‘Whole-of-state’ cybersecurity efforts rely on good communications
Although nearly everyone is working from home right now, that hasn’t stopped the need for statewide and local governments to collaborate closely on cybersecurity efforts, officials from North Carolina said Monday on a webcast presented by the National Association of State Chief Information Officers.
Nationally, a “whole-of-state” approach, in which all stakeholders — including IT agencies and other departments with roles in business operations, public safety and emergency management — is continuing to gain popularity. In North Carolina, it’s resulted in local officials being more comfortable with assistance and intervention from higher rungs of government, said Maria Thompson, North Carolina’s chief risk officer.
“‘State’ is in our title, but ‘state’ doesn’t necessarily just mean state agencies,” she said.
The session, part of NASCIO’s virtual replacement of the midyear conference it canceled due to the COVID-19 pandemic, followed themes laid out in a January document published by NASCIO and the National Governors Association. That report praised North Carolina’s work in establishing a statewide incident-response plan and modifying laws to require local governments to immediately report cybersecurity incidents to the state Department of Information Technology.
“Whenever an alert goes about a new ransomware attack, we have a list of people who are automatically notified,” Thompson said. “You can close your eyes and you know what’s going to happen. It’s a checklist, a playbook for what we do.”
Some state IT agencies, like Texas’, have had to tiptoe around legal statutes when assisting local governments with responding to cyberattacks. But Thompson said engagement with North Carolina’s cities and counties was made easier by an existing “IT Strike Team” created by the North Carolina Local Government Information Systems Association, a NASCIO-like organization for local IT officials.
She said the partnership was especially busy in 2018 and 2019, as ransomware attacks against local governments and school systems surged. IT officials have also responded to at least six public-sector attacks so far in 2020, Thompson added.
Randy Cress, the CIO and assistant manager of Rowan County, in the central part of the state, said the strike team was originally established to provide mutual aid to jurisdictions after hurricanes and other natural disasters. He also said its existing relationship with the North Carolina Department of Emergency Management made it easy to begin working with NCDIT on cybersecurity matters.
“There are lot of parallels between emergency management and cyber,” he said.
Efficient communications between government agencies might be one of the most crucial of those similarities, Cress added. “You can’t have 100 unique individuals coming at a particular time. Develop a few liaisons who can have those conversations.”
Cress said the IT Strike Team originally had a single person serving as a point-of-contact with the state government, but has since expanded to three liaisons, each representing a different region of North Carolina. Thompson said those liaisons, like Cress, in turn help the state get its guidance on information security down to local levels.
“It’s tough, but you have to find an evangelist who’s trusted,” she said. “Find someone held in high regard in the local counties who can help you build bridges.”