[BreachExchange] 'Whole-of-state' approach on cybersecurity growing in popularity

[Audrey McNeil]

https://statescoop.com/whole-of-state-approach-on-cybersecurity-growing-in-popularity/

More state governments are overhauling their cybersecurity policies to
bring in additional stakeholders beyond their main technology agencies,
officials from several states said Tuesday.

That policy approach, known as “whole-of-state” and which can include local
governments, the private sector and educational institutions, is becoming
increasingly popular as governments face a near-constant barrage of
ransomware, denial-of-service attacks, election hacking and other
cyberthreats, panel speakers said at a National Governors Association
cybersecurity conference in Shreveport, Louisiana.

In many cases, whole-of-state cybersecurity planning begins with the
establishment of fusion centers that can share threat information between
different levels of government, or creation of commissions tasked with
setting policy, which 23 states have done since 2014. And some, like North
Dakota, are going even further by putting the state government in direct
control of all public-sector cybersecurity activity.

At the very least, a whole-of-state model can break down organizational
walls that prevent collaboration, as Maj. Gen. Glenn H. Curtis, the
adjutant general of the Louisiana National Guard, said his state learned in
2017, when Gov. John Bel Edwards created a cybersecurity commission.

“Everyone was pretty much working in their own stovepipes,” said Curtis,
who co-chairs the 15-member commission, which includes members from the
state’s law-enforcement agencies, local governments, major industries and
public universities.

In the 18 months since the panel was formed, Curtis said Louisiana has
improved the information sharing between its various sectors, many of which
faced common threats but had not been communicating sufficiently. Now,
Curtis said, the state incorporates cybersecurity into its disaster
planning, such as adding simulated cyberattacks into its hurricane
preparation drills.

“The cyber realm has become no different than air, land and sea,” he said.

Echoing Curtis’s focus on incorporating cybersecurity into natural-disaster
planning, North Carolina Chief Information Officer Eric Boyette said his
office issued advisories to its fellow agencies and the state’s residents
alike ahead of Hurricane Florence last year.

“Our chief risk officer [Maria Thompson] said don’t forget this is when the
bad guys will take advantage of us and our citizens,” Boyette said. “So we
made sure we were not only getting our citizens out of harm’s way, but
making sure they were cyber-aware.”

‘Sick of talking about it’

Jared Maples, director of the New Jersey Office of Homeland Security &
Preparedness, said that his state has been able to collaborate more
effectively with counties and municipalities by offering local officials
access to the work of the New Jersey Cybersecurity and Communications
Integration Cell, a fusion center the state opened in 2015. Among resources
offered by the NJCCIC, which is modeled after the U.S. Department of
Homeland Security’s National Cybersecurity and Communications Integration
Center, is a database containing more than half of the known de-encryption
codes for ransomware viruses, which Maples said have been particularly
costly to the Garden State.

“It’s becoming a big drain on local economies,” he said. “I think everyone
in here is sick of talking about it, but that’s a huge part of getting
through ransomware.”

Maples estimated that at least half of New Jersey’s 566 municipal
governments have been targeted, if not actually affected, by ransomware,
including Newark, which paid a $30,000 ransom to unlock data that had been
encrypted by the SamSam virus in 2017.

Virginia’s chief information security officer, Mike Watson, said he holds
regular meetings and teleconferences with other cybersecurity officials
throughout the commonwealth, including those from local governments. Watson
said that while more developed parts of Virginia, like the Washington, D.C.
suburbs, are robust enough to handle many of their own issues, his office
has taken on a broker role in pulling together resources for the
“not-very-well-infrastructured” communities.

Seeking a statewide consensus

But it’s North Dakota that’s come the furthest in implementing a
“whole-of-state” approach, following Gov. Doug Burgum’s signing of a law
that puts the state in charge of cybersecurity for all levels of
government, including counties, towns, courts and schools.

Speaking from the audience, North Dakota CIO Shawn Riley said the goal was
“all [governments in the state] getting together and shaking their head up
and down that cybersecurity is important.” To that end, he said the state
government is allowing other public entities to join its IT purchasing
agreements, which officials hope will help the state’s many small, rural
communities acquire better security tools at lower costs.

Riley later told StateScoop that under the new plan, which takes full
effect July 1, the state has already started conducting vulnerability
assessments for local governments and trained 750 grade-school teachers on
cybersecurity education, a figure he said may double within the next year.
He also predicted a majority of North Dakota’s local governments would join
the state’s purchasing plan as their own contracts expire.

As for states that aren’t as far along as North Dakota in coordinating a
statewide cybersecurity policy, Tuesday’s panelists all agreed the best way
to start is by building comprehensive plans. Asked by the moderator,
National Association of State Chief Information Officers executive director
Doug Robinson, for his advice, Maples offered a pugilistic reference.

“Everyone has a plan until they get punched in the mouth,” he said, quoting
Mike Tyson. “Have partnerships, have a plan.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20190517/b05ecfb4/attachment.html>