“CIO Tracy Barnes was interested in having an understanding of ‘Where are we in terms of cybersecurity incidents across the state of Indiana, including local government?’” Graig Lubsen, director of communication and external affairs for the Indiana Office of Technology, told Government Technology. “We obviously have a handle on state incidents, but understanding where we are on local government was sort of a blind spot.”
One year later, North Dakota and Indiana officials say these laws are helping them better understand the threat landscape and better target some resources, although they still have work to do to ensure all local entities are aware of the reporting requirements.
NORTH DAKOTA SHARES CYBER TOOLS
Laws like these can help state governments know where to direct their supports, according to North Dakota CISO Michael Gregg.
In North Dakota, the state oversees cybersecurity for all its political subdivisions, ranging from libraries to county governments. Requiring these entities to report cyber incidents has allowed the state to better direct supports to meet local partners’ needs. That’s included providing them with antivirus software, vulnerability analysis tools and user awareness training, Gregg said.
“[The law has] allowed us to get that intel in and build a better picture of what’s going on inside the state, and help us move those resources to where we really need it,” Gregg told GovTech. “One of the results of getting that law out there was it really helped us with pushing our tools… to other entities that didn’t have them so far. So, we had a 200 percent growth in our deployment of our basic tools.”
Some of the tools also automatically alert the state’s Cyber Operations Center about incidents, helping it respond faster, and public entities’ reports also bring incidents to the state’s attention more quickly. This prepares the state to warn other potential victims and intervene to block further attacks, Gregg said.
INDIANA MAPS THE THREATS
Indiana’s law has been helping officials get a more accurate picture of the threats facing localities. State officials are likely to learn about highly visible, disruptive attacks like ransomware, but other incidents might pass by unreported, and the policy helps correct that, said Tad Stahl, executive director of the Indiana Information Sharing and Analysis Center (IN-ISAC), in a conversation with GovTech.
Since the law’s passage, the state’s received about 175 incident reports, Lubsen said, and these have revealed a surprising amount of business email compromise (BEC) attempts. Indiana officials responded to findings like these by providing local governments with free training about phishing, through licenses available on a state contract.
Along with using the reporting to alert localities to potential attacks, the state aims to periodically update them about the kinds of threats that have been confronting their peers. Stahl said the state anonymizes information to be able to share insights without revealing the specific affected organizations.
CRAFTING THE LAWS
Cyber reporting laws can spark plenty of debate over the details, if federal lawmakers’ experiences are anything to go by. The past year saw federal legislators and industry debate what level of incidents warrant reporting as well as how promptly those reports should be made.
Lubsen said Indiana officials consulted with local government groups to craft the state policy and found localities were concerned that reporting requirements could become burdensome.
The state asks to be told about both incidents that caused harm and those that the local governments effectively stopped, and it strove to create a simple reporting process that could be finished within 5-6 minutes.
Indiana originally envisioned asking local governments to report if they experienced any of eight types of cyber incidents, but later trimmed this down to just six. Lubsen said one of the incident types they dropped from the list was “password attacks.”
“Some of the groups we talked to were worried [that] every time somebody tried to input a bad password — like five, six times — [we] wanted [them] to report that, which certainly wasn’t what we’re seeking,” Lubsen said.
Some also wanted to be allowed to take a week or more to report an incident, but the state decided that receiving the intel sooner would better prevent other localities from falling victim, Lubsen said. Policymakers ultimately settled on 48 hours, which Stahl said gives localities space to react to a major incident like a ransomware attack while ensuring the state gets timely information, should it need to send out an alert.
North Dakota, meanwhile, asks public entities to alert the state to incidents “as soon as they find out” that one occurred so the state can act before more entities are compromised, Gregg said. To make compliance easier, North Dakota offers trainings on how to use its system for reporting breaches and features spots on internal websites where government entities can click to request help.
Localities haven’t pushed back against the reporting requirements, officials from both states said, and getting compliance largely is a matter of raising awareness about the laws.
Indiana officials have been visiting counties in person to explain the policy and the ways it could benefit local government entities. As of late May 2022, they’d visited 44 of 92 counties, Lubsen said. At these meetings, the state encourages any relevant player to sign up to report incidents, including local officials and representatives of any third-party cybersecurity or IT vendors with which they contract, said Taylor Hollenbeck, director of intergovernmental affairs for the Indiana Office of Technology. At latest count, about 600 local governments had signed on to report.