A new report published jointly this week by the National Association of State Chief Information Officers and National Governors Association urges state governments to embrace partnerships with their localities to beef up the cybersecurity postures of all parties. The document comes after a year in which many state IT organizations were called upon by counties and cities for assistance following incidents like ransomware attacks.
Both NASCIO and NGA have been nudging their members to embrace what the groups call a “whole-of-state” approach on cybersecurity, in which all stakeholders — including IT agencies and other departments with roles in business operations, public safety and emergency management — collaborate on information security.
“Cybersecurity is not just an ‘IT problem’ anymore,” says the report, titled “Stronger Together: State and Local Cybersecurity Collaboration.” “It is a critical business risk, homeland security and public safety threat, voter confidence issue and economic development opportunity.”
Several of the biggest ransomware incidents resulted in local governments leaning on their states for support, such as an attack last July in which numerous school districts across Louisiana were hit just a few weeks before the start of classes, prompting Gov. John Bel Edwards to declare a statewide emergency. That decision triggered deployment of the state’s cybersecurity response team, a group that includes members of the Office of Technology Services, the Governor’s Office of Homeland Security, Louisiana State Police and the National Guard. A similar situation followed last August in Texas, when 23 local governments were infected at once, triggering another multi-agency response.
Those episodes serve as examples because Louisiana and Texas had previously put into place mechanisms that allow state resources to assist in a local emergency. Yet some IT agencies, the report states, “have little to no engagement with their local counterparts” on cybersecurity. A 2019 survey of NASCIO’s membership did find that 65 percent of states are providing security infrastructure and services to their local governments, including elements like endpoint detection, cyber hygiene training and incident response.
But, the document continues, the conversations around cybersecurity need to expand beyond CIOs and chief information officers. Only 31 percent of states have formal campaigns to make their localities aware of their cybersecurity offerings, the same NASCIO survey found.
“We always say cyber is a team sport,” said Meredith Ward, NASCIO’s policy and research director, and one of the report’s authors. “A message that we’re trying to get through to these folks is that silos of excellence don’t really work. It’s an issue that touches everything in the states.”
The report lists 13 states where statewide and local authorities are engaging each other more on cybersecurity matters. Along with Louisiana and Texas, it includes states such as Michigan, which has recruited a volunteer Cyber Civilian Corps to assist in responses to attacks against state or local networks, and is relaunching a “CISO-as-a-service” program for small jurisdictions that can’t afford full-time IT security staffs. It also includes New Jersey, where a statewide fusion center, modeled after the National Cybersecurity and Communications Integration Center, distributes advisories and alerts to government, businesses and residents. Also included is North Carolina, where new legislation year requires county and municipal agencies to report cybersecurity incidents to the state Department of Information Technology.
While some states have been able to take a more top-down approach — like North Dakota, where the IT agency handles information security for all public-sector institutions from the state Capitol to local libraries — the NASCIO-NGA report focuses more on programs that promote collaboration and conversation. Most states’ IT organizations don’t have statutory authority to call the shots for counties and cities, but they can share tips and best practices, and create channels for local governments to call for aid when they’ve suffered a cyberattack.
“It’s heavy on relationship building,” Ward said. “That doesn’t have to be a statute. I want to make sure we know each other.”