‘Whole-of-state’ approach on cybersecurity growing in popularity

More state governments are overhauling their cybersecurity policies to bring in additional stakeholders beyond their main technology agencies, officials from several states said Tuesday.

That policy approach, known as “whole-of-state” and which can include local governments, the private sector and educational institutions, is becoming increasingly popular as governments face a near-constant barrage of ransomware, denial-of-service attacks, election hacking and other cyberthreats, panel speakers said at a National Governors Association cybersecurity conference in Shreveport, Louisiana.

In many cases, whole-of-state cybersecurity planning begins with the establishment of fusion centers that can share threat information between different levels of government, or creation of commissions tasked with setting policy, which 23 states have done since 2014. And some, like North Dakota, are going even further by putting the state government in direct control of all public-sector cybersecurity activity.

At the very least, a whole-of-state model can break down organizational walls that prevent collaboration, as Maj. Gen. Glenn H. Curtis, the adjutant general of the Louisiana National Guard, said his state learned in 2017, when Gov. John Bel Edwards created a cybersecurity commission.

“Everyone was pretty much working in their own stovepipes,” said Curtis, who co-chairs the 15-member commission, which includes members from the state’s law-enforcement agencies, local governments, major industries and public universities.

In the 18 months since the panel was formed, Curtis said Louisiana has improved the information sharing between its various sectors, many of which faced common threats but had not been communicating sufficiently. Now, Curtis said, the state incorporates cybersecurity into its disaster planning, such as adding simulated cyberattacks into its hurricane preparation drills.

“The cyber realm has become no different than air, land and sea,” he said.

Echoing Curtis’s focus on incorporating cybersecurity into natural-disaster planning, North Carolina Chief Information Officer Eric Boyette said his office issued advisories to its fellow agencies and the state’s residents alike ahead of Hurricane Florence last year.

“Our chief risk officer [Maria Thompson] said don’t forget this is when the bad guys will take advantage of us and our citizens,” Boyette said. “So we made sure we were not only getting our citizens out of harm’s way, but making sure they were cyber-aware.”

‘Sick of talking about it’

Jared Maples, director of the New Jersey Office of Homeland Security & Preparedness, said that his state has been able to collaborate more effectively with counties and municipalities by offering local officials access to the work of the New Jersey Cybersecurity and Communications Integration Cell, a fusion center the state opened in 2015. Among resources offered by the NJCCIC, which is modeled after the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center, is a database containing more than half of the known de-encryption codes for ransomware viruses, which Maples said have been particularly costly to the Garden State.

“It’s becoming a big drain on local economies,” he said. “I think everyone in here is sick of talking about it, but that’s a huge part of getting through ransomware.”

Maples estimated that at least half of New Jersey’s 566 municipal governments have been targeted, if not actually affected, by ransomware, including Newark, which paid a $30,000 ransom to unlock data that had been encrypted by the SamSam virus in 2017.

Virginia’s chief information security officer, Mike Watson, said he holds regular meetings and teleconferences with other cybersecurity officials throughout the commonwealth, including those from local governments. Watson said that while more developed parts of Virginia, like the Washington, D.C. suburbs, are robust enough to handle many of their own issues, his office has taken on a broker role in pulling together resources for the “not-very-well-infrastructured” communities.

Seeking a statewide consensus

But it’s North Dakota that’s come the furthest in implementing a “whole-of-state” approach, following Gov. Doug Burgum’s signing of a law that puts the state in charge of cybersecurity for all levels of government, including counties, towns, courts and schools.

Speaking from the audience, North Dakota CIO Shawn Riley said the goal was “all [governments in the state] getting together and shaking their head up and down that cybersecurity is important.” To that end, he said the state government is allowing other public entities to join its IT purchasing agreements, which officials hope will help the state’s many small, rural communities acquire better security tools at lower costs.

Riley later told StateScoop that under the new plan, which takes full effect July 1, the state has already started conducting vulnerability assessments for local governments and trained 750 grade-school teachers on cybersecurity education, a figure he said may double within the next year. He also predicted a majority of North Dakota’s local governments would join the state’s purchasing plan as their own contracts expire.

As for states that aren’t as far along as North Dakota in coordinating a statewide cybersecurity policy, Tuesday’s panelists all agreed the best way to start is by building comprehensive plans. Asked by the moderator, National Association of State Chief Information Officers executive director Doug Robinson, for his advice, Maples offered a pugilistic reference.

“Everyone has a plan until they get punched in the mouth,” he said, quoting Mike Tyson. “Have partnerships, have a plan.”