Linville is the lead sponsor behind the Creating WV Cyber Incident Reporting bill, which the governor signed this week. The legislation is designed to lay the groundwork for tightening up cyber defenses and enable faster response to threats by helping state officials better understand the scope of problems impacting various agencies, learn about attacks soon after they happen and regularly review defense strategies.
Streamlined reporting
The new legislation is designed to cut through confusion that surrounds incident reporting and fill knowledge gaps. At present, it can be hard to get a clear understanding of security statuses and vulnerabilities, Linville said.
“Reporting is a bit hodgepodge right now,” Linville said. “Information and messaging goes to various and sundry agencies — some federal, some at the local level.”
The new legislation takes aim at this problem by requiring agencies in all branches of government — from county boards of education to the state Supreme Court — to alert the Cybersecurity Office of incidents within 10 days, and the policy lays out a definition of what qualifies as a reporting-worthy event.
The state Office of Technology — which houses the Cybersecurity Office — oversees most of the state executive branch’s technology, but has thus far lacked that same kind of visibility when ransomware attacks or other issues hit local levels of government, said state CISO Danielle Cox. Those agencies have had no obligation to inform the state when incidents happened.
“People were dealing with issues and not telling anybody,” she said.
This approach left reporting gaps, which can impede the state’s ability to get a deeper understanding of threats and understand where state support is most needed.
“Maybe we do need to dedicate more state resources to the education institutes [or] maybe it’s the cities that are really struggling with cyber attacks,” Cox said. “We don’t know right now, and we can’t fix what we don’t know.”
Under the new law, local entities will retain control over how they respond to the cyber incidents. Still, the new reporting standards will likely make it easier for states to offer them help, Cox said. The increased communication with other agencies means the state is better positioned to inform those entities about available tools and contacts, such as the state’s cyber insurance coverage or relevant federal agencies.
Cox said the legislation goes into effect on July 5, 2021, and the state is rolling out a tool intended to ease compliance by helping agencies quickly assess whether incidents are serious enough to warrant reporting.
Shared risks
The reporting procedures introduced by the legislation can also better ensure agencies are alerted to developing threats that may impact them. Many public agencies use the same or similar software, so warnings about attacks that breached one user’s defenses must be relayed quickly to other users before they are hit, Linville said.
“[We need to have] a better understanding of the similar systems in place at branches of government so if we see a threat at one level of government, we can quickly and efficiently respond to that for other branches or levels of government that may have common systems and experiences and common vulnerabilities,” Linville said.
This is likely to become only more important going forward, due to procurement trends that increasingly see state officials contract with vendors for tools to serve both their own and local governments’ needs, Linville said. Having the same vendors supply a large swath of agencies can be more efficient than requiring every government organization to individually vet vendor applications and manage contracts, and using common systems can also lead to greater interoperability across agencies, Linville said. But having so many parties use the same tools also means that a weakness in one solution affects a greater number of entities — unless intelligence about it is available quickly enough to allow rapid intervention.
“If you have those common or identical setups, from hardware to software, one vulnerability exposed in one system — for example, in one political subdivision — could be an indicator of potential compromise in systems and software all across the state,” Linville said.
On the horizon
Better cyber incident reporting standards will help the state more accurately assess its security strengths and weaknesses and rethink its overall approach. The bill calls for members of the state Cybersecurity Office to regularly update the Legislature about the volume and kinds of cyberattacks being levied against public agencies, as well as provide their recommendations for strengthening defenses.
Linville said that bill supporters particularly wanted to prevent data breaches and that this may lead West Virginia to take a fresh look at the data it is trying to defend — including reconsidering what information it gathers and stores and how long it holds any sensitive data.
“Simply by living in or traveling through West Virginia, there’s certain information that’s potentially collected where the [person] doesn’t have a choice about whether they must share that information,” he said. “[With] a private company, a consumer has generally a choice to do business with that company or not. That’s not true with government.”
That puts an especially strong onus on public agencies to safeguard the identifying information they obligate individuals to provide — a duty that has become trickier during the pandemic. The public-health-driven shift to having more public employees work from home and connect over personal networks raises risks compared with staff operating in an office on the on-site network alone, making such security decisions particularly pressing, he said.
The new legislation also sets the stage for broader efforts to improve cybersecurity through stronger communication, Cox said. She hopes to later establish a cybersecurity group where members share threat intelligence and participate in cybersecurity exercises. Such efforts could be a boon to cybersecurity professionals throughout the state, she added.
“West Virginia is a fairly small state and hiring for cyber professionals is hard,” Cox said. “We need to make sure we’re encouraging those professionals in those areas and providing them with the resources they need to succeed.”