Q&A: Virginia governor talks cyber, warns states not to be the weakest link
Virginia Gov. Terry McAuliffe is big on cybersecurity.
As the chairman of the National Governors Association, the Democrat visited San Francisco’s RSA Conference on Tuesday to rally state leaders to implement basic cybersecurity standards and reach out across sectors for viable defenses and action plans. He said that inaction or a simple lack of awareness from states is opening the door for devastating attacks. Hackers can steal personal citizen data, cripple critical government services and inflict economic damage to companies that support local jobs.
To this end, McAuliffe said he and NGA are working across the aisle and beyond state borders to develop a set of national guidelines for cybersecurity. Some of these efforts have included NGA’s Meet the Threat, an initiative to help state governors to diagnose vulnerabilities and find remedies. While his other work has entailed support and participation in Virginia’s Cybersecurity Commission to deploy protections to cities and towns.
In an interview with StateScoop, McAuliffe elaborated on what Virginia is doing to fight cybercrime and protect government assets.
StateScoop: Looking at your current budget proposal, how is Virginia investing in cybersecurity?
Virginia Gov. Terry McAuliffe: We’re trying to lead the nation. We have over 500 cybersecurity companies now in the commonwealth and as chairman of the National Governors Association, my whole initiative is cybersecurity because states collectively have more personal data than the federal government. So we need to step out in front. And in Virginia we have the Pentagon, CIA, 27 military installations and one of the largest naval bases in the nation so we have a very unique responsibility to protect our military assets and our businesses; and of course, to protect all the personal state information we have. … We’re the first state to do the NIST [National Institute of Standards and Technology] security framework. We’re the first state to stand up an ISAO [Information Sharing and Analysis Organization], and we’ve leaned in also on the computer education piece.
We’ve now added computer science to our core, our standards of learning. We’re doing matriculation agreements between our community colleges and our four-year universities. If you take cyber courses, for example, you can automatically move those credits to a four-year school — which leads to a reduction on tuition costs. We have scholarships now. If you’re willing to give me a couple years of service to the state, we will pay for you to get your cyber degree. So we’ve put a lot of very innovative things into our budget and the things that we really need to do. We even have cyber camps in the summer so 10th, 11th and 12th graders can now go to one of our cyber camps all over the commonwealth — that we pay for — so they can begin learning about cyber and the things we’re actually doing.
I put more money in for our state police stand up a new cyber fusion center, and we just got awarded a new Air Force Command Cyber Center. We’ve really leaned in on these assets in Virginia, changed a lot legislation and we’ve led on our executive orders. I set up a cyber commission, and in fact, we were one of the first states to setup a cyber commission to bring all of our assets together to make recommendations on cyber. In this we have the private sector, public sector, we have educators, we had everybody doing seven town halls and meetings across the state. So as you can see in Virginia we are very strong on the cyber piece.
SS: What does the state do to help coordinate intelligence sharing?
McAuliffe: I’m a member of the Council of Governors. There’s 10 of us — five Democratic governors an five Republican governors appointed by the president of the United States and we meet with the Department of Homeland Security, FBI, and Department of Defense, so I’m very much involved in the whole. But we work very collaboratively with the federal government on sharing information. The Council of Governors have come up with an agreement with the federal government about sharing of information about how we guard ourselves and the threats that we need to know earlier that ever before. It’s very important to do this because, as I say, with the Pentagon, the CIA and a lot of other agencies we support we have to ensure security.
SS: What are the top cybersecurity issues that you think about daily and that might keep you up at night?
McAuliffe: All of it. I had 86 million cyber attacks last year in Virginia. That’s three every second. They are trying to disable our 911 emergency center. They’re trying to inflict pain on our hospitals and cause grief to our medical systems. So we worry, obviously, about defense and intelligence of these things. But as governor, I worry about everything. I have one of the largest ports on the East Coast with an immense amount of port activity. There is also Dulles International Airport, with its air traffic and all of those assets in that regard.
But again, at night I stay up worried that someone may try to access all of the personal data we have too. We have state tax returns, health care records from Medicaid and Medicare plans, we have drivers license information and social security numbers. That is all on our systems. And why I’ve chosen to be Chairman of the NGA, and to lean in on this, is because we can do a great job in Virginia, but if other states haven’t done much then you’re only as strong as the weakest link. We’re trying to get all 50 states to have basic protocols so they are doing the bare minimum. Because if we have the same state healthcare provider, they could come in from the back door of another state to into a Virginia system. That’s what keeps me up at night worried about making sure all 50 states have the necessary protections in place to protect what they’re doing?
SS: How do you help your local jurisdictions, those cities and counties that may need to lean on state funding and support for cybersecurity?
McAuliffe: We’ve been out front on this, but you can never do enough. It’s constantly evolving and changing. As soon as we come up with a great protocol, the cyber hackers and criminals come up with some creative way to get around it. So it’s a good question, and we’re trying to get our localities to understand more about cybersecurity. And actually, the same thing I say about other states needing to improve security, I say about our municipalities in the Commonwealth of Virginia. We have weak links in our municipal system. This is a concern because hackers can go after your water system, your electrical grid and that’s what we all have to worry about. So we have, through our Cyber Commission, brought in these localities and we’ve put money in the budget to fund them.
SS: Thinking about this collaboration, how do you also keep state legislators in the loop with these officials constantly coming and going out with each election cycle?
McAuliffe: Well, it’s interesting, because as part of my role as the NGA Chairman with cyber as my initiative, our legislators hear about cybersecurity a lot in Virginia. So I think everybody is pretty much well-versed on that in Virginia, but I think it is about constantly educating legislators and the public. Because 86 million cyber attacks in the state of Virginia, that should keep everyone up at night. In South Carolina and Utah, there have been some pretty serious breaches where citizens’ personal data was taken, so this is not hypothetical. It’s happening.
So, I try to promote collaboration, and through our Cyber Commission, constantly evolve our communication strategies and have legislators involved in that process so we’re all up to snuff. But they leave it up to our executive branch to facilitate this, as they should, through executive orders and outreach. At the state level, it’s the chief executive office that has to coordinate, has to drive it because we’re the ones who are constantly in touch with the state police and all the other assets so we can inform them about what’s being done on a daily basis.
The governor’s comments were edited lightly for readability.