NGA picks four states for latest cyber policy academy

Kansas, Missouri, Montana and Washington will work with the National Governors Association to develop policies that may one day be shared with other states.
Washington Gov. Jay Inslee
Washington Gov. Jay Inslee (John Moore / Getty Images)

The National Governors Association announced Thursday that officials from Kansas, Missouri, Montana and Washington will participate in the group’s cybersecurity policy academy.

Running through next January, the policy academy will feature a series of seminars and meetings with NGA staff in which the states will hone their information security policies. Participants from Kansas and Missouri will focus on cybersecurity governance, Montana will tackle workforce development, while Washington will take on partnerships between the state and local governments.

“I believe this is a great opportunity to help our state improve its security posture,” Washington Gov. Jay Inslee said in a press release.

Washington officials who’ll be participating in the NGA program include Chief Information Security Officer Vinod Brahmapuram and Chief Privacy Officer Katy Ruckle. Their participation comes as Washington begins to consolidate its state-government cybersecurity from a mostly federated model to a centralized operation, following the state’s exposure earlier this year to a data breach involving the software vendor Accellion.


‘I was really impressed’

The cybersecurity policy academy program was launched in 2016 as part of the NGA’s push for its members to embrace a “whole-of-state” approach that ropes in contributions from statewide agencies, local governments, the private sector, academia and nonprofits.

While last year’s program, which included officials from seven states, addressed IT security challenges raised by the COVID-19 pandemic, Maggie Brunner, the director of the NGA’s homeland security and public safety program, told StateScoop it also focused on longer-term issues.

“I was really impressed with not only how quickly they were able to deploy resources, but how they were able to refocus their attentions,” she said. “Folks didn’t lose sight of the long term.”

The policy academy, she said, is designed to set participating states on a track to develop strategies that can be implemented over a period of several years and — if successful — shared with other states. Officials from Michigan last year, for instance, used their enrollment in the program to work on K-12 cybersecurity, an agenda that included not just IT security for schools and districts, but also student curriculum and ways to get students interested in cyber careers.


Other states that’ve worked with the NGA on cyber policy used the experience to develop strategies that were used years later. In 2017, Louisiana officials worked with the association to develop policy that allows the governor to declare a state of emergency, making resources like the National Guard accessible in the event of a cyberattack, Brunner said. That policy, known internally as Emergency Support Function 17, was invoked for the first time by Gov. John Bel Edwards in June 2019, when several school districts across the state were targeted by ransomware.

‘Building a bigger table’

The academy program, which is selected competitively, is also meant to refine the “whole-of-state” model, which Brunner said has morphed in the years since the NGA first started promoting it.

“For governors, it’s not just securing the IT infrastructure, it’s all infrastructure across the state,” she said. “The past few years the hottest thing had been developing partnerships with local governments. At the same time, too, we hadn’t really been talking about K-12 two or three years ago. We’re bringing more people in.”

During the pandemic, she said, the health care sector has been brought into the mix, as hospitals have faced an onslaught of ransomware attacks similar to other sectors, like education and local government. State governments, Brunner said, are “building a bigger table.”


She also said that in addition to the familiar threats like ransomware and phishing scams, governors’ offices are paying attention to IT supply-chain incidents like the recent hacks of SolarWinds and Microsoft Exchange Server, as well as the Accellion breach that prompted Washington’s consolidation effort.

“We had our strongest and most competitive pool ever,” she said. “I think people are at the point in the pandemic they can turn to more strategic areas and they’re not just in crisis all the time.”

Latest Podcasts