What Do Cities and Counties Get From Whole-of-State Cyber?

With help from whole-of-state efforts and federal funding support, small and rural communities are getting a boost for their cyber defenses. Is it enough?

Auburn, Ind., is on "the cusp of massive growth," said its City Council President Natalie DeWitt.
What keeps Natalie DeWitt up some nights is no less than the future of her small town, Auburn, located in a sleepy corner of Indiana that’s a short drive from the Ohio border.

DeWitt, president of Auburn’s city council, has gained a reputation locally and statewide as an advocate for better cybersecurity in rural areas. About 14,000 people live in Auburn.

As DeWitt sees it, the town is on the “cusp of massive growth” as a “bedroom community” to nearby Fort Wayne. Any major problems — including, say, a digital assault on local utilities or a broader ransomware attack — could bring negative attention and financial pain to the city, slowing the progress DeWitt and her colleagues are working toward.

“We have great things on the horizon,” she told Government Technology. “If we were to get hacked, that could divert some really great growth.”

That’s why she’s among the countless local and regional officials across the country who have embraced whole-of-state (WOS) cybersecurity — and who are depending on it to protect their civic futures.

Backed by $1 billion in federal grants, along with joint contracting, security conferences and other efforts, WOS pushes states to provide detailed help to smaller agencies that need to build up their cyber defenses. It’s a team effort in cybersecurity that involves officials from the largest state agencies all the way down to one-person local IT shops.

“Cybersecurity is everyone’s business,” said John Israel, chief information security officer for Minnesota, which kicked off its $23.5 million whole-of-state program in September 2023.

MORE HELP NEEDED


WOS is still in its early phases, but successful approaches are emerging even as concerns mount that funding won’t be sustained. Whether whole-of-state cybersecurity programs take hold will influence, in one way or another, government’s never-ending fight against cyber criminals.

Speak to public-sector tech leaders in areas with relatively small populations and you’ll sense a hunger for more cybersecurity support from larger governments. One reason is that smaller agencies often find it hard to afford a lot of IT help or to buy the newest cybersecurity software. And often, state officials might have a better grasp of the newest cyber threats that keep popping up.

“There is still a lot of progress to be made in municipalities” when it comes to cybersecurity, said Brent Birkeland, IT director for Douglas County, Minn.

And those smaller towns and counties hardly lack attractive targets.

Utilities stand as one of the largest sources of worry for Birkeland and others charged with defending public-sector tech, with election systems another huge concern, especially in 2024. WOS theory calls for bringing together experts from various agencies — as well as the necessary funding — to make the digital fortress walls protecting those tech assets higher and thicker.

That help comes in several forms.

State-backed or statewide training sessions and conferences, for instance, provide cybersecurity updates to IT officials in smaller agencies while also helping them expand their professional networks, which can come in handy down the line, including during emergencies.

DeWitt, for instance, appreciated the Indiana Public Sector Cybersecurity Summit,* now in its second year, for raising awareness of the issue among the more than 300 people who attended — a group that included city and county officials eager for more information about how to protect the upcoming elections. Speakers included an “ethical” hacker and tech leaders from state government, including CIO Tracy Barnes.

“We talked about cybersecurity insurance, which some communities don’t have,” said DeWitt, who was on the summit’s advisory board. “That’s a little scary.”

A more direct — and expensive — form of help came when Indiana decided to spend $20 million on endpoint detection and response services for 31 local agencies in the state.

The money originated from year one of the State and Local Cybersecurity Grant Program (SLCGP), the billion-dollar, multiyear federal effort to support WOS work, and is meant to help monitor end-user devices for cyber threats.

Texas, meanwhile, has $40 million in federal funds to spend over four years on projects that conform to the state’s SLCGP Cybersecurity Plan. Successful applicants for those grants also face other requirements, including using web application vulnerability scanning, as well as undertaking annual cybersecurity reviews, services that are free thanks to federal backing. Recipients also must join the Texas Information Sharing and Analysis Organization, a cybersecurity education and collaboration group.

New York state offers another way to do whole-of-state cybersecurity. Back in 2022, Gov. Kathy Hochul and local leaders announced the launch of the state’s Joint Security Operations Center, designed to help the state gain a broader, more comprehensive view of cyber threats while also boosting security coordination among various governments.

“There is a new type of emerging risk that threatens our daily lives, and just as we improved our physical security infrastructure in the aftermath of 9/11, we must now transform how we approach cybersecurity with that same rigor and seriousness,” Hochul said at the time.

Douglas County, Minn., population 39,000, takes advantage of the state’s shared-services model to boost its cyber posture.

ENTERPRISE CLASS ABILITIES


Back in Minnesota, the state — with the participation of Minnesota IT Services and the Minnesota Cybersecurity Task Force — has outlined plans to spend its $23.5 million worth of federal and state WOS funding.

The state says that at least 80 percent will go toward programming. Minnesota also has earmarked 25 percent for rural areas (funding also will go to tribal areas). General goals of the spending include advanced cybersecurity detection and defensive tools; more threat intelligence analysis and collaboration; and enabling access to security products, services and resources.

“Getting everyone access to foundational cybersecurity abilities” stands as one of the main needs for the state, according to Israel, Minnesota’s CISO. That will involve, he added, “bringing enterprise-class abilities to small governments.”

That appeals to tech leaders in lower-level public agencies, including Douglas County. Birkeland said that while Minnesota already offers a shared-service delivery model, there are still more benefits to be had from what he called “collective buying power.”

