Officials in the Kansas City metropolitan area, which includes 119 cities and nine counties across two states, are in the early stages of forging a strategic framework that is expected to yield some quick wins in enhancing regional cybersecurity.
Though it could take years to complete, officials hope the undertaking will greatly improve the overall cybersecurity stance of all involved.
The effort is being spearheaded by the Mid-America Regional Council (MARC), which serves as the council of governments and metropolitan planning organization for the bistate Kansas City region, which includes areas of Kansas and Missouri.
Agencies that took part in recent planning sessions in July ran the gamut from the University of Kansas to the cities of Raymore, Mo., and Olathe, Kan., the Northland Regional Ambulance District and federal partners.
Among their areas of interest, MARC leaders want to look at creating a purchasing pool representing all municipalities, to drive reasonable and potentially cooperative prices for technology, Stephen Arbo, city manager of Lee’s Summit, Mo., and a leader of the initiative, told Government Technology. He used firewalls as an example of a technology where improved pricing might benefit all.
The group may also consider standardization and redundancy to guard against threats including bad actors and natural disasters by giving organizations the option to maintain their online presence across multiple emergency operations centers; and by making language and practices universal among first responders and public safety agencies.
A “common approach,” Arbo acknowledged, could mean architectural weaknesses would be shared along with strengths. But such gaps as well as scalability issues, he said, could be resolved by working out technological challenges in pilots, before scaling them to the larger group.
These and other ideas permeate six key steps the group has identified as key to achieving its vision:
Identify and establish best practices for planning. Design and implement regional communications strategies. Create collaborative training opportunities to build a high-quality workforce. Create a shared-services model to support local governments Improve redundancy and resilience through mutual networks and shared services. Establish a sustainable funding source to support a regional response to cyberthreats. The group’s vision statement indicates that it believes local governments can successfully operate under constant technology change and cybersecurity threats.
The Kansas City region, it said, will collaboratively create a secure environment where agencies “can maintain resilient infrastructure, public trust and support that benefits from organizational interconnectivity and innovation.”
The leadership group will meet again later this month, Arbo said, to outline time frames for each step and work on planning the upcoming year. Assessment of local governments is a possible first step, and procurement of protective software could be another early move.
After the group of around 20 adopts a work plan, officials will call a mass assembly of all local governments to get their feedback, support and buy-in, he said.
Arbo, who is also co-chair of the Regional Homeland Security Coordinating Committee, said it is clear technology can continue to create efficiencies, serve agencies’ future needs and help them better serve citizens — but only if cybersecurity threats are properly addressed.
“Technology will continue to be the answer to that, but if we can’t fix the cybersecurity threat issue, that will come to a complete stop. And we won’t have an environment where we can be creative and focused on improving our game,” Arbo said.
Officials at municipal agencies in Kansas and Missouri that would be part of the framework agreed streamlining procurement is a goal with shared dividends.
“One of the items that we discussed is the ability for certain agencies to prototype certain services, such that we can make a determination of how beneficial those services would be regionally. And that would certainly help us lower the cost of acquiring some of those services,” said Tony Sage, IT services director at Liberty, Mo., a city of around 30,000.
“I do believe that the larger metro area, we might be able to get better pricing than I can get today on some of these things even though I’m a pretty big agency. I also believe that we may have some opportunities that haven’t really been presented to [us] yet, that will come because we are doing this,” said Vicki Irey, chief technology officer of Overland Park, Kan.
Both also identified the potential for enhanced collaboration — already a strong point with both agencies — as another plus for the framework.
The framework finds its origins in two surveys: an International City/County Management Association (ICMA) regional poll in June 2016; and an October 2016 meeting of regional city and county managers and IT managers, which identified five areas of cybersecurity concern.
The ICMA survey identified “strong support” for cybersecurity initiatives, from 50 percent of executive-level officials and 33 percent each of elected and department-level officials.
More than half, or 26 out of 50 organizations that responded, indicated a “high” level of interest and “some” cybersecurity actions underway. Ten agencies indicated a “very high” interest level and “significant” actions underway, and another 10 showed “moderate” interest and “beginning” actions.
Of the agencies surveyed, 31 indicated an interest in developing shared regional cybersecurity strategies. Best practices and information sharing were identified by 17 respondents as the type of help needed “right now,” with seven agencies each indicating they’d like to see threat notifications and planning support.
Six organizations said they’d like help with cooperative procurement software and consulting services.
In October, the regional city manager/IT manager forum agreed cooperative group purchasing should be weighed, and regional information sharing would be helpful. It also found the best solution would be a “people” solution and not rest solely on technology; and cybersecurity should be raised to the level of a “serious” issue for all jurisdictions and public employees.
Additionally, the form agreed a cybersecurity employee awareness campaign in Overland Park was a “best practice.”
Based on these findings and further consideration, Arbo said officials realized cybersecurity threats needed to be treated “as a potential hazard” similarly to a tornado or “a terrorist act such as a bomb or an active shooter scenario.”
Developing a framework would enable agencies to use resources strategically and work as a unit, he said, instead of a diverse set of interests “all well-intentioned but maybe not getting as far as we should.”
Bringing all regional communities up to sea level could also yield exponential benefits.
“We’ve got to find a way to bring them up to a baseline to where they are consistent with all the other cities that do have these resources. Because we are becoming more and more interconnected between governments, with each other. So we have to do this, if not for them, then for ourselves,” Arbo said.
Which steps could result in the quickest wins isn’t yet clear, but the city manager said one swift move — possible within about three months — could be forming a regional work group to provide leadership and guidance as part of identifying and establishing best practices.
At their next meeting, leadership representatives will examine possible revenue sources for each of the six action steps, he added.
From their perspectives, Irey and Sage said improving regional cybersecurity and achieving a certain consolidation through redundancy and standardization could save agencies money.
One example could simply be showing agencies the free cybersecurity resources available to them, Sage said.
“That’s certainly a quick win for us as a regional group by identifying the right resource that we as a region feel is most valuable to our efforts,” he said.
Irey said her agency, like Liberty, has long emphasized active protection against cyberthreats — but more training and support, particularly for smaller municipalities would be on her wishlist.
“That’s a big one for us is raising the awareness, providing support, helping with the training,” Irey said, noting cybersecurity is constantly on the minds of many IT officials because their agencies are continually threatened.
"There’s almost nothing more important than this right now as far as — it feels like a war. We’re holding hands together and giving support the best we can together, because we’re stronger together than we are singly,” Irey said.