According to the National Conference of State Legislatures website, at least 30 states have created a statewide cybersecurity task force, commission, advisory council, or similar group in the past several years. Most were established through executive orders, the website states, but at least eight states created these initiatives through legislation.
The states that have implemented these types of working groups include Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Idaho, Illinois, Indiana, Iowa, Kansas, Louisiana, Maine, Maryland, Minnesota, Mississippi, Missouri, Montana, New Hampshire, New York, North Carolina, North Dakota, Oregon, Rhode Island, Texas, Utah, Vermont and Virginia.
A PERSISTENT THREAT
When it comes to cybersecurity in state and local government, industry experts point to myriad challenges, including ransomware attacks, open source software vulnerabilities, phishing emails, outdated legacy code and other issues.
Some of these issues were recently discussed at the RSA Conference, where experts weighed in onzero-trust security architectures, long-awaited cybersecurity grant funding, cyber insurance and addressing misinformation.
To put the issue further into perspective, computer security service company SecuLore Solutions found that 49 states and Washington, D.C., have been affected by cyber attacks in the past 24 months. Similar threats have also impacted 90 public safety agencies and 199 local governments.
Other statistics from a November 2021 international report from CyberEdge reaffirmed this trend stating that more than 68 percent of surveyed government organizations were compromised by one or more cyber attacks within the past 12 months. The report surveyed 1,200 public- and private-sector IT security professionals from 17 countries and focused on organizations with at least 500 employees. Government respondents made up more than 4 percent of respondents, or roughly 49 individuals.
IDAHO STREAMLINES CYBERSECURITY EFFORTS
In August 2021, Idaho Gov. Brad Little formed the state’s cybersecurity task force, comprised of 19 members, each representing different state institutions such as the Idaho National Laboratory; the Idaho Department of Commerce; the Idaho Office of Emergency Management; Idaho Power; Micron Technology; Bank of Idaho; Boise State University; the University of Idaho; Idaho State University; and several state lawmakers.
In March, the group shared a 34-page cybersecurity task force report detailing 18 recommendations.
“One of the first big projects we did the first year that the governor was in office was establish the broadband task force to look at our gaps and assess what we have around the state,” Tom Kealey, director of the state’s commerce department, said. “As we started looking at going from sort of agrarian or advanced manufacturing to more of a digital economy, the cyber risk increases, so we thought about creating the task force and announced it last summer.”
As for the report itself, the recommendations fall under five strategic objectives: safeguarding Idaho’s infrastructure and providing active cyber deterrence; increasing investments for cybersecurity professionals; ensuring election integrity; engaging the public in cybersecurity education; and continuing the task force’s efforts.
“One of the things that we came out early with is we recommended dollars to help support election security, which we knew was a key area,” Kealey said. “The governor got it approved for $12 million to go into helping shore up defenses to address any potential issues with elections.”
In addition to election security, the report also suggests creating a cyber fusion center to act as a centralized hub for all cyber threat information and to coordinate information sharing.
Another recommendation the report shares is to create a cyber response and defense fund for organizations to respond to cybersecurity compromises.
Outside of that, the report also suggests allocating funds for additional cybersecurity faculty; and adding instructors and infrastructure at Idaho’s colleges and universities and developing a statewide cybersecurity strategy and road map.
As for what comes next, Kealey pointed to meeting benchmarks and achieving goals listed in the report.
“Come back in three to six months and see how we’ve been taking it to that next level of implementation or benchmarks,” Kealy said. “Are we making a dent in what we need regarding workforce development or curriculum? Because I think this is again a long game, but you have to be pretty serious about it on the front end, which we are.”
VIRGINIA CENTRALIZES CYBER EFFORTS
Cyber experts and representatives are engaged in the Commonwealth Cyber Initiative (CCI) in Virginia to promote cybersecurity, provide educational programs and recruit top talent for commonwealth opportunities, a spokesperson from the Virginia Information Technologies Agency said.
According to the CCI website, the goal is to create a commonwealth-wide ecosystem of innovation geared toward cybersecurity, autonomous systems and data. To achieve this, the CCI will focus on research, innovation, workforce development and partnering with organizations to fulfill this goal.
Recently, though, the state created a Cyber Incident Reporting Work Group to address the state’s cybersecurity posture.
“The work group is designed to bring together state-level leadership, localities, state agencies, school systems, higher education institutions and more to build a comprehensive cyber ecosystem to learn more about collective strengths and opportunities and be ready to respond to cyber threats, if necessary,” an agency spokesperson said via email.
“The work group held its first meeting last month and will continue to meet, sharing information and ideas in partnership and cooperation as we work to protect the commonwealth and the 8.6 million people in Virginia from cyber threats,” they added.