Such a process could lead to, for instance, better security incident and monitoring tools, including real-time alerts, and more advanced digital dashboards that help officials respond even more quickly to cybersecurity threats and incidents.

Gaining access to better tools, including through joint contracting efforts, promises to prove even more vital over the next couple years. As Birkeland pointed out, more systems in the very near future will run on artificial intelligence, presenting fresh challenges to public-sector IT and security leaders.

CONTRACTING BENEFITS


North Carolina, too, has made contracting a big part of its whole-of-state cybersecurity work, according to Torry Crass, the state’s chief risk officer.

The North Carolina Department of Information Technology (NCDIT) “has developed a comprehensive state term contract that provides a flexible portfolio of cybersecurity software, products and services,” Crass said via email. “This contract is intended to be an option across all government entities within the state. In turn, this will help reduce costs, improve adoption of best-in-class cybersecurity technologies and reduce the risk across the state.”

On July 2, NCDIT put out a request for proposals for what will become the cybersecurity products and services contract, he said. Such contracts are “pre-negotiated agreements between the state and a vendor,” allowing eligible agencies to choose tools and services that best fit their needs.

By having the department purchase such tools in bulk, the state can get a lower price than individual agencies could, with that lower price being passed along to NCDIT customers. They include local governments who can leverage a particular contract.

“Most local governments need a much smaller quantity and acquiring these services on their own would translate to higher prices per unit,” Crass said. “These lower costs also enable recipients of grants such as the state and local cybersecurity grants to stretch funds further.”

As all that happens, NCDIT continues to seek more funding that could help small governments fight off cyber criminals.

Crass said the state’s FY 2024 budget will “centrally fund” a web application firewall that offers edge protection for applications and services. The budget also has money for two years for what he called “generation endpoint protection.”

While that money will go to executive branch agencies, local governments could also get a piece of the pie, so to speak, even if indirectly.

“We have been able to extend these tools to local governments in a few instances where funding has been available,” he said. “In addition, state agencies and local governments have connected systems. Protections on the state network have downstream benefits to the local governments who are connected or rely on those systems to provide services.”

Tippecanoe County, Ind., CIO Kent Kroft stressed that smaller jurisdictions like his benefit from cybersecurity guidance and standards from the state.

FLEXIBILITY AND STANDARDS


Contracting and other types of cooperation are vital to the future of whole-of-state cybersecurity, according to Kent Kroft, the CIO of Tippecanoe County in Indiana.

“You can’t have the state dictating policy to all local governments,” he said. “Things are so unique that no one size fits all. The state has to work with a lot of flexibility.”

From his point of view, it’s also important that state officials offer guidance on cybersecurity — help on how to achieve the common goal of protecting the public’s digital properties — without trying to assign blame to smaller agencies that might be behind the curve. Common standards also go a long way toward strengthening defenses.

Indeed, recognizing the specific needs of communities before handing out federal funds is the approach that New Hampshire took during its first year in the SLCGP.

The state received $2.5 million in cybersecurity funding and could have simply distributed the funds to local agencies directly. Instead, officials took a hard look at what specific areas needed, using feedback and other data points as part of the analysis, and then used the grant money to fill cybersecurity gaps.

One of the gaps had a relatively simple fix: getting local agencies to adopt the .gov domain, generally considered safer against criminals and more legitimate by constituents than other domain options. The New Hampshire WOS plan also calls for more multifactor authentication and security training, along with other defenses.

WILL IT LAST?


All good things come to an end. That is what some WOS and public-sector tech leaders worry might happen to those cybersecurity improvements, and just as these efforts are really starting to catch air.

From a gov tech supplier perspective, whole-of-state cybersecurity software is a growing source of revenue, according to Drew Bagley, vice president and counsel of privacy and cyber policy for CrowdStrike, which has sold WOS-related software to such clients as New York state, Minnesota and Wyoming.

Speaking to GT in early July (before the company’s flawed update impacted systems across the world), Bagley said a big change is happening now in whole-of-state cybersecurity. The change roughly reflects ongoing trends in emergency dispatch, community engagement and other tools used by state and local governments.

“We are now looking at this problem holistically,” he said. “That is the revolutionary part. There is a unified visibility into the threats. And with the WOS model, there is this notion of it’s not every agency for themselves.”

CrowdStrike sells its tool and works with states in a variety of ways; in Minnesota, for instance, the company functions as a managed services provider, which helps states deal with staffing shortages. But as such relationships progress, there is the looming worry that funding won’t last.

One of the big questions, Bagley said, is states being unsure if WOS funding will hold, especially given that cybersecurity tends to find more strength via long-term strategies instead of ad hoc, year-to-year responses.

An eventual lack of funding — SLCGP money could run out in 2025 — could take away some of the fuel for serious cybersecurity work that, really, is just getting started in some places. That includes parts of Indiana, where officials are working to expand WOS to many more towns, cities, counties, townships and other relatively small governments.

DeWitt, for instance, worries about an attack on the local water utility in Auburn as she works for more cybersecurity resources and lobbies for state laws that would help officials like her better defend their towns. Even fresh “best practices” regarding cybersecurity would help.

“I hope we can build in more of a [cybersecurity] budget for small, rural communities,” she said.

*The Indiana Public Sector Cybersecurity Summit is hosted by Government Technology.

This story originally appeared in the September/October 2024 issue of Government Technology magazine.

Thad Rueter writes about the business of government technology. He covered local and state governments for newspapers in the Chicago area and Florida, as well as e-commerce, digital payments and related topics for various publications. He lives in Wisconsin.