
People and process
Wood said the Massachusetts Executive Office of Technology Services and Security, which he’s led as a Cabinet-level secretary since 2018, now addresses cybersecurity as primarily a business function.
“The technologies we have are certainly important, but it’s more about people and process,” he said.
He credited that shift to Gov. Charlie Baker, whom Wood said is running “the first administration’s that’s invested in this” out of the nine he’s served. Baker raised IT and cybersecurity to an executive-level agency in 2017 and later created a Cybersecurity Strategy Council made up of agency, education and business executives to advise him.
But bringing up-to-speed all of Massachusetts’ 351 municipalities — which range in size from Boston to small villages — presented the state government with challenges.
“[Baker] understands the threat, made the investments,” Wood said. “Unfortunately, I don’t think that’s happened at the municipal level.”
‘Always in the communities’
Much of the communication between the state and its localities comes through the state’s homeland security office. Jeanne Benincasa Thorpe, Baker’s homeland security adviser, said that local public safety authorities she works with have become increasingly concerned with information security over the course of the pandemic.
“We were always in the communities for COVID, whether it was [personal protective equipment] or testing,” she said. “It’s intensified over COVID because of the needs of the communities. Not only were they asking for help with testing and vaccines, they were asking for cybersecurity because their schools and health facilities were being hit.”
Massachusetts has been no stranger to cyberattacks during the pandemic: Last month, public schools in Haverhill, a city about 30 miles north of Boston, canceled classes due to a ransomware incident just as students were preparing to return to in-person instruction for the first time in more than a year.
Benincasa Thorpe credited Massachusetts’ fusion centers — one run by the state government, the other by authorities in the Boston area — with “capturing information throughout the country and diffusing it to our communities.”
‘On the ground’
Massachusetts Housing and Economic Development Secretary Mike Kennealy, a member of the state’s cybersecurity advisory group, said the state-run fusion center has also run webinars and incident-response workshops for municipal leaders, though he said he’s looking forward to holding those meetings in person as the health crisis recedes. (According to the Centers for Disease Control and Prevention, 63% of Massachusetts residents have received at least one COVID-19 vaccine does, and 48% are fully vaccinated, tied for the highest of any state.)
“There’s no substitute for being there on the ground,” Kennealy said.
But the most important step, said Wood, the state CIO, is to promote the realization that cybersecurity is a governmentwide concern.
“We need to make sure our political leadership at the local level understands this, too. It’s not just the IT guy or IT gal, it’s about ownership,” Wood said. “It’s everyone’s responsibility at the municipal and state level. Bring home what the impact is to them.”