County & Local

Small counties serious about cybersecurity should meet their state CIOs

Speakers at a county leaders conference also urged IT officials to find people in their own organizations who are equally serious about cybersecurity.

By Benjamin Freed

March 5, 2019

Latah County, Idaho, IT Director Laurel Caldwell; Stevens County, Washington, IT Director Mark Curtis; NASCIO analyst Meredith Ward; and Center for Internet Security program manger Jamie Ward speak at a cybersecurity panel at the National Association of Counties legislative conference in Washington, D.C. (StateScoop)

Small counties, many of which have only a few information technology professionals on staff, still have cybersecurity needs. But without the funding to buy tools of their own, county officials ought to foster stronger relationships with their states’ top IT leaders, speakers at the National Association of Counties winter conference in Washington, D.C., said Tuesday.

“We bring state agencies in one day every six months,” said Mark Curtis, the IT director in Stevens County, Washington, which has a population of about 45,000 in the rural state’s rural northwestern corner. “But there’s a disconnect after the meeting because of the distance from Olympia.”

Only a few hands went up when Meredith Ward, a senior policy analyst with the National Association of State Chief Information Officers, asked the room of about 50 conference attendees if they knew who their state CIOs are. But that needs to change, she said, for resource-strapped counties to mount credible defenses against phishing attacks, ransomware and other online threats.

“Cybersecurity is a team sport,” she said.

Some largely rural states are making progress in helping their counties improve their cybersecurity. Laurel Caldwell, the IT director in Latah County, Idaho, said the state recently adopted two polices designed to help its counties. One requires every county to use the same incident response plan when a cyberattack occurs, and another created an insurance pool that she said nearly all of Idaho’s 44 counties have joined.

Idaho also has statewide adoption of the Center for Internet Security Controls — a set of 20 tasks and preventative measures designed to boost network protections — under an executive order signed last year by Gov. Butch Otter.

But not all collaborative cybersecurity efforts need to come from mandates. Curtis said that while the semi-annual visits from state officials are helpful, his county benefits from participation in a program in which computer-science students at Western Washington University conduct security monitoring for five rural counties and cities. The program, known as the Public Infrastructure Security Collaboration and Exchange System, or PISCES, was launched last year by Michael Hamilton, a former chief information security officer for Seattle.

Still, the panelists agreed better cybersecurity is dependent on everyone in the organization sitting in front of a computer screen.

“You could all have a billion dollars given to you right now and all it takes is one person to mess up,” said Jamie Ward, an IT security manager for the Multi-State Information Sharing and Analysis Center, which operates out of CIS’ Upstate New York headquarters.

Meredith Ward said NASCIO has found that the states that have built the best cybersecurity partnerships with their localities are the ones where CIOs play bigger roles in their governments.

“It comes down to authority,” she said. “Cybersecurity in the past three or four years has really become part of state policy. We’ve gotten governors to pay attention.”

But she also told the audience not to wait on someone from the state capital to call up about cybersecurity. Rather, county IT managers need to find the people in their organizations that share their concerns.

“Know your tribe, and if you don’t know, go out and figure out who that is,” she said. “Talking — that’s one of the greatest resources you all have.”