With tight budgets and limited resources, states face threats like never before, including at the local government level, where funding is often inadequate. Properly securing assets is expensive and competes with other priorities, which means that modernizing cybersecurity often becomes a futuristic goal.
With more grant money available than ever before, many states are looking for ways to work together with local governments to help them improve their security environment. The key to this whole-of-state approach is communication, according to panelists at the National Association of State Chief Information Officers’ (NASCIO) midyear conference in early May at National Harbor in Fort Washington, Md.
The panel discussion entitled “Evolving Cybersecurity for Evolving Threats” featured New Hampshire Chief Information Officer Denis Goulet, and Steve Hodges, Chief Information Security Officer (CISO) with the Georgia Technology Authority. The panel also included Maria S. Thompson, State and Local Government Executive Government Advisor – Cybersecurity at Amazon Web Services, and Matt Singleton, Executive Strategist at CrowdStrike.
George Jackson with GovExec TV kicked off the discussion asking the state guests what role a whole-of-state approach can play in securing government assets.
“We’re at the beginning of our journey, right now,” said Georgia CISO Hodges. “We’re working to define that as well as implement it. So for us, it’s starting with the executive branch, and we’re looking at them and trying to roll out the tooling and expertise in those agencies.”
Georgia is looking at cybersecurity gaps so it can deploy a consistent tool set across the enterprise on a rolling basis – across the state, across the counties, and across the municipalities.
“And we can feed that information into a location, the Security Operations Center, where the state can manage and monitor that data to see what’s going on, we can see what’s happening, and we can alert those entities where there may be something going wrong in their environment,” said Hodges. That’s where communication begins to demonstrate its value.
While other states are looking at the problem in different ways, “the motion is pretty much the same,” stated AWS’ Thompson. “The vision, the mission is the same, which is to get that visibility broadly across state and local government entities to be able to see the threats that are coming at them, and to be able to be more proactive in how they apply those practices,” she said.
Thompson believes that represents a movement that’s been ongoing for quite some time. “And it’s starting to pick up steam, and I love it because I think it’s the right approach, and it’s where we should be going,” she said. “Because we know that in some organizations, we have immature security postures, whereas some may be a little bit more mature.”
She thinks it’s time that, as an ecosystem, the entities come together and actually work together – and, more hopefully, visibly share threat intelligence – as well as gain that broad visibility, to better understand the threat landscape.
New Hampshire CIO Goulet offered his perspective – having served almost two years as NASCIO president during the COVID pandemic – on the whole-of-state challenge. “It started back when NASCIO and the National Governors’ Association (NGA) were thinking about how we address this cyber problem in our cities, towns and county governments. That recommendation made me think about it.”
After that, Goulet did a radio interview with Margaret Byrnes, Executive Director at the New Hampshire Municipal Association, and said as a result, “we found common ground and we decided let’s do something together. So that kind of started my journey on whole-of-state.”
Goulet describes it as really a relationship building journey, bringing more and more people into the movement as AWS’ Thompson hoped. “We now have this kind of large, informal public-private partnership. There’s nothing compelling anybody to play, but we all are playing anyway. And it’s working for us,” he said. It all began with communication.
CrowdStrike’s Singleton, prior to his private sector role at CrowdStrike, was responsible for the cybersecurity program in Oklahoma, rebuilding it from the ground up. “I wish I could tell you it was a strategic plan, that we just could see into the future, and we knew exactly what needed to be done. But honestly, we kind of stumbled into it. We knew relationships were important. We knew communication was important.”
Oklahoma started rebuilding its Cyber Command, and relied heavily on Federal partners. “We brought on a new cybersecurity adviser from CISA and immediately brought him into the leadership team for Cyber Command. And that really helped us understand where the Feds were going. We started talking about a more comprehensive approach; we called it whole-of-government, not just whole-of-state, because we really felt like the Federal partners need to be at the table with us,” said Singleton.
Oklahoma pursued an intelligence-first approach, focusing as much as possible on generating cyber threat intelligence. “And then we really start building relationships with the localities. We started sharing that intelligence. And so what we found is, ‘Yeah, there are some folks that have mentioned concerns about Big Brother and have concerns about precedent in the state – they would do their own thing,’ but as we provided our partners in localities with intelligence and information, what we saw is more and more people got involved. And they really felt like cybersecurity teams.”
Again, it was all about communication.