Such an approach recognizes that cities, their counties and their states are all ultimately trying to serve the same residents, and that any effort to make those constituents more cyber safe advances the mission of every level of government, said Vinod Brahmapuram, senior director of security at Lumen Technologies and former state CISO for Washington, during an Oct. 26 GovLoop webinar.
Government entities also often connect with each other to deliver services, with the side effect that a risk to one entity then becomes a risk to the others.
“We are in a connected ecosystem,” Brahmapuram said. “We cannot just protect in one area and leave the other areas open. There's going to be an impact.”
North Carolina has been taking a whole-of-state approach — in its case, one that’s powered by a joint task force comprising various stakeholders, said North Carolina CIO Jim Weaver during the webinar.
The state’s Joint Cybersecurity Task Force pulls together the state IT and Emergency Management departments, the state National Guard and the North Carolina Local Government Information Systems Association (NCLGISA) Cybersecurity Strike Team. It provides any government entities — ranging from grade schools and higher ed to state and local agencies — with technical assistance, incident coordination and other supports.
Having a group to turn to during a crisis can make a big impact for cyber crime victims, Weaver said.
“You're at your worst moment and you're not thinking clearly when you've been ransomwared or something else like that,” Weaver said. “Having those colleagues around you to kind of work with you makes a world of difference.”
Launching and maintaining a whole-of-state approach has its challenges, however. Weaver said states need to consider how to win local partners’ trust, bring the right collaborators to the table and make sure their cyber interventions and supports are having impact.
GATHERING COLLABORATORS
States need to avoid giving local governments the impression that they’re swooping in to take over. Powering the whole-of-state approach through a team that includes strong local government representation can help, however. Weaver said that the task force’s local contingent, NCLGISA, takes point on incidents impacting local entities, while state representation leads for incidents affecting state agencies.
Whole-of-state efforts should also focus on fostering ways for all levels of government to share ideas and information about risks and best practices, Brahmapuram said. He recommended raising awareness about those matters, but letting individual entities decide what actions to take to suit their particular needs.
Statewide cybersecurity programs can also benefit from looking beyond the standard government agencies.
The state National Guard is a key part of North Carolina’s task force, for example. Guard members often have access to special cyber trainings and one of their main missions is to serve the state, Weaver said.
North Carolina’s task force also occasionally reaches out to get sector-specific expertise. If a health-care organization is hit, for example, the task force can ask the Department of Health and Human Services to help assess the impact and identify any relevant federal reporting requirements.
The state has also been working to bring private-sector critical infrastructure into the conversation. That includes asking them for advice and insights about topics like threats, tabletop exercises and lessons learned, Weaver said.
THE RIGHT KIND OF SUPPORT
Cyber task forces need to ensure the support they give is enough to make a difference, Weaver said.
“Nothing's more frustrating than having our forces go out there, do a vulnerability assessment, say, ‘Hey, here's where we think you're very vulnerable.’ And the entity puts it in the filing cabinet and checks the box and says, 'I’ve got my vulnerability assessment done.’ And then six months later, they get victimized,” Weaver said. “So we want to make sure that, as we're going out there … we're also able to come back around and help them remediate the situation.”
But with the state experiencing “billions” of cyber events every day, North Carolina’s task force also has to determine when it’s time to move on so it can be ready to assist the next entity in need. It needs to stay focused on incident response and mitigation, and not get bogged down in everyday cyber tasks.
“There’s a point in time at which we have to disengage — the Joint Cyber Task Force is not there to run day-to-day operations,” Weaver explained.
RALLYING THE OTHER BRANCHES
Executive and legislative branches can make strong partners on cyber efforts, if IT engages them, Weaver said.
North Carolina’s Joint Cyber Task Force has been operating for several years, but this year finally won formal recognition from the governor and received recurring funding from the Legislature for the first time. Getting these branches on board means giving them the hard facts — not anecdotes — about the dangers and about how much progress IT can feasibly achieve in the near term and how long it’ll need to hit all its goals, Weaver said.
“You really need to be brutally honest with the governor and the administration and the legislature. They need to understand what’s occurring,” he said. “… You'd be surprised at the level of interest and the questions that you will get back.”