Strengthening Cyber Partnerships: An Interview With the N.J. CISO

Michael Geraghty, the director of cybersecurity and chief information security officer for the state of New Jersey, shares information on cyber operations, partnerships and more.

Back in the summer of 2018, well before the COVID-19 pandemic changed virtually everything about technology and service delivery for governments worldwide, I had the privilege of interviewing Michael Geraghty, who is the accomplished director of cybersecurity and chief information security officer for the state of New Jersey, on all things cyber.

Fast forward to 2023, and Government Technology reported on New Jersey’s new 2023-2025 IT Business and Technology Strategic Plan earlier this year. In the following interview, I checked in with Geraghty on his new cybersecurity plan for the state, which can be found here, and where New Jersey security is headed next.

Dan Lohrmann (DL): So what are the biggest accomplishments in New Jersey cybersecurity over the past few years, since I interviewed you in 2018?

Michael Geraghty (MG): The saying “no one achieves anything alone” is appropriate here. The core of the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) is composed of professionals from New Jersey’s Office of Homeland Security and Preparedness (NJOHSP), the New Jersey Office of Information Technology (NJOIT), the New Jersey State Police (NJSP) and the New Jersey National Guard (NJNG). It is a very cohesive and high-performing team of teams.

We also have very strong partnerships with individuals and organizations throughout the public and private sectors. And let’s face it, no state CISO has a chance of accomplishing anything without the support of and partnerships with the governor’s office and the cabinet members running the executive branch departments and agencies. But our partnerships go beyond department heads to include managers and line workers.

Similarly, you can’t accomplish anything with private sector or local government organizations without having strong partnerships. Those partnerships are only developed if you’re trusted, and that trust comes not by what you promise but what you deliver.

In 2021, the New Jersey Domestic Security Preparedness Task Force ratified our NJCCIC Cybersecurity Strategy, and we’ve been feverishly working with our partners to achieve all its goals and objectives, while adjusting the plan for anything we may not have included but has emerged to be of strategic importance. Our accomplishments span many different areas from election security initiatives to legislation to cyber workforce development. The list goes on, but none of those accomplishments would have been possible without a great team and those strong partnerships.

DL: What are your top cybersecurity priorities for 2023-2024?

MG: We will continue to execute on our strategic plan and make adjustments as necessary. And as our dependence on technology for all aspects of government, education, commerce and life continues to grow, the priority has to be for the NJCCIC to scale proportionately in our ability to provide effective and efficient cybersecurity products and services to all of New Jersey, while also continuing to maintain the highest standards of excellence. Our team is motivated by such challenges.

DL: Tell us more about your security operations center.

MG: Speaking of scale, one of the biggest challenges for any organization is the ability to operate at scale while paying attention to the minutest of details. That’s especially important in cybersecurity. We’ve studied and borrowed some ideas for our Security Operations Center (SOC) from the architectures of some of the largest online companies that have enormous technology footprints and user bases. As every physical device and human is connected or becoming connected to a network, we need to scale beyond just what’s in our data centers and on our desks to account for the telemetry being generated by all those devices and humans. That includes telemetry generated by public safety systems, building management systems, transportation systems, physical access control systems, physical environment monitoring systems, etc.

Today, our SOC processes approximately 8 billion to 10 billion network, application and system events per day. In the next few years, we’ll probably need to triple that capacity. In order to achieve that scale, we’ve built it on a highly secure, resilient and elastic cloud infrastructure that can process all those events and allows us to detect and respond to any suspicious or malicious activity in real time.

DL: How do you see that center evolving over the next year or two with cybersecurity in New Jersey? 

MG: When we started on this journey, we focused on system, application and network events. Since then, we’ve added in all our other data sources, software and hardware inventory, vulnerability and risk data, threat intelligence and other information sources. It may not be the Holy Grail of a single pane of glass, but it’s a single source of the truth for us.

DL: How do you think AI (and more near-term generative AI) will impact technology and cybersecurity in America? Are you more fearful of attacks and misuses or of embracing the new technology?

MG: AI is a tool that can be used for good or evil, just like any other tool. And just like any other advancement in technology, we’ll evaluate it and use it to enhance our ability to do good things, while guarding against those who will misuse it.

DL: Is ransomware still growing, staying the same or shrinking as a cyber threat in New Jersey? Is there a statewide effort to help locals and schools with ransomware attacks?

MG: Extortion has been around for hundreds if not thousands of years. Ransomware has also been around in some form or another since the 1980s. The attack vectors and the extortion methods have certainly evolved, but as long as there is money to be made by the threat actors, it is not going away. When Willie Sutton was asked why he robbed banks, his response was, “That’s where the money is.” If you asked the transnational cyber criminal syndicates why they launch ransomware attacks, they would say something similar.

Our mission in the NJCCIC is to make New Jersey more resilient to cyber attacks. Toward that end, we do everything we can to help all organizations in both the public and private sectors to prepare for, respond to and recover from cyber attacks while continuing to operate effectively.

DL: What new technology excites you the most? What cyber threats or developments do you fear the most? 

MG: I’m going to steer this question in a different direction. New Jersey is one of the few states in which cybersecurity is organized under the State Office of Homeland Security and Preparedness, and that provides me with a little bit of a different perspective. On Sept. 10, 2001, it was almost unimaginable that terrorists would be able to hijack and fly planes into the World Trade Center or the Pentagon. Yet it tragically happened. Since 9/11, both the public and private sectors committed to never allowing such an attack on our homeland to ever happen again. Today, such an attack is as unfathomable as it was then, but now it's because of all the efforts, safeguards implemented and continuing diligence to make sure it can’t. To think that we can make such progress in securing our homeland is exciting. Similarly, we saw that same commitment during the pandemic in battling COVID-19. It is amazing what we can accomplish.

On the flip side, we haven’t committed to doing that in cybersecurity, and that scares me. All of the same vulnerabilities that were exploited in 1986, as documented in Cliff Stoll’s book The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, are still prevalent today. In 1986, West German hackers hired by the KGB gained access to Lawrence Berkeley National Labs (LBNL) computer systems by way of the dormant account of a system administrator who had left LBNL a year earlier. In 2021, a dormant account for an employee who left the Colonial Pipeline Company was used to launch the ransomware attack that crippled fuel delivery in the southeast part of the United States. It’s like "Groundhog Day." We haven’t shown the same “all for one and one for all” commitment to hardening our networks and remediating those vulnerabilities yet. That doesn’t mean there aren’t people trying and good work isn’t being done, but there’s a lot more of it that needs to happen.

DL: Anything else you want to mention? 

MG: I’m a proponent of the collective defense model for cybersecurity. It is unrealistic to expect any one person or organization to defend against nation-state actors, criminal syndicates, terrorist groups, hacktivists and others who can launch attacks from anywhere in the world at any time of day or night.

A more effective approach from both a cost and resiliency perspective is the adoption of a collective defense model in which organizations collaborate to detect, share intelligence and respond to threats together in real time. If we all adopt that approach, we’re going to be much more resilient to cyber attacks.

DL: Thank you for taking the time to answer my questions. And more important, thank you for your government service to New Jersey and the U.S. as a whole.  

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.