“They came in and created a battle plan: Here are the five things that we are focusing on,” said Colorado’s CISO at the time, Deb Blyth. (Blyth has since returned to the private sector.) “They helped us really get organized around what resources we were allocating to each thing, rather than just chasing every little blip and anomaly all over the network.”
In the present, escalated threat environment, experts agree, no one should be going it alone.
“With a dramatic uptick in ransomware attacks across the country, governors, state chief information officers and state government executives are designing and implementing programs to strengthen local partnerships in cybersecurity,” according to a recent report from the National Association of State Chief Information Officers (NASCIO).
This “whole of state” approach helps governmental entities to leverage their combined resources and expertise.
With an emphasis on partnering, state IT leaders can deliver high-impact tools to local jurisdictions. “State governments are increasingly providing services to county and municipal governments, including endpoint protection, shared service agreements for cyber defensive tools, incident response, and statewide cybersecurity awareness and training,” NASCIO reports.
At the city and county levels, the pooling of resources is proving an effective means of staying ahead in an increasingly volatile cyber environment.
What does whole-of-state cyber look like on the ground?
We asked state and local IT leaders to share their best practices.
NYC CYBER COMMAND
At the New York City Cyber Command, Senior Advisor Mitch Herckis can’t imagine approaching the present situation with anything less than an all-hands-on-deck mentality.
“Cyber crime affects everyone, it impacts the entirety of the city, and that means we can’t be secure in isolation,” he said. “The more resilient we all are, the better off we’ll all be. For New York City to be the most cyber-resilient city in the world, that requires us all to be aware of the threat and to have the tools necessary to defend ourselves.”
With that in mind, Herckis and his team have taken steps to ensure that ordinary citizens are aligned in the fight. To that end, the NYC Secure App delivers free, real-time protection to users’ mobile phones. The app has been downloaded more than 200,000 times.
“It will alert you to unsecure Wi-Fi networks or unsafe apps on Android systems — the things that people experience in their daily lives that could impact their digital safety,” he said.
Cyber Command has also teamed with the nonprofit community by partnering with Quad9, a free service that replaces the default domain name server configuration set by an Internet service provider or enterprise. Together they’ve worked to secure some 3,000 public Wi-Fi access points across the city.
“If someone’s connecting to these, it will block known malicious sites, ensuring people aren’t steered to places that are intended to hurt them,” Herckis said. “It’s a way of trying to protect residents when they’re utilizing public infrastructure to connect to the Internet.”
Small businesses also play a key role in Herckis’ whole-of-state vision. He has teamed with the city’s small-business services office to deliver basic cyber hygiene information to the business community. “We wanted to give them things that they could apply to their own businesses: small steps that they could take to be more secure,” he said.
Getting public participation in a shared cyber mission has its challenges. The problem seems so big, and individuals may have a hard time understanding how they personally can help in the fight. Herckis tries to keep the messaging simple and tangible.
“People quickly become overwhelmed by the scope of the problem. So what can be done? You can show them the small steps that can be taken to significantly improve their security, rather than focusing on the big, scary problem,” he said.
At the same time, NYC Cyber Command also partners with larger public and private entities, from the police department to critical infrastructure operators, in order to coordinate cyber preparedness and response. “We need all of that coordination,” Herckis said. “We’ll all be stronger if we’re working together as a community of cyber defenders.”
YORK COUNTY, VA.
In York County, Va., one high-profile cooperative effort has the IT department working with the Department of Elections to push out basic guidance to all jurisdictions.
“I’m on the advisory board for that effort to create a set of standards for all the jurisdictions involved with elections: Here are the best practices of what everybody needs to be doing,” said Deputy Director of Information Technology Timothy Wyatt.
The team is pushing out processes and procedures, describing administrative controls and modeling system security plans. “For a lot of these smaller and even medium-sized jurisdictions, these are all new concepts,” Wyatt said. “They’re not sure how to tackle it, where to start.”
With a population of 68,000, York isn’t the biggest county in the state, but Wyatt said his team still has valuable know-how it can share with other counties looking to bolster their cyber efforts.
“This isn’t the private sector, we’re not in competition with each other,” he said. “We’re all one family, and we’re all about helping the citizens. They may live in your county, but maybe they work over in one of those other jurisdictions. The more we help each other, the better it is for everyone.”
There’s precedent for this approach: A whole-of-state cyber strategy mirrors similar efforts in public safety. “We do police software hosting for a neighboring city. We have a regional 911 system with various other cities and jurisdictions,” Wyatt said. “If it’s good for the community, we embrace that very readily.”
Looking beyond the elections initiative, Wyatt’s team has also engaged in direct efforts to enlist citizens and the business community in the cyber fight. He’s worked with a regional development center for small businesses to deliver cyber basics, and has shared similar information directly with small businesses.
Wyatt has found he can build strong partnerships by making the message personal.
“We focus on what they care about, what’s important to them,” he said. “For businesses, their reputation with their customers is critical. If they get hacked or they leak data, it could lead to the loss of their brand, the loss of customer confidence.”
He’s reached out to citizens as well, for example with information about securing personal information online. Here, the best route seems to be the gentle touch. “I’m not here to tell you what to do or what not to do,” he said. “I’m here to educate on how risky a certain activity may be. Then you choose how risky or how safe you want to be. I just want to give you the tools and the knowledge.”
