Michigan. Georgia. Colorado. New Jersey. And now Utah. The list of states with a broad coalition of cybersecurity stakeholders united in one physical space has grown steadily over the past few years. Surveys from a wide array of organizations reveal that the No. 1 priority on the minds of tech leaders in state and local government is cybersecurity. Nobody wants news of a breach to break in their jurisdiction. And as cyber has worked its way to the top of the agenda, so has the realization that the CIO’s office can’t tackle it alone.
Increasingly, cybersecurity has become a concern that transcends the CIO’s office. Government Technology has tracked the growing frequency with which cybersecurity is now a part of the biggest policy speech most governors give each year: the State of the State address.
“We’re doing all we can within our existing management structure to defend our state resources, and more importantly to keep our citizens’ personal information safe from hackers, criminals or worse,” said Idaho Gov. Butch Otter, pointing to the appointment of the state’s first director of information security, Jeffrey Weak. Among Weak’s activities, as outlined by Otter, is enacting strict cybersecurity standards, Internet security controls and training for every employee. In another common practice, Idaho’s efforts, which include a partnership with the Idaho National Laboratory’s Cybercore Integration Center, are also aimed at luring cybersecurity-related industry to the state.
As for models to emulate, many, including officials in Utah, refer to the recently opened Hull McKnight Georgia Cyber Center for Innovation and Training as “the gold standard.” A pet project of Gov. Nathan Deal, now nearing the end of his second term, the $100 million center stands as a physical monument to the ever-broader way government is approaching cybersecurity. The 17-acre campus, when complete, will offer more than 330,000 square feet of space for various government and law enforcement agencies, academia and the private sector. It’s just this kind of broad collaboration that will position states to take on the enormity of the cybersecurity challenge.
“We have many different players focused on different pieces, and it seemed we could get a lot more done if we brought all those groups together,” said Georgia CIO and Georgia Technology Authority Executive Director Calvin Rhodes, tasked by Deal with overseeing the undertaking.
As for Utah, its cybercenter uses office space in the basement of the capitol building on State Street in Salt Lake City. It opened on the eve of the state’s primary election in June — just in time to help ward off the influx of intrusion attempts that Utah, and so many other jurisdictions, are experiencing this election season. It’s a proof of concept, of sorts, CIO Mike Hussey explained, estimating that the current space represents about 20 percent of what they need.
In answer to the question of “why now?” Utah Chief Information Security Officer Phil Bates admits that the state feels a bit behind the curve. “Five years ago was the right time,” said Bates.
Long lauded as a digital leader among state governments, Utah consistently receives an “A” grade in the Center for Digital Government’s* bi-annual survey of state technology practices. With a consolidated IT environment, a lean state workforce (smaller today than in 2002), transparent, data-driven operations, and an openness to experimenting with emerging technologies, other states routinely consult Utah’s example in making tech-driven improvements.
But when it comes to a multi-agency cybersecurity facility, funding has proven a challenge. Hussey estimates that the new space, about 25,000 square feet in total, would cost between $15 million and $18 million. If his team can secure support from the governor’s office, they’ll make the pitch to the Legislature early next year. Even with the funding in hand, building on Capitol Hill requires the approval of the Capitol Preservation Board, hesitant to make any changes to the area’s historical facilities. It won’t be a simple process.
For now, the small-scale center unites the Department of Technology Services, the Department of Public Safety and the State Bureau of Investigation. It recently played host to a tabletop exercise that cast a much wider net: elections staff, public safety, Homeland Security and the Department of Emergency Management and more.
Ultimately, though, they envision a number of additional uses for a larger cybercenter on Capitol Hill. A bigger space would allow the state to develop partnerships with academia, establish internships to contribute to the workforce pipeline and share expertise with local governments. One place where the need is particularly acute is with counties, which are responsible for administering elections in the state.
“Counties have expressed interest in getting into the cybercenter and learning how to improve their cyberposture … and we think that’s a good idea,” Hussey said.
An expanded cybercenter would also better position the state as a one-stop resource for Utah businesses needing guidance on their cybersecurity practices in order to prevent or respond to a breach. A few larger jurisdictions have started to serve this role as cyber-related concerns have increasingly permeated the private sector. Los Angeles, for example, opened its Cyber Lab in August 2017 in a partnership with Cisco to share threat information with local businesses.
“Every state needs to be looking at something like this,” Hussey said, adding that when he came on board as CIO in late 2015, the state was blocking 130 million intrusion attempts daily. That number is closer to 1 billion today.
“It’s not going backward. It’s going to continue on this trajectory, and we need to get in front of this as soon as possible,” he said. “We really need to respond now.”
*The Center for Digital Government is part of e.Republic, Government Technology's parent company.