When New Hampshire Gov. Chris Sununu signed a new law last summer requiring local governments to report cybersecurity incidents to the state Department of Information Technology, it cemented a partnership between the state and its municipalities first formed on a public-radio show in 2019.
Speaking at the National Association of State Chief Information Officers midyear conference on Tuesday, Margaret Byrnes, the executive director of the New Hampshire Municipal Association, said she was barely aware of state CIO Denis Goulet, let alone the entire IT department, when the two were booked on a public affairs show focusing on cyber threats to local governments. Byrnes was a regular guest on the program, which covered issues of the day affecting New Hampshire — her previous appearance was on regulations of backyard chickens.
“Frankly, I was not aware of our Department of Information Technology before we did the radio show together,” Byrnes said Tuesday, eliciting gasps from the NASCIO crowd.
But that radio show about cyber challenges turned out to be a jumping-off point for what’s developed into New Hampshire’s approach to a whole-of-state cybersecurity strategy.
“I broached the idea of us continuing this conversation,” Byrnes said.
Since that 2019 broadcast, Byrnes said, she and Goulet have talked about how the state IT department can help defend New Hampshire’s local governments, school districts and other public-sector agencies, ranging from tiny water districts near the Canadian border to bigger towns and cities.
“Even though we were from different points of view, we were thinking the same thing,” Goulet said at the NASCIO session. “That’s how it kind of started.”
Over the next several years, Goulet and Byrnes said, they discussed how to get local governments to share more cyber-related information with the state, without ruffling relationships.
“As a municipal association we advocate against additional mandates on cities and towns,” Byrnes said. “Denis had a goal of increasing transparency and reporting for municipalities. We worked together. How can we come to a good compromise but doesn’t create onerous mandates?”
The one-page bill Sununu signed last June put New Hampshire among an expanding group of states that’ve imposed similar reporting requirements on their local jurisdictions. Byrnes said by working with Goulet, she was able to win over the Municipal Association’s 25-member board.
“I think there’s been a really good increase in the credibility of the state with the municipal association,” she said. “No crazy mandates are happening.”
New Hampshire CISO Ken Weeks, who was also on Tuesday’s panel, said the reporting legislation was supported by a “coalition of the willing” that included K-12 school districts and the New Hampshire Public Risk Management Exchange, or Primex, which provides the state’s public entities with pooled coverage.
“It’s not a great place to be to have Margaret opposing your legislation,” Goulet said.