Yesterday, I was given the opportunity to participate as a member of a panel entitled "States and Cybersecurity" at the National Governors Association (NGA) Winter Meeting in Washington. This Health and Homeland Security Committee session was broadcast live on C-SPAN and can be viewed here.
The other panelists discussing cybersecurity were Richard A. Clark, Chairman and CEO of Good Harbor Security Risk Management, and David Hannigan, Chief Information Security Officer at Zappos. We were asked to focus our opening remarks on action steps that states could take and not elaborate on the cybersecurity threat situation, which was covered in another briefing.
[Note: Samuel Ginn, Chairman of the National Telecommunications and Information Administration First Responder Network Authority, began the session by addressing plans for FIRSTNET.]
Here is a transcript of my opening remarks, which offer seven actions for Governors to take on cybersecurity:
Thank you Governor O’Malley for that kind introduction. I’d like to begin by thanking Governor Sandoval, committee members and NGA staff for inviting me today. It is an honor to speak with Governors on this important topic of cybersecurity.
I want to start by emphasizing that the State of Michigan government faces a barrage of unauthorized attempts to access our networks and systems each and every day. During 2012, we removed over 31 million pieces of malware from incoming emails, stopped over 142 million website attacks and blocked over 24 million network scans. The threat is real – we see it daily in Michigan, as does every other state in the nation.
So what can be done, and what is Michigan doing now? I’d like to offer seven actions that Governors should take to mitigate cybersecurity risk: four in the area of cyber defense and three in the area of cyber response.
First, four urgent actions regarding Cyber Defense:
#1: Governors Must Make Cybersecurity a Top Priority: In Michigan, Governor Snyder has personally led this charge by establishing clear areas of accountability, authority, visibility and governance. Michigan has centralized IT for all 17 Executive Branch Agencies, encompassing over 47,000 state employees. We have now merged physical and cybersecurity into one cohesive program. The Chief Security Officer is charged with providing enterprise-wide risk management and security associated with Michigan government’s assets, property, systems and networks. This organization also leads the development and implementation of a comprehensive security strategy for all Michigan technology resources and infrastructure.
#2: Each State Needs a Strategic Plan for Cybersecurity: Following the NIST framework, industry best-practices for cybersecurity and guidance from NGA’s new Resource Center on Cybersecurity, each state must implement an effective level of cyber defense. In October 2011, Governor Snyder brought together the best and the brightest from across the nation as he launched the “Michigan Cyber Initiative” at the national kickoff for Cybersecurity Awareness Month. This plan lays out a comprehensive strategy for establishing Michigan as a secure cyber state which protects individuals, business, and government, and safeguards citizen data. The strategy includes the development of resource kits for home, business, government and schools, as well as protecting our critical infrastructure in a safe cyber ecosystem. Our plan can be found at Michigan.gov/cybersecurity.
#3: Provide “Next Generation” Training and Awareness for Cybersecurity: In every state, employees are both our greatest asset and sadly our weakest link against cyber attacks. End user mistakes are the #1 cause of data breaches, whether they click on phishing scams, fall for social engineering tricks or inadvertently provide unauthorized access to sensitive data. In the past, Michigan developed training that quickly became outdated, boring, and, quite frankly, a failure. We learned from our mistakes and now offer new online statewide Cyber Awareness Training 2.0 for all employees. Brief, interactive lessons are delivered to all employees over the web that are relevant, timely and I must say even ‘fun’ activities for the users. Feedback thus far has been overwhelmingly positive, with employees praising the new approach and even sharing the information with family members at home.
And let’s not forget technical training for our cybersecurity staff. In 2012, partnering with Merit Network, we launched the Michigan Cyber Range. This state-of-the-art training, research and testing facility provides a secure environment for cyber response training, cyber defense scenario testing, and the latest in technical training for cybersecurity staff in the public and private sectors.
#4: Monitor and Defend your Networks 24x7: On the global Internet, attacks can come from anywhere at any time. We need qualified staff and effective tools to detect, assess and respond to threats in order to ensure the confidentiality, integrity and availability of our data, systems, and networks. Michigan is in the process of enhancing this capability with a next-generation Security Operations Center that never sleeps. We are also working to develop and report new metrics based upon the SANS Top 20 Critical Security Controls.
But what if there IS a major cyber incident in your state? Are you prepared? What if you experience a breach? Recommendations 5-7 address Cyber Response and Infrastructure Resilience.
#5: Build a Cyber Disruption Response Plan: States must develop a cyber disruption response plan containing a checklist of required actions following a catastrophic cyber incident. State governments have become very good at responding to natural disasters such as tornadoes, fires, floods and hurricanes. This same level of discipline must be applied to cyber incidents using an all-hazards approach. In partnership with the private sector companies that own and operate Michigan’s critical infrastructure, Michigan is developing a Cyber Disruption Response Plan to map out a clear communication strategy and the necessary actions following a major cyber incident. States should align their response plans with the recently released Presidential Executive Order on Cybersecurity and Presidential Policy Directive 21.
#6: Cyber Disruption Response Plans Must Be Tested: Following Federal Emergency Management Agency (FEMA) guidelines, all states should be testing and refining their cyber incident response plans to ensure infrastructure resilience. In partnership with other governments, Michigan has benefited from participating in all four Cyber Storm global exercises, as well as NLE 2012, which focused on cyber incident response. We are planning further public/private tabletop exercises during 2013 to test our cyber response protocols.
#7: Establish Trusted Partnerships: Cyber defense and response cannot be done on an island, or they will fail. We all must work together to face the growing threat, share information, and coordinate our response. Establishing and maintaining trusted relationships is central to cyber defense and incident response.
Michigan has strong partnerships with (to name a few):
The National Association of State CIOs (NASCIO) and other states
The U.S. Department of Homeland Security and other Federal agencies
The FBI and the FBI InfraGard program
The Multi-State Information Sharing & Analysis Center (MS-ISAC) in Albany, NY
Michigan State Police and other state agencies
Numerous Private Sector Partners
Building and strengthening these partnerships must be a key for each state moving forward.
In conclusion, cyberspace has revolutionized government. The Internet is accelerating opportunities for good and for evil at the same time.
Each state must act now to further protect its digital investments. The public’s trust in government is at stake.
I look forward to addressing your questions.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.
He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.
He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.
Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.
He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.