North Dakota is implementing unified cybersecurity across the 7 branches of government. Sean Wiese, North Dakota CISO, explains how this new, singular approach is breaking down silos and redefining shared cyberservices.
As data breaches and ransomware headlines become commonplace, what can state and local governments, universities, community colleges, K-20 schools and others in the public sector do to change the cybersecurity paradigm?
To answer that question, many government (and private sector) leaders are looking north – to North Dakota.
As Government Technology Magazine reported back in mid-April:
“The North Dakota legislation authorizing a new unified approach to cybersecurity was signed into law Thursday by Gov. Doug Burgum.
The governor, a former Microsoft executive, said Senate Bill 2110 would go far toward protecting the state's digital infrastructure.
‘This important investment in 21st-century critical infrastructure recognizes the increasingly digital world in which we live and the growing nature of cybersecurity threats,’ said Burgum. ‘A unified approach to cybersecurity strengthens our ability to protect the state network’s 252,000 daily users and more than 400 entities from cyberattacks.’”
Introducing North Dakota CISO Sean Wiese
Leading this northern cyberdefense charge is Sean Wiese, the Chief Information Security Officer (CISO) and Director within the North Dakota Information Technology Department (ITD) since March 2016.
Mr. Wiese has a wide breadth of experience in technology and security, and holds CRISC and CISSP professional certifications. Prior to becoming the North Dakota CISO, Sean was an Information Technology Manager for the North Dakota Newspaper Association from 1998-2002, an Information Security Analyst for ITD from 2002-2005, an Information Security Officer for NISC from 2005 to 2015 and a Senior Information Security Engineer for Kadrmas Lee & Jackson from 2015-2016.
I have spoken with Mr. Wiese several times over the past few years, and his passion for security, cyber expertise and belief in what North Dakota is doing come across clearly. He offers a compelling vision that flows down from Governor Burgum and Chief Information Officer (CIO) Shawn Riley. Both Mr. Wiese and Mr. Riley participated in CyberCon 2018 at Bismarck State College in October 2018. You can read about that event here.
As you can see in the interview below, the North Dakota team offers bold new ideas and a cyber vision that is now becoming reality and a potential roadmap for others.
Exclusive Interview Between North Dakota CISO Sean Wiese and Dan Lohrmann
Dan Lohrmann (DL): What is the “big picture” vision for cybersecurity in North Dakota?
North Dakota CISO Sean Wiese (SW): The big picture is a unified and singular approach to cybersecurity across the 7 branches of government. Protecting our citizens’ information and our systems is a priority, and as Gov. Burgum stated in a recent press release, legislation passed this session (SB 2110) is an important investment in 21st century critical infrastructure, and in recognizing the increasingly digital world we live in, as well as the growing nature of cyber threats.
The big picture for Information Technology writ large is a unified ‘shared service’ approach to supporting business needs now and in the future, and we’re focused on working as one across agencies to transform how we do business. Our ability to meet increasing demands for application development, data analysis, systems integration, cybersecurity efforts, website development, overall business needs, etc. relies on a holistic approach and an ability to move beyond day-to-day ‘run’ activities and move into the ‘grow’ and ‘transform’ realms.
DL: How does having a former Microsoft Executive as Governor help your cybersecurity efforts?
SW: Leadership at the top makes a huge difference in helping bring focus to key issues, which is where Gov. Burgum’s background and current role as chief executive is a wonderful asset. He is deeply passionate about technology, and harnessing technology to serve citizens. He also recognizes that one of our most important jobs as state government is to protect citizens’ data.
Our ability to work collaboratively with North Dakota’s legislators to pass Senate Bill 2110, the ‘whole-of-government’ cybersecurity bill, was due in large part to the Governor’s technology background and the collective efforts of our legislative partners to prioritize this as a key issue for the state.
DL: How will the new law, Senate Bill 2110, protect North Dakota’s Digital Infrastructure?
SW: SB 2110 is a game-changer in terms of elevating the security posture across all of state government by approaching cybersecurity from a unified, centralized perspective.
North Dakota faces threats because of the unique nature of our state network supporting 252,000 daily users, which is equivalent to a Fortune 30 company, as well as our military footprint and national leadership in the agriculture and energy sectors (we are #2 in oil production). Protecting our critical infrastructure across all sectors requires a comprehensive, singular strategy.
