Cybersecurity grant funding from the 2021 infrastructure law — 80% of which is set aside for distribution to local governments — represents an opportunity for states to build competency in IT security practices among their broader networks of partner governments and agencies, officials said during an online event Thursday.
Trevor Timmons, chief information officer in the Colorado secretary of state’s office, said that while his relatively small office of just 150 employees is seasoned in cybersecurity practices, many of the 64 counties it supports in registering voters and administering elections can still use help on securing their systems.
“We’ve really enjoyed the opportunity to work with federal, state and local partners,” Timmons said during StateScoop and EdScoop’s Cybersecurity Modernization Summit. “I love the breakdown of the [infrastructure grant] funds. … It’s really an opportunity for us to raise the bar across the state, across local governments so that we can all get better.”
On the same panel, Anushree Bag, CIO of the Indiana Department of Child Services, said that while bad actors looking to trick government employees with phishing emails are getting “smarter by the day,” gaps in cybersecurity ability persist throughout government. She pointed to her own department, where, she said, she had an opportunity to boost awareness of a device policy that she’d helped devise in a previous role at the state’s Office of Technology.
Beyond state agencies, local governments could also be helped by increased cybersecurity awareness, she said.
“Locals have needs to make sure they have better cyber hygiene, but they may not always realize what that looks like,” Bag said, adding that improving cybersecurity requires not only education, but a larger cyber workforce. “To do all this, we need people.”
Timmons said his office works with a broad array of partners, including the Department of Homeland Security, the FBI, the state CIO’s office, a statewide fusion center and others, to help government agencies gain the knowledge of all levels of government. That expertise is a boon for local election offices, he said.
“Since we have that span, that’s our job, making sure we can tie them together and advocate for their needs with some of those federal and state partners that [local governments] might not know on a first-name basis, but we can help facilitate that,” he said.
Timmons and Bag said their efforts aim to build a “culture” of cybersecurity in which everyone takes responsibility for using good IT security practices, rather than just outsourcing the effort to the chief information security officer’s office.
“When folks fall for an automated phishing test, we don’t shame them, we actually push them to do some more training so they can better understand the signals, the signs they can look for,” Timmons said. “If something funny happens, you need to let us know so we can actually respond and actually start to contain that.”
Corrected March 6, 2023: A previous version of this story indicated Indiana state employees had violated certain cybersecurity policies. This statement was removed from the story after Anushree Bag clarified her statements during the event to StateScoop.