In other parts of the world, Ukraine for example, there is little to no doubt that cyber is a devastating weapon in the arsenal of governments and hackers; stateside, however, the idea seems to just be catching on throughout all levels of government. But the officials behind Connecticut’s new cybersecurity game plan have no illusions about what vulnerabilities can mean for government — or private-sector entities within the state. Now there is a formal plan to help everyone better prepare.
On July 10, Gov. Dannel Malloy announced the Connecticut Cybersecurity Strategy, which outlines not only the need for an all-inclusive approach to cybereducation and -defense, but also a clear path forward. In October of last year, Malloy tapped Arthur House to lead security efforts as chief cybersecurity risk officer — a job he has wasted no time diving into.
The now public strategy outlines what both state CIO Mark Raymond and House describe as a “holistic approach” to cybersecurity by looking at five key sectors: state government, local government, business, higher education, and law enforcement and security.
The document also outlines some key principles within the strategic path, including: executive awareness and leadership, literacy, preparation, response, recovery, communication and verification.
“In sum, what we are trying to do is draw attention to the fact that this is a priority, that this affects everyone and we all have to take action, and the culture has to change,” House told Government Technology. “It’s kind of like the automobile. We had the automobile and everybody loved it, it revolutionized our lives, and along the way we discovered that it is a deadly instrument and you have to pay attention to safety as well as enjoy all the benefits of the automobile. Well, it’s the same thing with the Internet and the digital age. There is no going back.”
House, who also partners with a number of federal-level interests, shared that the view of cyber translates differently in other parts of the world. During his time in Ukraine, he said there was no need to relay the threat posed by an attack. Their conflict with Russia had already made that point for him.
“There had been two cyberattacks and everybody knows there is an ongoing conflict with Russia, and cyber is simply one of the means by which that attack is taking place. I would rather deal with and learn from people like that, who understand it. In this country, it’s still theoretical,” House said. “We see about ransomware and we hear about things, then we have the compromises, the famous ones that take place, but we have never seen the delivery of what is possible.”
Connecticut, like other states, is faced with a deficit of cybersecurity professionals. House cites roughly 4,000 unfilled positions in the state, with only around 300 students enrolled in community college cyberprograms.
Through his conversations with business leaders, House said many employers are simply looking for candidates with two-year degrees — what he describes as “the basics” — that can later be supplemented with additional training.
The cyber-risk chief went on to say there is also a need for a more robust intelligence and law enforcement component to cybersecurity throughout the state. “Right now, if you are a bank and have a large cybersecurity intrusion, you can go to the Secret Service or the FBI, but the state has to complement and supplement their efforts in law enforcement. I am hoping we can do that fairly soon.”
Under ideal circumstances, House said, the state would be able to build out its cyberintelligence tracking capabilities. There is also a need for adequate response training for critical incidents. House argues that, unlike some serious weather events, an attack on critical infrastructure or systems comes with a lot of potential variables.
“On the other side, we need to practice for a cyberattack. Potentially, if it were to happen, it would not just be like a big hurricane or an especially strong ice storm. There are dimensions to this which are completely different,” he said.
As Raymond sees the strategy, it takes a different tack than most states in its inclusion and overall approach to the larger cybersecurity ecosystem. What was once a more tactical approach to cybersecurity has rounded a corner since House was brought on board, and Raymond believes this strategy will only improve as traction is gained throughout the state.
“Really treating this as a holistic statewide initiative and not one that is of and for state government is really important for us,” the CIO said. “Making sure that we are raising both the skill level and literacy and leadership of all the businesses and individuals in the state around cyber is what I think is one of the very unique aspects of our strategy.”