All these efforts — the outreach to individuals and businesses, as well as the intra-governmental push — help to drive a stronger countywide cyber environment. To Wyatt, this seems the only sensible approach to an ever-expanding problem.
“Overall, we have to take a collective stance to try to fight against the wave of cyber hackers and everything else,” he said. “We have to share resources. We have to collaborate and work as a team.”
COLORADO
There’s often profound inequality among local jurisdictions when it comes to cybersecurity capabilities.
“Some have cybersecurity teams that have funding, that have good security programs — and then some have nothing,” said former Colorado CISO Deb Blyth. “They may have no IT staff, no security personnel, no funding, no security program. There is a huge pendulum swing between the haves and the have-nots.”
From a statewide perspective, it’s imperative to find means to close that gap. That includes taking cooperative steps to share information and insights. “The local governments provide critical services to their communities,” Blyth said. “We can’t just leave them out to dry.”
At present there is no formal mechanism for driving a whole-of-state approach in Colorado, but it’s coming. The Governor’s Office of Information Technology, the Secretary of State’s Office, emergency management officials and others are all working to define the rules of the road for a formal collaborative approach.
“We would like folks from across state and local government to be able to sign up, to self-select in order to become incident responders. We would give them some consistent training and then have agreements in place so that when someone calls us, we can all help,” Blyth said.
Details have yet to be worked out. There are jurisdictional questions: Will the effort reside in the Governor’s Office of Information Technology, or elsewhere? And how will it be funded?
“One challenge has to do with statutory authority,” Blyth said. “Right now, no one is really in charge of cybersecurity standards at an overarching policy level. Each local government is sort of in charge of their own domain.”
In the long term, jurisdiction will have to be made explicit.
Then there are the budgetary questions. Blyth doesn’t want to create an unfunded mandate — telling jurisdictions how to conduct their cyber efforts without giving them adequate means. One possibility is for a state entity to aggregate homeland security funds that are designated for cyber defense. By pooling those resources, the state could potentially get bigger bang for the buck, sharing common solution sets among multiple local entities.
That’s just one possible approach. State-level officials and local leaders are still working out potential funding schemes, which will eventually be brought to the Legislature. The goal is to have a formal plan in place by summer 2022.
If this vision comes to fruition, it could change the nature of cyber response across state and local authorities.
“It would mean we could be less about responding to emergencies, and instead be more proactive,” Blyth said. “Right now, we’ve got 60 people from a state and local perspective who share cybersecurity threat intelligence information across the state. But there are about 3,000 local governments in Colorado. We can improve the cybersecurity landscape significantly, if we can just get more participation.”
The 2018 ransomware attack on the state’s Department of Transportation helped to prove the point. By collaborating with others, the IT team was able to have a state of emergency declared around that incident — the first time that had ever been done for a cyber breach.
“That gave me access to the Colorado National Guard. It gave me funding and resources that I needed to recover,” Blyth said. “The Guard, they are cyber-trained warriors. They are really good at finding the holes in the environment, creating a battle plan, getting systems back online. We had great success with that approach at the state level, and now we want to replicate it at the local level.”
NORTH CAROLINA
In North Carolina, three county and town CIOs are spearheading an effort to drive greater collaboration around cybersecurity issues. The North Carolina Local Government Information Systems Association (NCLGISA) has assembled an “IT strike team” led by Rowan County CIO Randy Cress, Henderson County CIO Mark Seelenbacher and Scott Clark, CIO in the town of Fuquay-Varina.
The CIOs agree that a cooperative approach is the best way to ensure an adequate defensive posture across disparate state and local entities, where the availability of skills and resources can vary widely.
“Especially during cyber events, there’s a lack of resources around incident response,” Cress said. “It requires a diverse skill set, and the whole-of-state approach is what brings together all those resources.”
The effort here involves the state IT department, the emergency management agency, the National Guard and law enforcement, including the FBI and others. In addition, the Center for Public Technology at the University of North Carolina School of Government plays a leading role in coordinating efforts.
State legislation requires local governments to report all cyber attacks to the state Department of Information Technology, which works with the North Carolina National Guard and the emergency management agency to coordinate the response.
In practice, that initial report sets the wheels in motion, with key players huddling to assess the scale of the issue. “We start with a scoping call to assess the impact on the agency,” Seelenbacher said. “All relevant responders will work to determine the total impact of the event.”
These formal conclaves have given rise to a strong peer-to-peer network, through which local cyber pros are able to pool their intellectual capital. “At the local level there’s always someone who knows that they can contact the strike team,” Seelenbacher said. “Even if they don’t know [who] to call up to at the state level, they at least get to us.”
Clark described an incident in which all these pieces came together: a ransomware attack on a North Carolina city. The local emergency management team was already active in support of COVID-19 needs, and the strike force was able to leverage that presence to help drive the response.
“Emergency management helped run the incident. They were basically the incident commander, while the IT staff got all the resources focused on the job at hand and repairing. It was a very good model of interagency and interdepartmental support,” he said. “Working together, they were able to rebuild the system, and it is in better shape now than it was before.”
As a result of that event, the local CIO has now stepped up to share his expertise with others who may find themselves under attack. “It shows how this can be a real win-win,” Clark said. “We threw all these resources at it, and now he’s giving back to the community and helping others that had the misfortune of having a cyber attack. It shows how this approach helps improve the state as a whole.”