With 400+ different entities trying to individually manage their cybersecurity efforts, you get exactly that – 400+ approaches to cybersecurity. This effort will allow us to better defend against the 5.7 million known attacks we see every month. This approach also enables us to measure our efforts in a more consistent manner, giving us a more informed view across all entities so that we can more effectively defend against threats.
It’s one thing to explain the importance of cybersecurity, but to actually show an example of an actual attack tells a much more compelling story. One of the ways we did this was to host a ‘hacking demonstration’ at the Capitol for our legislators during this year’s legislative session.
We had several scenario-based hacking stations set up, and they were shocked to see how easy it is to intercept personal information through public WiFi, and through the various types of phishing that can wreak havoc on your devices or be used to steal personal information.
We had a social engineering demo where we impersonated an internal HR portal and showed how we could harvest credentials by presenting it as a legitimate site. This was really eye-opening for attendees, who were surprised at the ease with which credentials could be obtained as they were logging in to the supposed legitimate site.
We also had a real-time threat map showing where attacks were coming from around the world, which was a very visual aspect. Educating all of our stakeholders is a really important part of what we do, so we’ll continue to incorporate this kind of interactive outreach in the future.
For more information on the signed legislation see this article.
DL: How will cyber education change for K-20 schools in North Dakota? How is this different than other states?
SW: We are really excited about the K-20W Initiative. This is a completely unprecedented, statewide effort that has gained incredible momentum in only 18 months, and many states have reached out to ask how we’ve moved this forward.
We recognize that the jobs of today and tomorrow involve significant emphasis on technology skills. Virtually every job and every industry are being impacted by the rapid pace of technological change, which is why as a state we are pursuing a comprehensive, statewide approach to computer science and cybersecurity (CCS) education and workforce training. Our goal is “Every Student. Every School. Cyber Educated.” Prioritizing these skills will help organically grow our workforce and set students up to succeed, regardless of career path.
One of the key ingredients to the overall momentum and success of the initiative so far has been support from state leaders. This includes the state Superintendent, chancellor and other higher education leaders, governor, information technology executives, military leaders, Cabinet leaders, and numerous industry and public sector stakeholders.
The initiative is creating momentum through dozens of opportunities for students and teachers to learn valuable skills beyond just ‘technology’ and being savvy digital citizens (which is also incredibly important). It emphasizes foundational skills like problem-solving, communication and teamwork that are incredibly valuable in a world where the jobs of tomorrow don’t exist yet.
For instance, many jobs, particularly in the cybersecurity, data analytics and digital marketing spaces, didn’t exist ten years ago. Cybersecurity itself has a virtually zero percent unemployment rate. Cybersecurity Ventures predicted 3.5 million unfilled cybersecurity jobs by 2021, up from an estimate of 1 million by Cisco in 2014. That’s why creating opportunities to organically grow a workforce can help students and citizens pursue fulfilling careers, while supporting continued economic growth.
The coalition and partnerships have yielded significant accomplishments in a short period of time:
And the list goes on….. Our bottom line is: we recognize that to compete locally – and globally – we need to create a technology literate workforce that can compete and succeed in the 21st century economy.
DL: Will there be sufficient resources to implement the new cybersecurity approach? How long will it take?
SW: Our original ask was 37 FTE and $11.4m and ultimately, as we worked through the legislative process and worked with committees, we were given 8 FTE and $11.4 million. This is a very significant investment in our cybersecurity workforce and infrastructure and will enable us to incorporate new cyber toolsets and services to attain our goal to have the most automated cybersecurity operations center in the country. We are finalizing our cybersecurity operations strategy, including the process of hiring the 8 FTEs and acquiring the cyber toolsets in the coming weeks. The stand-up of the security operations center will be an iterative process, with technology and process deployment being delivered in several phases, with our goal to be fully staffed and operationalized by the end of 2019.
DL: What do you believe is possible regarding cyberdefense with your new unified approach? What is included/left out?
