State and local governments face a lot of the same challenges as the federal government and commercial companies — they operate networks, have vulnerable critical infrastructure and house a lot of sensitive data — but some experts question whether lower levels of government are fully acknowledging their cybersecurity exposure.
“As with other sectors, states are becoming more and more aware of the challenges,” Cheri Caddy, the White House National Security Council’s director for cybersecurity policy integration and outreach, told StateScoop TV in April. “The awareness has been helping them with getting them to take some action that they need to take, and we’ve been working on how we can help governors from the federal side.”
The Homeland Security Department and the FBI play a role in detecting and responding to a cyber incident at the state level. But in terms of establishing policies on cybersecurity, that’s where Caddy and the National Security Council come in.
Earlier this year, President Barack Obama issued an executive order encouraging the creation of information sharing and analysis organizations at the state level. Virginia jumped right on board, but other states have yet to follow suit — instead, those states cling to the longer-established Multi-State Information Sharing and Analysis Center, which began in 2010 from a White House and DHS effort that transitioned into a nonprofit entity operated by the Center for Internet.
“I think the challenge is awareness,” Caddy said. “But then it’s also what to do about it. Everyone now understands, because we’ve seen so many media reports on breaches, from public to private sector networks.”
According to Caddy, some states struggle to adopt effective cybersecurity policies and practices because of how they approach the issue.
“A lot of people think about it as a technical issue, they don’t quite know what to do, and they don’t know where to begin,” Caddy said. “It seems overwhelming, so I think that’s the area of concern that we’re working on — of making sure, not just that we raise awareness, but that we provide tools and the ability, and the partnership with the federal government that states can draw from and take action in this area.”
Caddy’s team at the White House regularly works alongside the National Governors Association, the Council of Governors and the National Association of State Chief Information Officers. Last summer, the council adopted a joint action plan on cybersecurity. According to Caddy, the plan sets up a way for states to collectively articulate their cyber needs.
“It sets up a way for the federal government as a whole to cooperate with states because it’s not just about what DHS can do, or what the FBI can do, or what the state can do with the National Guard,” Caddy said. “It’s about us collectively providing the tools and capabilities that are needed to the state. So this is a great way to talk about ways we can build.”