It took a while to catch on, but organizations are starting to understand that cybersecurity is not just an IT problem but a C-level issue that concerns an organization’s leading executives and decision-makers. In the corporate world, this certainly includes the CEO – and in the public sector, the state-level equivalent of the CEO is the governor’s office.
Just like CEOs and the rest of the executive suite, governors cannot afford to sit on the sidelines as malicious cyber actors threaten entities operating under their purview, be they local elections, critical infrastructure, school districts or public services.
“It's the same thing in the public sector as it is in the private sector,” said Maggie Brunner, program director for homeland security and public safety issues at the National Governors Association, a nonpartisan policy think tank and advocacy organization representing all 55 U.S. state and territory governors and their interests. Brunner recalled that at a recent NGA event for new governors, one veteran chief of staff said that cybersecurity went from something that would land on his desk “maybe once a quarter” when he first started to “every single day.”
Last week, the NGA’s Center for Best Practices and its Resource Center for State Cybersecurity announced that five U.S. states have been selected for its “2021 Policy Academy to Advance Whole-of-State Cybersecurity.” The academy operates as a boot camp, designed to provide technical and strategic assistance to states, helping them develop and share best whole-of-state practices in key areas. Kansas and Missouri will focus on cybersecurity governance, Montana will concentrate on workforce development, and Indiana and Washington are looking to boost local engagement and partnerships.
In a whole-of-state approach to cybersecurity, states collaborate closely with cities, towns and municipalities within their borders to jointly defend their common interests. Cooperation between state and local governments is the policy area that has seen the most exponential growth recently, Brunner said, as state officials realize that they must partner, cooperate and share resources with local governments – in much the same way that companies share cyber intelligence with other businesses operating within their industry vertical.
In today’s climate, if a school district or small city is shut down by ransomware, “Governors aren't saying, ‘Not my problem – that's a political subdivision, that's not us.’" [Instead,] they're saying, ‘How do we help?’” she explained.
It comes down to breaking down information silos, and this is also true in terms of how cybersecurity is managed across multiple state departments. "It's not…about each individual agency, for example, having an incident response plan,” Brunner continued. Rather, it’s about: “How are we creating a whole statewide ecosystem? How are folks working together?”
“You’re going to need folks who are in economic development, you're going to need folks in the Department of Ed, you’re going to need folks like CISOs, who oftentimes provide that great technical subject matter expertise. So…this really does require a multidisciplinary team.”
Missouri Governor Mike Parson echoed these very sentiments in an email interview with SC Media, noting that as cyber threats grow in both frequency and sophistication, “a joint commitment by cybersecurity leaders in Missouri will be critical to thwart attacks and reduce risks. Missouri recognizes cyber as not merely an IT issue but a security threat requiring shared responsibilities and collaboration. The opportunity to establish a statewide model that can provide a clear governance framework with cross-organization participation will help us meet the growing cybersecurity challenges.”
Parson said that Missouri’s objective for this year is to produce six documents that collectively will constitute a preliminary draft of the state’s cyber governance model: “Missouri’s Cybersecurity Goals, Cyber Goal Metrics, Defined Cyber Terrain, Missouri Cyber Resources, Cybersecurity Resource Gaps, and finally, Framework on Roles and Responsibilities.”
Kansas Governor Laura Kelly has similar aspirations. “Kansas chose cyber governance as the primary area of focus for the NGA Cybersecurity Policy Academy because we are seeking to improve our old, antiquated systems, enhance collaboration and break down siloes between units of government in Kansas,” she told SC Media. “With more cyber events occurring at different levels of government, a holistic approach to cybersecurity across the entire state will help foster information sharing and collaborative cyber response.”
A holistic approach also helps preserve precious budgets – but to accomplish this, state and local government officials must be incentivized to pool their funds and collective intelligence. “If we can get people to collaborate and stretch their dollar, things can move a little bit more effectively,” Brunner said. For instance, the NGA has recently witnessed what Brunner termed a “huge output…in shared service contracts. ... And that's a really effective way to buy down your risk in a really tough budgetary climate.”
Past successes, future goals
Last year, seven states were selected to participate in a similar NGA Policy Academy initiative, the main objective of which was to implement best practices for advancing statewide cybersecurity. And, in 2019, six states worked with the NGA on strategies to ensure election integrity.
One of the NGA’s best recent success stories took place in Michigan. Last year, under Governor Gretchen Whitmer, the state developed what Brunner described as a cyber framework for K-12 educational districts consisting of three pillars: securing schools, building a cybersecurity curriculum and developing leaders.
“Right now, they're in the process of socializing that across the state and really getting buy-in,” Brunner said. “And that's where NGA was able to say, ‘Not only can we help you refine these policy objectives and come up with this fantastic framework, but [we can] also be that neutral facilitator to get a lot of folks around here to say yes.’”
Another notable example is NGA's past collaboration with the West Virginia's governor's office to support the drafting of legislation to centralize cybersecurity governance across the state and its agencies. "They...were looking to hone in on messaging strategies, how to catch the attention of appropriate policymakers. How do we talk about this need? How do we talk about cybersecurity in general? And so that's something we were able to assist them with...and, fortunately, that bill got passed.”
NGA’s assistance can take many forms as it consults with the governor’s office itself, as well as various stage department and agencies (including homeland security entities), and the local National Guard. Oftentimes, the organization will connect states to subject matter experts or other government entities that have experienced similar initiatives and challenges. The organization also can expose states to proven practices and policies, help them with strategic planning and setting goals, and assist with standing up governance bodies and task forces.
“We often take a look at: What are the great things that you're doing that you might want to further amplify?” Brunner said. “What are some of the challenges that you're experiencing? And where is it that you want to be? How do we get from point A to point B in a given timeframe? So, it's a lot of sort of SWOT analysis and strategic planning.”
States are chosen for the program by submitting an application that proposes an upcoming cyber initiative and corresponding objectives, along with a letter signed by the governor that confirms interest in reaching said objectives.