Cybersecurity continues to be a struggle for most state governments, but a report from New America highlights novel approaches in Arizona, New Jersey, and Washington.
Washington has one of the more robust cybersecurity strategies of any state, according to a New America report. (Getty Images)
Cybersecurity experts often say that there are only computer systems that have already been hacked, and those that haven't been hacked yet. The maxim applies equally to every level of government. In the past six months, governments in Colorado, Connecticut and North Carolina have been the victims of ransomware hacks, to say nothing of the wide-ranging attack in March that crippled Atlanta's government for weeks.
With every state having its own information security strategy, there's no uniform approach when a cybercrime occurs. But a few have established teams and bureaucratic structures that are better equipped to respond to hackers, according to a new report from the think tank New America.
Arizona, New Jersey and Washington state have made strides in positioning themselves to deal with cyberattacks, write the report's authors, Natasha Cohen and Bruce Nussbaum. While the federal government needs to take the lead in establishing a national cybersecurity strategy, state governments — and the municipalities they support — are most often the ones on the ground delivering people services.
"...[S]tate agencies are on the front lines of communication and response whenever there is an incident," Cohen and Nussbaum write. "While historically this role has sometimes expanded to federal agencies for cybersecurity, with the prevalence of threats and their widespread impact, this primary role shifts back towards state action in most cases. In this sense, even when states are not on the front lines of cyber incidents, they often are expected to support other jurisdictions; all this despite the fact that many states are in nascent or flux states in terms of their own cybersecurity."
But the states Cohen and Nussbaum highlight have established better strategies than others. While there's no perfect approach, the New America report says they're worth studying.
Arizona takes what Cohen and Nussbaum describe as a "community approach," with cybersecurity operations coordinated between the state government and the Arizona Cyber Threat Response Alliance (ACTRA), a nonprofit coalition of businesses and universities. ACTRA grew out of the the AZ Infragard Program, a 2000 FBI program designed to share information about cyberthreats between the public and private sectors.
The group runs workforce development programs and facilitates communication between the tech industry, academia and law enforcement, while the state's chief information security officer, Mike Lettman, runs the government's cybersecurity posture. In April, for instance, he hired a single vendor, RiskSense, to monitor risk across all 133 state agencies.
Still, a robust public-private partnership isn't without dangers, the New America report warns: "Members must trust that they have anonymity when desired, and also that their counterparts in other organizations and across the government are sharing back into the system just as they are." But the authors credit ACTRA with creating a "buffer that engenders faith" in that anonymity and the community it serves.
The Garden State's strategy runs on bureaucratic consolidation, led by the state's Cybersecurity & Communications Integration Cell (NJCCIC), created in 2015 by then-Gov. Chris Christie and modeled after the U.S. Department of Homeland Security's Computer Emergency Readiness Team. The NJCCIC takes the lead on all cybersecurity issues for the state, and often also in cities and townships that aren't equipped to deal with computer crimes.
"At the municipality level, who gets the call?" Cohen told StateScoop. "It’s often the local police department. In most cases they do not have the resources to respond. The NJCCIC has the resources to respond."
As a statewide cybersecurity coordinator, the NJCCIC has taken a role in operations ranging from responding to a hacking attack against Rutgers University to monitoring cyberthreats pegged to Pope Francis's 2015 visit to the United States.
But the most crucial detail about NJCCIC, the New America report says, is where it falls within the New Jersey state government. The agency, and the state's chief information security officer, answer to the state homeland security office, rather than the IT bureau, as is the case for many state CISOs.
"Placing the CISO under the aegis of the Homeland Security Office in New Jersey sends a strong message that cybersecurity is not just an IT problem, and gives the state CISO a mandate to expand cybersecurity planning across state agencies," the report reads.
Washington is one of the states furthest along in developing shared IT and cybersecurity services, the report states. Rather than a single bureaucracy or a public-private partnership, Washington coordinates its cybersecurity measures with a CISO who reports directly to the state chief information office, but also assigns significant roles to emergency management and state military agencies like the National Guard. The multidisciplinary model gives organizations like the National Guard a better handle on protecting critical infrastructure across the state, Cohen and Nussbaum write.
A decentralized approach is not without faults, though, especially when it comes to communications in an emergency. "The bifurcation between the office of the CIO and the Departments of Emergency Management and Military Affairs, however, has created occasional friction resulting from conflicting priorities and authorities," the report says.
But even with heads butting sometimes, Washington's system for cybersecurity management has created a deeper bench of personnel capable of responding to incidents when they arise. Ultimately, there's no one-size-fits-all state cybersecurity strategy, but Cohen told StateScoop the three examples her report analyzed have lessons that can be applied broadly. The report's conclusion recommends developing cybersecurity strategies with multiple stakeholders, bringing in government offices beyond the IT bureau and developing relationships with the private sector.
"Every state has to have priorities, but there needs to be pieces of each of these to have a comprehensive program," Cohen said.
Read New America's full report here.