This voluntary program enabled cities, counties and school districts to upgrade software, patch security holes and coordinate other remediations for free or at a greatly reduced cost via a combined state-local contract.
I was the Michigan chief information security officer at the time, and our team was excited to address widespread technology and cybersecurity needs by coordinating cyber defense protections throughout our state. Why? Because we recognized the interdependencies of programs, systems, networks and even business functions with local governments.
Fast forward to 2022 and local governments across the U.S. now benefit from buying cybersecurity products and services from state government contracts. There are also technology partnerships on a wide array of projects, cybersecurity training programs and more.
But the trouble with most of these state-local arrangements is that they are usually voluntary, not consistently implemented, and limited in scope and time frame. While most states offer assistance if a local government or school is hit with a ransomware attack or data breach, that help generally ends when the incident is closed.
And make no mistake, most local gov tech leaders want it that way. Locals like their autonomy from the state just as much as states like autonomy from the federal government. While more funding, training and coordination generally make sense, oversight rules, regulations and statewide policies are generally seen as “Big Brother” from powerful government neighbors.
Last October, Government Technology featured an article titled Whole of State, which gave examples of partnerships and successes in organizations that use a whole-of-state approach, and even solutions that cut across the public and private sectors. And this trend has only grown over the past year.
Now, as we head into 2023, we may reach a tipping point. Here are three factors that may drive most states to adopt a whole-of-state approach to cybersecurity governance.
Explosion in local cybersecurity needs: The relentless and growing onslaught of ransomware attacks, data breaches and other cyber incidents over the past few years has been well documented. Add in the difficulty that local governments face with attracting and retaining cybersecurity professionals and keeping cyber insurance, and help from states seems like (at least part of) a logical solution. Many local governments are turning to managed service providers that can assist in cybersecurity protections and help benefit from economies of scale.
New cybersecurity grant program: The Infrastructure Investment and Jobs Act (IIJA), which will be providing more than a billion dollars to state and local governments over the next few years, requires a statewide plan, even as 80 percent of the money is set to go to locals. This process will force federal-state-local cooperation on project oversight that is new and generally welcome.
Beyond the coming grant dollars allocated to local governments, the planning process and overall coordination will be essential to successful projects and maximizing value for the resources to be allocated. Whole-of-state cybersecurity solutions will become the norm.
Several states are already leading the way: We always have leaders, followers and laggards with new technology and cybersecurity frameworks, best practices and governance approaches. As I mentioned earlier, several states are leading in this area now, and with the support of the National Association of State Chief Information Officers, the Public Technology Institute and others, whole-of-state cybersecurity approaches should grow.
There is no doubt that resistance to change, as well as mistrust between state and local governments, will be headwinds that will slow progress toward whole-of-state cybersecurity in parts of the country. Nevertheless, the economic realities and best practice case study examples should drive states to take further steps to enable better cyber operations capabilities than what is possible if locals go it alone.