Among the first items the North Dakota legislature will consider when it convenes Thursday is a radical overhaul of the state’s information technology budget, proposed earlier this year by the state’s top technology officials, to unify IT and cybersecurity polices for nearly every public institution across the state under a single agency.
The proposal would give North Dakota an information technology structure unlike that of any other state. While it takes the relatively common step of consolidating all of the the state government’s IT operations under a single office, the North Dakota Information Technology Department is also proposing it be responsible for managing cybersecurity operations across all of the state’s public entities, including local governments, schools, courts and the state legislature. If successful, the project would leave ITD with a broader security mission than any other statewide IT agency in the country.
North Dakota’s universities and local governments manage their cybersecurity needs individually, though often with shortages of staff and resources, particularly at educational institutions. Moving cybersecurity under ITD, state officials argue, will bring unity and more rigorous governance to those efforts.
Gov. Doug Burgum’s proposed two-year budget for the 2019-21 fiscal cycle includes $174 million for technology, including allocations for upgrading voting integrity, public safety and technologies that improve residents’ interactions with government. It also includes $16.4 million for the state’s IT consolidation efforts and funding to hire 17 new full-time cybersecurity employees, most of whom would focus on the state’s educational institutions.
While that’s less than half the 37 positions ITD asked for in September, Chief Information Officer Shawn Riley told StateScoop that he may eventually get all of those employees once his office establishes the state’s technological infrastructure around cybersecurity first. ITD’s proposal addresses an issue of IT security that all governments grapple with daily, but it’s taking a unique approach to handle North Dakota’s high level of connectivity and number of potential targets.
Changing the conversation
By the state’s own measure, it needs to improve its cybersecurity. A statewide assessment in September of North Dakota’s cybersecurity maturity — a measure of the its governance policies and how well they’re adhered to — gave the state failing marks. That, combined with the 5.6 million attempted cyberattacks the state says targets it each month, could present the legislature with an opportunity to improve that maturity level. Current threats notwithstanding, Riley said Burgum’s administration is aiming decades into the future.
“We’re really trying to change the conversation completely around cyber,” Riley said. North Dakota, he said, could become the home base for the “cybersecurity moonshot,” referring to a federal advisory panel’s report recommending a national mission to secure the internet.
Making cybersecurity a priority in North Dakota, Riley said, includes improvements to the state’s existing infrastructure and policy, but also to the minds of its residents. North Dakota’s “K20W” initiative, which in November launched computing and cybersecurity standards into K-12 education throughout the state, is now extending to the state’s public universities, where partnerships are being formed that officials say will enable new technical degrees and certifications to be offered. “It doesn’t matter if you’re a welder, farmer or engineer,” Riley said, students will find themselves in a “cyber-aware world.”
Highly connected, highly targeted
In North Dakota, cybersecurity presents a vast challenge for administrators because the state is already responsible for more than 250,000 users — including state and local government employees, students and university staff from across more than 400 organizations — on a shared network called STAGEnet. The network’s shared nature comes with benefits, Riley said, but its user base also makes the network comparable to that used by a company the size of Starbucks Coffee. Officials say that makes North Dakota a target.
Further compounding North Dakota’s cybersecurity challenge, it’s connected at an abnormally high density despite being one of the most sparsely populated states. A 2014 study by the U.S. Department of Agriculture’s rural utilities service found that North Dakota has more fiberoptic cable per square mile than any other state in the country.
That is owed in part to the Broadband Technology Opportunities Program, an Obama administration initiative that created a statewide broadband office and funneled hundreds of millions of dollars into it. North Dakota’s political and cultural environment has also allowed local utilities cooperatives to blanket the state.
As a result, 60 percent of North Dakota households have direct fiber-to-the-home access, compared to an average of 24 percent of households in the Midwest, according to the Council of State Governments. Officials say that, too, makes North Dakota a target.
North Dakota has plenty of targets for hackers seeking to sow chaos. It’s home to many military facilities, including the Grand Forks Air Force Base, which houses a major drone research facility. While the military bases are outside ITD’s purview, state officials say they’re still high-profile targets that raise the state’s potential as a cyberattack target.
Riley said North Dakota could also be targeted because of its status as a top agricultural and energy producer. The state is the country’s leading source of flaxseed and canola and the biggest producer of crude oil after Texas.
‘A huge opportunity’
The state’s target-rich online environment necessitates innovative thinking in cybersecurity across the state, Riley said, starting with the government’s own networks. One of the first steps in North Dakota’s strategy revolves around automating processes like network inventory that are today done by hand. Riley said the state is meeting with companies like Palo Alto Networks and Microsoft to understand the technical challenges of implementing such solutions and the potential time-savings that could be accrued. Before the state adds new IT employees, he said, he wants to ensure operations are highly efficient.
The technology office also needs to reform policy that currently limits its authority at the level of the wide area network, or WAN, before it’s able to secure outside organizations on the state’s network. The plan isn’t to take control of all STAGEnet infrastructure and devices across the state, Riley said, but to become a “partner” that can provide support to smaller organizations where and when they need it.
Many of the state’s universities, for example, already have cybersecurity personnel in place, but they may be missing some tools that the state can now provide. Riley said the state also wants to provide its partners with improved threat intelligence and remediation services “in a very different way than in the past.”
Government’s current approach to cybersecurity is unsustainable, Riley said, and North Dakota is setting an example that he hopes other states will follow, whether they’re home to canola farms or not.
“I think states across the nation are going to have to come up with new and innovative ways to be able to defend themselves,” he said. “There’s a huge opportunity here.”
This story was updated on Jan. 3, 2019 to clarify that the role of universities in the K20W initiative does not involve standards, but partnerships.