As the complexity and volume of cyberattacks continue to increase, there’s an urgent need for state and local governments to work together to manage their risk. That’s the goal of whole-of-state cybersecurity.
In this approach, state government works closely with city and county governments to prevent and prepare for incidents, and to provide support when incidents occur. This may be done in partnership with higher education, critical-infrastructure providers, federal cyber responders, and other stakeholders.
“At the end of the day it’s one team, one fight,” said James Weaver, Secretary for Information Technology and State Chief Information Officer for North Carolina, speaking at a recent GovLoop online training.
North Carolina has formed a joint cyber task force that brings together law enforcement, emergency management, N.C. National Guard Cyber, and the Local Government IT Strike Team, along with state IT and cyber specialists. With this combined-forces approach, “we are very quickly able to pivot and provide the right level of support” in response to a cyber incident, Weaver said.
There’s an urgent need for this kind of collaborative strategy, said Vinod Brahmapuram, Senior Director of Security for State, Local and Education at Lumen Technologies. Cyber exploits are on the rise, and many cities and counties lack the resources to effectively go it alone, he said.
At the same time, digital modernization creates new vulnerabilities. In the modernized IT landscape, “we are all connected,” he said. “For example, a state health department has so much connectivity with the county and city systems,” he said. In this environment, “we cannot be siloed.”
Nor should we be, since there’s a common mission across all levels of state and local government: To serve the citizen. “The same resident is a resident of the state, a resident of the county, a resident of the city. It’s the same person,” Brahmapuram said.
Collaboration Is Key
Despite the urgent need for collaboration, it can be challenging at the state level to come up with an approach that meets the needs of all stakeholders.
Bigger and smaller municipalities may be at very different places in their cyber journey. “You don’t want to bring down a person who already has a mature program, while trying to get other people up to a baseline,” Brahmapuram said.
To get over this hurdle, he urges IT leaders to work with stakeholders early in the process. “We need people to come together, to collaborate,” he said. Through close collaboration, they can forge a roadmap that maximizes the impact of available resources for all parties.
Once a statewide approach is in place, IT leaders also will want to consider the limits of those efforts.
In North Carolina, Weaver said, cities often will ask the joint cyber task force to stay on and troubleshoot other potential problems once an incident has been resolved. But that task force “is not there to run day-to-day operations. It’s there to resolve the incident, contain it, eradicate it.”
It’s important to have guidelines in place to manage those engagements. At some point, “we have to cut that umbilical cord and bring those folks back onto the bench,” he said.
A number of key strategies can help to deliver an effective whole of state cyber program. It starts with getting stakeholder buy-in. “There can be some misperceptions … where people think this is Big Brother trying to reach in,” Brahmapuram said.
To get over this obstacle, Weaver casts a wide net, reaching out to state agencies when an incident impacts their operations, forming ties to academia and engaging with critical-infrastructure providers. He also offers free vulnerability assessments to local entities. By working in this very open way, the task force is able to build trust.
Brahmapuram said the tone of the message matters, too. Rather than appear to dictate, an effective partnership will be one in which business-line owners are “empowered to make the decisions,” he said.
Technology will play a key role here. With IT tools ever-evolving, the whole-of-state approach should encompass a forward-looking roadmap, to ensure the response mechanisms continue to align with the emerging needs, Brahmapuram said.
The time to move on this is now, Weaver said. The pandemic changed the landscape for federal workers and for citizen engagement. Digital tools are more important than ever, and threat actors more aggressive. “This is why we have to marshal our resources a little bit differently than we have in the past,” he said.