SW: This unified approach is just the beginning of a journey to a more holistically secured and protected State of North Dakota. Thanks to our statewide network that covers communications to all seven branches of government, we have visibility into the threats directed at it. By weaving in this unified approach to cyberdefense, we are able to better protect the additional layers above the network, all the way down to the endpoint. Keep in mind, it isn’t all about the technology either. Awareness and education, documented risk management practices, and efforts towards achieving a minimum viable security practice threshold are just as important and will be assessed and measured on a regular basis.
DL: Is there more coming for the 2020s? What are your 3-5 year goals beyond current projects?
SW: Similar to many other organizations, the state is facing 24% retirement in the coming years, so one of the things we want to do is look at Robotic Process Automation, and using technology to replace the commodity/transactional tasks where we can, which also gives employees an opportunity to do more meaningful work that only creative human beings have the capacity for.
When we talk about ‘robots’ and ‘automation,’ people tend to jump to the assumption that we’re talking about replacing humans, which isn’t the case at all. We’re talking about tasks that can and should be automated, to be more efficient, to enable our employees to do higher level work.
The example our CIO, Shawn Riley, uses to illustrate this is one of those vintage, galvanized washing boards that you can still buy on Amazon for $15.00, vs. a modern washing machine that’s going to cost $1,000 or $1,200.
Sure, we could all do our laundry by hand for the low-cost investment of $15.99, but the point is our time is more valuable spent doing other things that the Electrolux can’t.
We need to make wise IT investments that will help meet business needs now and in the future, and we need to explain to our team members that we value their skills and abilities, and there is a place for automation that augments our ability to do more, more efficiently. Anyone who is willing to learn and have a growth mindset will always be able to find a job. Let’s let the technology help us make a bigger impact and do commodity, repeating work.
We also see IoT devices becoming more pervasive across industries. North Dakota is very future-focused with our view of the technology landscape and capabilities that will exist in the future around smart technologies. For instance, Gov. Burgum and Chief Information Officer Shawn Riley have stated a goal of having over one billion sensors in the state, and that may not be so far-fetched.
In the agricultural industry we see autonomous vehicles, and sensors that monitor moisture and nutrition. In the energy industry, sensors monitor production, performance and safety of many operations. In virtually every small business, we see technologies enabling virtually all aspects of operations, sales and marketing. There is literally no industry that exists in the state – or nation – that will not continue to benefit from advancements in emerging technologies including AI, ML, IoT and automation as a whole to augment the quality of a service or product for that business.
With this significant change happening with how technology is embedded throughout our lives both personally and throughout our economy, it is imperative that we deploy capabilities that protect our infrastructure and support continued deployment of these emerging technologies.
DL: I want to thank Sean and congratulate the entire North Dakota team for this outstanding cybersecurity vision and ground-breaking approach. I certainly wish you the best of success in your cyber efforts as you head into 2020 and beyond.
As I learn more about the cybersecurity (and overall technology) efforts in North Dakota, it reminds me of my initial years working with former Michigan Governor Rick Snyder and CIO David Behen. Similar to Governor Doug Burgum, who has a technical background with Microsoft, Governor Snyder was the former CEO of Gateway Computers. Both men understand technology, as well as the potential pitfalls in our new digital world - thus the need for new, robust cybersecurity efforts.
During those years (2011-2014), Michigan launched numerous new cyber projects that were closely watched (and emulated) all over the nation. Those ground-breaking efforts are still being utilized and modeled around the world today (such as the unique approach to a comprehensive public/private statewide initiative for cybersecurity in 2011, programs like the Michigan Cyber Range, Cyber Disruption Response Strategy and Michigan Cyber Civilian Corps).
A top technology executive from a Fortune 500 company recently asked me about my views of North Dakota’s cyber plans, because he thought they were becoming national leaders - forging new approaches for global governments.
He asked if North Dakota's new unified cyber approach will be adopted by other states (and even other countries) just as Michigan's actions were followed. I said, given the unique governance models in other states, only time will tell.
I certainly agree that these bold cyber plans in North Dakota are cutting-edge, impressive and will strengthen their overall cyberdefense efforts. Their singular approach is innovative, and the North Dakota leadership team is world-class. It will be exciting to watch how North Dakota develops over the next few years.
In the meantime, I urge others to examine North Dakota's overall cybersecurity model - especially for K-20 cyber education.