States Explore Opportunities at National Summit on Cybersecurity

As state government leaders left Shreveport, Louisiana, this week to return home, there was a sense of how far the nation has come regarding cybersecurity — tempered by a recognition of how much more needs to be done.

May 20, 2019
credit: Dan Lohrmann

The National Governors Association Center for Best Practices held its third National Summit on State Cybersecurity on May 14-15, 2019, at the Shreveport Convention Center.

The unique event convened state homeland security advisors, chief information officers, chief information security officers, governors’ policy advisers, National Guard leaders, and others from 50 states and territories to explore cybersecurity challenges and promising practices. Over the course of two days, participants engaged in a series of interactive sessions and breakouts to discuss countering the newest threats, disruption response planning, workforce development, and much more.

Coverage of the event was widespread. Here are a few of the headline stories that came out of the event (with embedded videos from the summit):

This radio interview after the event highlights many of the regional cybersecurity topics being addressed at the national summit.

Cyber Summit Agenda Items

So what topics were on the agenda? Here’s a sampling from Day 1:

  • Preparing the Grid for a Dark Sky Event
  • Cybersecurity and The Whole-of-State Approach
  • Cybersecurity & Crisis Communications
  • After-Action on the Colorado Department of Transportation Ransomware Attack
  • Keynote: Governor John Bel Edwards
  • Breakout: Supply Chain Management
  • Breakout: Using Cyber Volunteers for Incident Response
  • Breakout: How Does IT Centralization and Unification Improve Security?
  • Breakout: Information Sharing — How Far Have We Come?
  • Breakout: Statewide Disruption Response Planning
  • Breakout: Coordinated Vulnerability Disclosures
  • State Efforts to Assist Locals with Cybersecurity

On Day 2, here were some of the highlights:

  • An Interview with Dan Geer, chief information security officer of In-Q-Tel
  • Panel: Preparing the Next Generation of Cybersecurity Professionals in Louisiana
  • Keynote — Chris Krebs, director of the Cybersecurity & Infrastructure Security Agency, U.S. Department of Homeland Security
  • Fireside Chat — Jeff McLeod, director of the Homeland Security & Public Safety Division, National Governors Association (Moderator); Gov. Asa Hutchinson, Arkansas; Thomas Kennedy, CEO, Raytheon
  • Election Security: Looking Back, Looking Forward

The sessions were packed with best practices, case studies, opportunities for improving cybersecurity in different areas and much more.

You can visit this NGA resource center for best practices in state cybersecurity to learn more details. There are numerous guides, case studies, sample memos and more in areas such as governance, response planning, critical infrastructure, cybersecurity controls, cybercrime and other topics.

In a related topic, this article from Government Technology magazine also offers details on how Arkansas is taking aggressive measures to shore up cybersecurity.

My Favorite Sessions

I was involved in the summit as a moderator for the breakout session on coordinated vulnerability disclosure programs. For those who want to learn more on that topic, see this blog.

My two favorite sessions at the 2019 National Cyber Summit on State Cyber Security were the interview with Dan Geer and the presentation by Chris Krebs.

Here are a few of my highlights from the Dan Geer interview (some words may be slightly paraphrased).

  • A good question to consider for penetration testing is not whether they can break into your network, but rather, how much effort does it take to break into your network.
  • Cybersecurity may be the hardest problem in the world to fix, because we have an active opponent who is always adapting. Fixes don’t stay solved.
  • Measurement (in cyber) must yield decision support. For example, police may not be able to determine how much meth is in an area, but they can measure the price.
  • How can we move forward in a positive way? Answer: We need more legal responsibility for developers, and more liabilities must be added. For example, if a company stops supporting a software product, it should become open-source. Also, network operators (for example, AT&T and Verizon), who know when (and how) many cybercrimes are being committed on their networks, must take more responsibility and action to stop bad actors.
  • Overall, Dan Geer is cautiously optimistic about the 2020s in cyber. Defenders are improving.
  • Geer believes the Internet will Balkanize into many smaller micro-networks. He believes smaller countries are asking “which foreign power will own you.”

While this session is from another event in 2018, this interview provides a good sense of the dialog that occurred with Dan Geer.

The keynote session with Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency in the U.S. Department of Homeland Security, was also fascinating.

He described the actions of Russia in 2016 as game-changers in the history of cybersecurity, because the hacking was not just for data, but was an attempt to undermine democracy. He described excellent progress on election cybersecurity, with more actions coming soon.

Krebs stated that serious threats were not just from nation-states. Ransomware and a host of other cyber trends were top priorities. He reiterated many of the same themes that he presented at the RSA Conference 2019 in San Francisco. You can see that RSA presentation below to get a sense of his style and content.

Final Thoughts

Hats off to Jeff McLeod, the director of NGA’s Homeland Security and Public Safety Division, and also Maggie Brunner, program director for the Homeland Security and Public Safety Division for the NGA Center for Best Practices, who organized and ran this event. Extremely well done!

Also, the National Governors Association (NGA) Resource Center for State Cybersecurity is co-chaired by Arkansas Gov. Asa Hutchinson and Louisiana Gov. John Bel Edwards, and both leaders (and their teams) really strengthened and supported the event in numerous ways.

I found the networking and level of discussions to be outstanding, with experts and cyber leaders from numerous state governments involved in some way. Involvement from academia, police, technology, homeland security and many other areas of local, state and federal government was unique. The priority focus on how cybersecurity impacts election security, workforce development, economic development and other areas of public-private interaction was outstanding, in my opinion.

In short, our challenges are great in cybersecurity, but the opportunities are also numerous in every area of life.

I encourage readers to engage their local and state leaders on these cyber topics and to review the materials and best practices offered by NGA and NASCIO.