My answer, going back to at least 2018, always includes North Dakota as one of the top states in cybersecurity. Their centralized cybersecurity model that includes all levels of government and education, a multistate cybersecurity operations center, and an upcoming mandatory cybersecurity education program are exemplary models to follow for the nation.
And while there are many other reasons for North Dakota’s excellent cybersecurity program, I always like to start with the people leading the charge. Put simply, North Dakota has been blessed with amazing CISOs over the past seven-plus years.
Sean Wiese was North Dakota CISO from 2016 to 2019. He is now the director of cybersecurity operations for MDU Resources Group Inc. I interviewed Sean back in early 2019 on North Dakota’s cybersecurity program and vision at that time.
Kevin Ford was North Dakota CISO after Sean left, and he is now the CISO at Esri. Kevin helped develop the NIST Cybersecurity Framework, and I included several of his stories in my book Cyber Mayday and the Day After.
And now, drumroll, please … North Dakota’s cybersecurity team is being lead by another very talented CISO, Michael Gregg, who has held that position since 2021.
Before becoming North Dakota CISO, Michael was the director of cybersecurity operations for the state government. Earlier in his career, he was the global chief information security director for International Container Terminal Services Inc., the lead for cyber programs at Villanova University and CISO for Superior Solutions Inc. in Houston, Texas.
I was able to catch up with Michael during several long conversations at the recent NASCIO Midyear conference in Maryland, and he agreed to an interview.
Michael Gregg (MG): One of the key accomplishments has been automation and machine learning. With the passage of Senate Bill 2110 in 2019, my team had the cyber authority to engage and defend the seven branches of government. My challenge was to grow coverage from about 20,000 endpoints to 250,000 endpoints. I needed a way to accomplish this with a fixed staff and budget. We have automated many of the repetitive tasks that SOC analysts typically perform and deployed AI/machine learning to work all of our phishing incidents. We currently operate at about half the staff as a similar-sized Fortune 30 company.
Another key accomplishment is our whole-of-state approach. Getting buy-in from multiple state entities for a unified approach to security is not an easy task. We held multiple listening sessions with our customers to understand their needs and the barriers that would prevent the deployment of our core tools. We customized our tools to meet their needs and further encourage adoption. We also worked with the state insurance entity and the North Dakota Insurance Reserve Fund (NDIRF) to get a 4 percent reduction in cost to those that adopted our tools.
DL: What are your top cybersecurity priorities for 2023-2024?
MG: My goals have shifted to governance, risk and compliance (GRC). We are tackling data governance. Working with partners such as the data division, I want to move upstream and reduce risk before it ever has a chance to impact the state. We have adopted NIST 800-53, joined StateRAMP and will have all 57 state agencies onboarded to third-party risk management by July 2023. Data classification and data loss prevention are other items on the agenda. Better control of data at rest and in transit can reduce breach impact. The key is to create systems that are easy to use and transparent to the end user.
DL: Tell us more about North Dakota’s interstate cyber operations center. How many states are now a part of your efforts?
MG: We have signed up 20 percent of U.S. states with the joint SOC and have memorandums of understanding (MOUs) out to several more. The idea was simple: Get the states to talk directly to each other, learn from each other and reduce the learning curve. Federal entities like MS-ISAC are great partners; however, what was missing was the state-to-state conversations. All member states share indicators of compromise (IOC) so that threat actors can be blocked quickly. All IOCs are tagged using the VERIS standard which allows us to map the findings to the Verizon breach report, the joint SOC and our internal SOC.
In June, we will be holding our second annual joint SOC tabletop exercise. We divided the participants into multistate teams, which allows cross pollination of skills. Analysts from each state get to spend time with others outside of their normal operational silos. We had pages of lessons learned last year and expect many more this time.
DL: How do you see that center evolving over the next year or two?
MG: Ultimately, this will be up to the state members. I want the state CISOs to determine the direction and activities this could grow into. The biggest, immediate goal is to have the teams continue to practice together, increase skills and better communicate during multistate incidents.
DL: You were just recognized by Government Technology magazine for your approach to “Building a Next-Generation Labor Force in North Dakota.” Do you think this could work nationwide? Or are there aspects that are unique to North Dakota?
MG: While North Dakota is unique in its vision and drive, I believe this is possible on a national scale. We need this as a nation. Tell me one job that does not touch cyber in some way! Where I see much promise is in growing educational cyber sports to increase student skills. In North Dakota, our current cyber games are held at the junior high and high school levels. I would like to see this expansion in all states across this great country.
Each state could have a cyber championship. Then, the best of each state can move forward to a national playoff. E-sports can provide the model by moving it to an educational-focused activity with prizes and scholarships for those going to college. My blue-sky vision is to grow this vision to international games. Get students focused on cyber, get them learning and help them defray the cost of their education!
DL: How do you think AI (and more near-term generative AI) impact technology and cybersecurity in America? Are you more fearful of attacks and misuses or embracing the new technology?
MG: Currently, we use AI to work on reported phishing and we’re the first state SOC in the nation to do this. Keep in mind, AI can also be used to create more convincing phishing emails. AI is going to have a huge impact and, like all technologies, it can be both good and bad.
DL: Is North Dakota working on any policies, procedures and/or ethics guidelines surrounding generative AI?
MG: Yes, the GRC team is currently working on a risk profile to help educate state agencies and schools so they are better educated and can help create policies up front. Let’s be honest, many times, technology races ahead, while laws and policies catch up.
DL: Is ransomware still growing, staying the same or shrinking in importance as a cyber threat in North Dakota? Is it the same in the other states you are working with?
MG: Ransomware is not going anywhere. It will continue to grow and evolve. Everyone has to be prepared to deal with ransomware before it hits. This takes focus and effort. We hold multiple business continuity and disaster recovery exercises to prep for this and other large-scale events.
DL: What new technology excites you the most? What cyber threats or developments do you fear the most?
MG: AI is at the top of the list. AI presents a great opportunity for automation and threat detection; however, it will be equally powerful for cyber criminals. AI will allow them to further automate their attacks and make it harder for the average user to spot threats.
DL: Anything else you want to mention?
MG: My closing thoughts would be for others in state and local governments not to give up and to continue pushing forward. There are innovative ways to accomplish tasks and achieve cyber goals. Work through what is possible and determine what actually can be executed and build metrics to track progress and move forward incrementally.
DL: Thank you, Michael, for taking the time for this interview. Also, thank you for your leadership in cybersecurity and your public service. The nation is benefiting from your efforts.