The biennial cybersecurity survey that the National Association of State Chief Information Officers published this week found that most chief information security officers would prefer that their states centralized their missions. But in practice, only about 40% of states consolidate cybersecurity operations under a single umbrella, while half opt for a federated model spreading responsibilities across agencies.
During a session Wednesday as part of NASCIO’s online conference, New Jersey CISO Michael Geraghty made the case for centralization, while also detailing the Garden State’s distinct approach. While the centralized model offers many financial and operational advantages, Geraghty also explained that, unique among states, New Jersey organizes cybersecurity under the homeland security office, rather than the main IT agency.
“It’s not just IT we’re trying to protect,” he said in a conversation with James Yeager, a vice president at CrowdStrike. “It’s everything that’s critical infrastructure.”
The 2016 consolidation process left Geraghty in charge of the New Jersey Cybersecurity and Communications Integration Cell, a fusion center modeled after the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center. From the NJCCIC, Geraghty’s team oversees information security across the state’s entire executive branch, issues advisories and intelligence to be used by local governments and the private sector, and coordinates with federal authorities like the Department of Homeland Security and the FBI.
A top-down model, he said, means individual agencies don’t have to scrape together resources or compete for talent.
“Prior to this, each department, each agency ran their own cybersecurity function,” he said. “We are stretched thin for cybersecurity talent. That doesn’t make sense that we’re going to have a capable cybersecurity functions in all the little agencies.”
‘Collect all the logs’
Geraghty said centralization also enabled New Jersey to scrub its cybersecurity inventory of overpriced and underused tools.
“We were spending hundreds of thousands of dollars on things that had never been implemented because we didn’t have the staff for it, and money on tools that provided no value but we had because the vendor recommended it,” he said.
For example, he said, each agency once had its own endpoint detection and response product; now the entirety of the Garden State Network — New Jersey’s statewide network — uses CrowdStrike’s EDR platform.
The NJCCIC is also able to more efficiently intercept cyber threats and alert the rest of the state, Geraghty said. He cited an incident in January, when he was informed by a “trusted third party” that an actor based in Russia was claiming on the dark web that it could sell access to the Garden State Network.
Geraghty said the NJCCIC responded by ordering password resets at nearly 70 state agencies. Later, he said, his team detected that a malicious actor had attempted to use a command-line tool that provides remote administrative access to older versions of Microsoft Windows Server, after which a vulnerable port was closed.
Geraghty chalked up this mitigation effort to what he called an “idiot savant”-like obsession over network logs he first developed in the 1990s as a cybercrime investigator with the New Jersey State Police.
“We collect all the logs we possibly can,” he said. “This year alone, we’ve already got 400 terabytes’ worth.”
‘Not a New Jersey feel-good story’
Centralization also proved handy in March when the COVID-19 pandemic — which walloped New Jersey — sent nearly all 70,000 state workers home, where they largely remain now. While the state had to navigate overstressed supply chains for laptops and mobile devices, Geraghty said having statewide identity and access management policies in place at least made it easier to scale up remote work.
“When it was time to go from a no-work-from-home environment to a you-will-work-at-home environment, we were ready,” he said. “We didn’t have laptops for everyone, but we did have remote access tools, we just needed to scale them.”
Still, Geraghty conceded that even with his state’s relatively advanced centralization model, it will never run out of security challenges to face. He said cybersecurity organizations should focus on what their customer agencies need, rather than attempt to build an idealized model for which a state may not be mature enough.
“This is not a New Jersey feel-good story,” he said. “We have the same challenges as any other state. But if we work together, we have a better chance at being resilient.”