Cybersecurity takes a village. For too long, state and local agencies haven’t realized that they can build on the same foundation when addressing their cyber hygiene.
However, Kevin Ford, North Dakota’s Chief Information Security Officer (CISO), says agencies are starting to notice opportunities for cybersecurity collaboration. For instance, North Dakota is weighing whether it can launch a powerful security operations center (SOC) that serves any interested agency regardless of geography.
During an interview with GovLoop, Ford detailed how a shared SOC might work for North Dakota and its partners. He also shared what distinguishes North Dakota’s cybersecurity landscape from that of its peers.
This interview was lightly edited for length and clarity.
What does North Dakota’s cybersecurity landscape look like, and how does it compare to others?
In North Dakota, we’re more unified in two ways. First, the state provides a network service to all government agencies in North Dakota. That’s the counties, the cities, K-12, libraries, so on and so forth. If you’re a local or state government institution, you’re welcome to be on the network. NDIT, the organization of which I’m a part, runs that. We can secure that network centrally, whereas other states may have multiple internet service providers at local governments they use. They may not have the ability to secure certain government assets. That’s one way we’re unique.
Another way in which we’re unique is that we have a smaller state. Despite this, North Dakota remains nimble as it has embraced a single cybersecurity strategy around Senate Bill 2110. Senate Bill 2110 provides NDIT strategic authority for cybersecurity for all government entities in the state. So, in addition to the network, we have some ability to issue policies to various institutions around the state for guidelines while other states have struggled with this kind of centralization effort.
We’re looking for a “thou should” line rather than a “thou shall” line when it comes to collaborating with stakeholders such as K-12 or higher education institutions. That’s something the state’s looking for us to take the lead on, and that’s something we’re trying to step up to be able to do.
What are North Dakota’s biggest cybersecurity concerns, and how is your state handling them?
My biggest concern that differentiates the state is the people of North Dakota — and the people of any state or federal government — don’t have a choice in using your service. They pay taxes, we collect their information. We have an ethical duty to protect their information.
As far as specific threats, I’m concerned with phishing attacks across the state for financial gain. I’m concerned with the potential for ransomware attacks against soft organizations in North Dakota, whether that’s human services, hospitals or other services that North Dakota’s citizens need.
We don’t know what organizations are launching these sorts of ransomware attacks. My intelligence suggests it’s both criminal organizations within and outside the U.S. With ransomware, they want to target institutions where having all your data jumbled up and encrypted is the most impactful to the organization or the people who rely on that organization. That way, they can be more certain that people will pay the ransom.
From the state government perspective, what if something happens and the Secretary of State can’t register businesses? That could impact commerce in North Dakota.
I’m concerned with critical infrastructure in the traditional sense, like power grids and water supplies. I’m also concerned with things that have negative externalities to our residents, whether it’s mortgages, taxes, registering businesses, hunting and fishing licenses, or any of the other services that North Dakota provides.
How would North Dakota share an SOC with other state and local agencies, and what benefits would come from this approach?
It’s still early days with that yet. We’re working with a lot of interested parties. What we’re trying to set up is something that moves the bar a little closer to day-to-day operations to get states more help with cybersecurity events. Our goal is to have a couple partner organizations that can provide support in a day-to-day cybersecurity business operation setting.
Every week, we may have several serious cybersecurity events that we respond to, but they may not reach the level of a statewide emergency where we would pull the lever, the alarms sound and we ask other states to come help us.
What we’re trying to do is get some understanding in place. Then, if I have a security event that’s not an emergency, but I still need help with it, I can rely on a member of the state to come help me before it reaches the emergency level. It’s so we can swarm more effectively and prevent emergencies.