February 24, 2013 By Dan Lohrmann
Yesterday, I was given the opportunity to participate as a member of a panel entitled "States and Cybersecurity" at the National Governor’s Association (NGA) Winter meeting in Washington. This Health and Homeland Security Committee session was broadcast live on CSPAN and can be viewed here.
The other panelists discussing cybersecurity were Richard A. Clark, Chairman and CEO of Good Harbor Security Risk Management, and David Hannigan, Chief Information Security Officer at Zappos. We were asked to focus our opening remarks on action steps that states could take and not elaborate on the cybersecurity threat situation, which was covered in another briefing.
[Note: Samuel Ginn, Chairman of the National Telecommunications and Information Administration First Responder Network Authority, began the session by addressing plans for FIRSTNET.]
Here is a transcript of my opening remarks, which offer seven actions for Governor’s to take on cybersecurity:
Thank you Governor O’Malley for that kind introduction. I’d like to begin by thanking Governor Sandoval, committee members and NGA staff for inviting me today. It is an honor to speak with Governors on this important topic of cybersecurity.
I want to start by emphasizing that the State of Michigan government faces a barrage of unauthorized attempts to access our networks and systems each and every day. During 2012, we removed over 31 million pieces of malware from incoming emails, stopped over 142 million website attacks and blocked over 24 million network scans. The threat is real – we see it daily in Michigan, as does every other state in the nation.
So what can be done and what is Michigan doing now? I’d like to offer 7 actions that Governors should take to mitigate cybersecurity risk - 4 in the area of cyber defense and 3 in the area of cyber response.
First, four urgent actions regarding Cyber Defense -
#1: Governors Must Make Cybersecurity a Top Priority: In Michigan, Governor Snyder has personally led this charge by establishing clear areas of accountability, authority, visibility and governance. Michigan has centralized IT for all 17 Executive Branch Agencies, encompassing over 47,000 state employees. We have now merged physical and cybersecurity into one cohesive program. The Chief Security Officer is charged with providing enterprise-wide risk management and security associated with Michigan government’s assets, property, systems and networks. This organization also leads the development and implementation of a comprehensive security strategy for all Michigan technology resources and infrastructure.
#2: Each State Needs a Strategic Plan for Cybersecurity: Following the NIST framework, industry best-practices for cybersecurity and guidance from NGA’s new Resource Center on Cybersecurity, each state must implement an effective level of cyber defense. In October 2011, Governor Snyder brought together the best and the brightest from across the nation as he launched the “Michigan Cyber Initiative” at the national kickoff for Cybersecurity Awareness Month. This plan lays out a comprehensive strategy for establishing Michigan as a secure cyber state which protects individuals, business, and government, and safeguards citizen data. The strategy includes the development of resource kits for home, business, government and schools, as well as protecting our critical infrastructure in a safe cyber ecosystem. Our plan can be found at Michigan.gov/cybersecurity.
#3: Provide “Next Generation” Training and Awareness for Cybersecurity: In every state, employees are both our greatest asset and sadly our weakest link against cyber attacks. End user mistakes are the #1 cause of data breaches, whether they click on phishing scams, fall for social engineering tricks or inadvertently provide unauthorized access to sensitive data. In the past, Michigan developed training that quickly became outdated, boring, and, quite frankly, a failure. We learned from our mistakes and now offer new online statewide Cyber Awareness Training 2.0 for all employees. Brief, interactive lessons are delivered to all employees over the web that are relevant, timely and I must say even ‘fun’ activities for the users. Feedback thus far has been overwhelmingly positive, with employees praising the new approach and even sharing the information with family members at home.
And let’s not forget technical training for our cybersecurity staff. In 2012, partnering with Merit Network, we launched the Michigan Cyber Range. This state-of-the-art training, research and testing facility provides a secure environment for cyber response training, cyber defense scenario testing, and the latest in technical training for cybersecurity staff in the public and private sectors.
#4: Monitor and Defend your Networks 7x24: In our global Internet, attacks can come from anywhere at anytime. We need qualified staff and effective tools to detect, assess and respond to threats in order to ensure the confidentiality, integrity and availability of our data, systems, and networks. Michigan is in the process of enhancing this capability with a next-generation Security Operations Center that never sleeps. We are also working to develop and report using new metrics based upon the SANS Top 20 critical security controls.
But what if there IS a major cyber incident in your state? Are you prepared? What if you experience a breach? Recommendations 5-7 address Cyber Response and Infrastructure Resilience.
#5: Build a Cyber Disruption Response Plan: States must develop a cyber disruption response plan, containing a checklist of required actions following a catastrophic cyber incident. State governments have become very good at responding to natural disasters such as tornados, fires, floods and hurricanes. This same level of discipline must be applied to cyber incidents using an all-hazards approach. In partnership with private sector companies who own and operate Michigan’s critical infrastructure, Michigan is developing a Cyber Disruption Response Plan to map out a clear communication strategy and the necessary actions following a major cyber incident. States should align their response plans with the recently-released Presidential Executive Order on Cybersecurity and Presidential Policy Directive-21.
#6: Cyber Disruption Response Plans Must Be Tested: Following Federal Emergency Management Agency (FEMA) guidelines, all states should be testing and refining their cyber incident response plans to ensure infrastructure resilience. In partnership with other governments, Michigan has benefited by participating in all four Cyber Storm global exercises, as well as NLE 2012 which focused on cyber incident response. We are planning further public/private tabletop exercises during 2013 to test our cyber response protocols.
#7: Establish Trusted Partnerships: Cyber defense and response cannot be done on an island or it will fail. We all must work together to face the growing threat, share information, and coordinate our response. Establishing and maintaining trusted relationships is a central key to cyber defense and incident response.
Michigan has strong partnerships with (to name a few):
The National Association of State CIOs (NASCIO) and other states
The U.S. Department of Homeland Security and other Federal agencies
The FBI and the FBI InfraGard program
The Multi-State Information Sharing & Analysis Center (MS-ISAC) in Albany, NY
Michigan State Police and other state agencies
Numerous Private Sector Partners
Building and strengthening these partnerships must be a key for each state moving forward.
In conclusion, cyberspace has revolutionized government. The Internet is accelerating opportunities for good and for evil at the same time.
Each state must act now to further protect their digital investments. Our public trust in government is at stake.
I look forward to addressing your questions.
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.