'States Leading on Cybersecurity' was the name of session at National Governors Association (NGA) Annual Winter Meeting on Sunday. Homeland Security Secretary Jeh Johnson addressed looming DHS shutdown impacts as well as federal / state opportunities to work together to share cyberthreats and other critical information across the public and private sectors.
Photo Credit: C-SPAN
Cybersecurity was the main focus of Sunday’s Homeland Security and Public Safety Committee session, where governors and attendees heard from several guest speakers and asked questions of subject matter experts, including U.S. Department of Homeland Security Secretary Jeh Johnson, Army LT. General Edward Cardon and Jandria Alexander, from Aerospace Corporation.
At the session, developing deeper cybersecurity partnerships, the need for better training and the focus on keeping cyber talent (and related people issues) were the top themes covered during the 85 minute session at National Governors Association (NGA) session on cybersecurity at the 2015 Winter Meeting in Washington D.C.
Homeland Security Secretary Jeh Johnson addressed the potential DHS shutdown impacts as well as opportunities to work together to share cyberthreats and other important information across public and private sectors.
The session was broadcast live on C-SPAN and the entire video can be seen here.
The early minutes of the meeting were spent covering the potential impacts of a partial shutdown of the Department of Homeland Security (DHS), if funding is not provided by the end of February. Secretary Johnson had just come from five morning talk show appearances, and the topic of DHS funding was brought up many times throughout the question and answer period.
Secretary Johnson also said that cyber must be a shared effort, with essential roles for federal and state governments as well as the private sector. He highlighted some of the recent actions the Obama Administration has taken on cybersecurity, including:
- Proposing new legislation.
- Enhanced hiring authority for DHS.
- DHS now assists more federal departments in cyber.
- Strengthened the DHS NCCIC as the single portal for cyberthreat information, while proposing liability protections for private companies that share information.
Many of the other specific details regarding recent federal actions on cybersecurity are listed in this White House Cybersecurity Summit Fact Sheet.
The State Leaders and Governor’s Plans
The meeting was chaired by Gov. Terry McAuliffe (D-Virginia), NGA Homeland Security & Public Safety Committee Vice Chair. He said that:
- Last year over 100,000 attacks (on average) were targeted at Virginia Government each day of the year.
- One of his first acts as Governor was to adopt the federal framework on cybersecurity. Virginia was the first state to adopt this approach.
- He created a cybersecurity commission which is co-chaired by recognized leaders in the security industry. See this article for more details.
- Governor McAuliffe is also on President Obama’s Council of Governors, which shares cyberthreat information and had additional cyber briefings last Friday.
Governor Snyder of Michigan, who is chair of the committee, was not at the event in person due to an illness, but he sent a video, which included this new interesting hacking example of state government from the Michigan Cyber Range. Governor Snyder also highlighted Michigan’s leadership work in cybersecurity, including this new 2015 Michigan Cyber Initiative.
The Michigan Governor also said that he has included a FY 2016 budget request for an additional $7 million investment for cybersecurity. He said that Michigan is attacked online more than 700,000 times each day. (Note: the difference with Virginia is likely in how each state names or classifies a cyberattack.)
LT. General Edward Cardon, who commands cybersecurity for the Army, made it very clear that cybersecurity challenges are growing in complexity, scope, cost and other important ways. He emphasized the following areas:
- Partnerships are key.
- Governance, authorities and National Guard roles are important.
- Cyber mission force (expansion) completed by end of FY16 – establishing capabilities at a level playing field.
o Training to safe level as active duty, need facilities, organizations – each state's cyber network defense team.
o Ten cyber defense teams within the National Guard Bureau are being established, with the details being worked about where these will physically be located.
- Cyber problem continuing to grow for all aspects of military preparedness.
Jandria Alexander, from Aerospace Corporation, is on the Virginia Cyber Security Commission as a commissioner. In her testimony, she highlighted:
- Virginia’s Framework – They are establishing a strategic plan, baseline of security posture, gap analysis, roadmap and examining what’s available to help.
