As the speed and scale of cyberthreats keep rising, it’s only become more urgent for state and local governments to mount a collective defense, several current and former statewide cybersecurity leaders said Thursday.
The officials’ comments, made at an Amazon Web Services conference in Washington, echoed a continued embrace of the “whole-of-state” strategy, an approach in which better-resourced state governments share their tools and capabilities with local governments and other critical entities. That approach is growing in popularity, particularly as states start receiving their funds from a federal cybersecurity grant program.
“Our borders are getting smaller,” said Meredith Ward, the deputy executive director of the National Association of State Chief Information Officers. “It’s collaborate or perish.”
Speaking alongside Ward, Arizona interim CISO Ryan Murray said his agency has for years offered key cybersecurity tools — including endpoint protection, multi-factor authentication and anti-phishing training — to local governments and school districts.
“We’ve been doing this whole-of-state thing for six years,” Murray said, noting that the program was initially funded with a U.S. Department of Homeland Security grant, but turned “up to 11” once it was given dedicated state funding.
That approach helps to alleviate the “cybersecurity poverty line,” Murray said, referencing a term coined about a decade ago by the longtime cyber industry leader Wendy Nather.
‘Take the money’
That line has only grown starker over the years, particularly as adversaries become more prolific and efficient in carrying out attacks. Matt Singleton, a former Oklahoma CISO who is now an executive strategist at CrowdStrike, the endpoint-management vendor, said during the panel that the average time it takes for a malicious actor to break out from its initial point of compromise to other systems on a network has fallen to 84 minutes.
More states might make progress on that front as the new cyber grant program — created by the 2021 infrastructure law — takes hold, though Murray and others on the AWS panel noted states’ awards from the four-year, $1 billion fund are rather modest.
“It’s $2 million to the State of Arizona in the first year,” Murray said. “We will absolutely take the money but it’s not enough.”
Maria Thompson, a former North Carolina chief risk officer who’s been a leading advocate for whole-of-state strategies, said states should use the federal grants to “kickstart” their programs, then back them up with state money over the longer term. Thompson is now an executive government adviser for cybersecurity at AWS.
‘Pain in the butt’
There are other, practical advantages for states using their DHS cyber grants to fund shared services, rather than issuing sub-grants that could wind up scattered across hundreds or thousands of jurisdictions, the panelists said.
“Instead of a local government going out and using the $5 they might get as a pass-through, the money is spent on shared service,” said Ward.
Murray also called the amount of paperwork and required reporting that accompanies federal funding programs a “pain in the butt for us at the state level.”
And the panelists noted there can be other pain points when trying to establish longer-term cyber funding in state budgets.
“Look for procurement vehicles that have reporting tools so you can see who is using the [software] licenses,” Thompson said. “Get your legislators involved, especially when you’re talking about state funding.”
Those conversations can be notoriously tricky.
“When I speak to legislators,” Ward said, “it’s like, ‘When is this cybersecurity thing going to be over?’”
Laughter erupted across the crowded convention hall.