Wyoming governor requests $6.8M to expand state’s cybersecurity team

Earlier this month, Wyoming Gov. Mark Gordon sent a letter to the state legislature’s Joint Appropriation Committee requesting $6.8 million to hire 37 new cybersecurity positions.

If approved, the funds will come from the state’s 2024 fiscal budget year, with $2.3 million for hiring 14 new cybersecurity positions within the Department of Enterprise Technology Services, which is responsible for overseeing the the state’s technology projects and administering digital services.

The remaining $4.5 million would support filling non-cybersecurity roles across state agencies — such as customer support and IT operations jobs — to better support cybersecurity efforts across the state.

Gordon wrote in his letter that Wyoming’s cybersecurity team is smaller than those in other states with similarly rural populations. Alaska, for example, has an estimated population of 730,000, and 11 cybersecurity positions within its state government, while Wyoming has about 585,000 residents, according to the United States Census Bureau, making it the least populated state in the nation, but with only six dedicated cybersecurity roles in the state government.

“This disparity underscores the critical need to strengthen our cyber defenses, emphasizing a proactive and robust approach to cybersecurity to effectively monitor, detect, and swiftly respond to potential threats,” Gordon wrote, adding that since the Department of Enterprise Technology Services was created in 2012, more than 130 IT positions have been cut from state agencies. “Such vigilance is essential in protecting our digital assets and securing the sensitive information it contains.”

‘Whole of state’ cyber in Wyoming

Tim Sheehan, who is serving as Wyoming’s interim chief information officer for the second time, told StateScoop that the governor’s funding request to expand the state’s cybersecurity team follows an uptick in cyber threats across the state, including an incident in the small city of Rawlins last November.

On Nov. 8, the City of Rawlins was notified by the U.S. Department of Homeland Security and Homeland Security Investigations of a potential breach of the city’s computer servers. At the time of the notification, the extent of the possible breach was unknown, but Sheehan said a coordinated response between federal, state, and local agencies prevented the hackers from gaining a foothold in the state’s network.

Though unsuccessful, Sheehan says the thwarted cyberattack underscored the governor’s urgency to expand the cybersecurity team within Wyoming.

“The governor believes in a ‘whole-of-state’ government cyber defense, and so he [wants] to come together and create a framework to protect state and local jurisdictions and put those resources together to see how we can solve this as a unified front in Wyoming,” Sheehan said.

In addition to the $6.8 million the governor requested, Sheehan said he also hopes to use some of money the state’s received from CISA’s state and local cybersecurity grant program.

Sheehan said those grants will support cybersecurity awareness training for employees across state and local governments, who may not be as knowledgeable about cybersecurity because rural areas often have different priorities.

“When you get into rural America, they’re not focused on what phishing is. They’re focused on, ‘We’re a big agriculture.’ They’re on their ranch taking care of, especially this time of the year, their livestock,” Sheehan said.

‘Normalizing’ cyber

Sheehan said the Department of Enterprise Technology Services is trying to “normalize” cyber events and categorizes cyber incidents using the same vocabulary as other emergencies that also require an immediate government response.

“For us, a cyber event or incident is no different than a flood, a fire or other natural disaster,” Sheehan explained.  “A response is a response, boots on the ground, everybody around the table and lock it down.”

Part of normalizing cyber events, Sheehan said, is also to spread awareness to local state agencies that cyber incidents are a credible threat to Wyoming residents and state security, even if the state’s more rural municipalities fail to see it.

“We need to help relaying it back down, not only to our agencies, but local jurisdictions as well. ‘Just because you’re small, or just because you think you don’t have anything important. You do,’” Sheehan said of the local governments, which may not consider themselves high-value targets. “And we have interconnected systems, so they may not necessarily be after you, but they want to get to that next system and pivot to the state as a whole. That’s the goal there.”

Sheehan said he expects the state legislature to approve Gordon’s funding request by the end of the legislative session in March, at which time the funds to fill 14 new cybersecurity positions within his department will become immediately available.

“Wyoming is a rural state. We have a rural population, and we have a lot of local jurisdictions who, unfortunately, just don’t have the resources to do what they need to do, let alone hire an IT person,” Sheehan said.

The new hires would build on a June 2023 executive order establishing the Cyber Assistance Response Effort team, a cybersecurity emergency response team with members spread across state agencies.