- Addressing the Unmanned Aerial Vehicles (UAV) protection space – Cyberattacks on unmanned aerial vehicles are being addressed.
- Initiatives with NIST – A cybersecurity showcase is coming to Virginia later this year.
- Manufacturing community becoming prepared for attacks.
- Cyber Operations Center – Joint cybersecurity operations center with the private sector, cyber testing, red team exercises and sharing incidents, lessons learned,
- You can learn more about the Virginia Commission at their website.
The Question and Answer Session
There were many excellent Q/A exchanges near the end of the session that are worth highlighting. These include:
- Secretary Jeh Johnson’s discussion on need for more cyber talent in government. The challenges of technology and people are growing. The panel agreed that technology is moving so fast right now, the people issues are paramount at the moment. Spear-phishing examples were mentioned, highlighting the need for better training.
- The Virginia Governor’s question on how we should be sharing more – with the answers including fusion centers from Secretary Jeh Johnson.
- Wyoming Governor Mead’s question on what is the weakest link - technology or people?
The answer from the LT. General Cardon was that, “People are everything in this space right now – technology is moving so fast. Offenses will always lead the defenses in cyber....”
Jandria answered that exploits of widely-known vulnerabilities are still common. In Virginia, there are 7 legislative bills on cyber, one on accountability for systems to be maintained to an appropriate level.
- Governor Nixon (D) Missouri asked about how to go on offense and better use law enforcement? How are people being held accountable for crimes?
DHS Secretary Johnson said we need to: “Make it cost-prohibitive to hack (illegally). He gave an example of justice from last week in New Jersey.
- Governor Fallin (R) Oklahoma asked: “Is ISIL a threat in 49 states?” (She heard this statement on a radio or TV talk show.)
Secretary Johnson replied that we have entered a new phase of terrorists threats – decentralized, the bad guys use Internet and social media, terrorists use Internet to reach into communities. We will see more independent actors, more complex, independent actors could strike at any moment. Need to build trust and instill that this all of our jobs – must be a public effort at all levels of government and the private sector.
Events Leading Up to the NGA Session
Utah Governor Gary Herbert NGA Vice-Chair introduced this topic at the opening NGA Winter Meeting session on Saturday.
“The increased frequency and intensity of cyberattacks makes this discussion critical and timely,” Gov. Herbert said. “NGA has taken the lead in providing states with plans and strategies for thwarting cyber attacks through its Resource Center for State Cybersecurity.”
“We would ask the Congress to work, and federal government, to work with states as we try to find solutions to that issue. Our national guard, we have a lot of expertise from the private sector that are available to help in this issue and working together we can find solutions.”
NGA Cybersecurity Session Analysis
One clear message from this session is that Governors are doing a lot on cybersecurity across the nation – including the allocation of more funds. Both Governor Rick Snyder from Michigan and Governor Terry McAuliffe from Virginia are taking many good steps to strengthen their online defenses. It is also clear that the other governors were very engaged with good questions and comments.
It is interesting to notice the similarities and differences from a similar NGA session at a winter meeting on cybersecurity two years ago. It is clear that the intensity is still in place, and NGA is doing some substantial work to continue to work with the federal government on the cyberdefense topics.
The comments and questions were certainly the most interesting part of the meeting, and I thought that LTG Cardon provided several excellent exchanges and comments such as this answer worth watching. His description on why the offense will always lead the defense in cyber was powerful and persuasive.
NGA will be taking several next steps on cybersecurity this year, and I urge readers to follow the NGA Resource Center for State Cybersecurity to learn more about upcoming events and programs that will soon be announced.
One such event listed at the NGA March calendar is the upcoming: National Summit on State Cybersecurity on March 30-31 in San Jose, California. Interested parties should contact Timothy Blute at NGA. My understanding is that most state government CIOs and CISOs will be attending.