The National Governors Association has been focused on engaging states when it comes to cybersecurity, and now a multistate compact stands as another positive sign of progress.
Governors are not traditionally known for their vast knowledge of IT systems or the importance of cybersecurity, but that stereotype seems to be giving way and leading to progressive discussions and leadership opportunities.
Last year, the National Governors Association (NGA) turned its collective attention to fighting the nationwide opioid epidemic and outlining some best practices and next steps. This year, they focused their attention to a different challenge: comprehensive state cybersecurity.
At the annual meeting of NGA in mid-July, 39 governors signed a compact — dubbed the Compact to Improve State Cybersecurity — aimed at better positioning their respective states around cybersecurity. Virginia Gov. Terry McAuliffe, who had served as the association’s chair until the meeting, had spearheaded the Meet the Threat: States Confront the Cyber Challenge initiative, which culminated in a multistate agreement to continue their cybersecurity endeavors.
Timothy Blute, program director for the NGA’s Homeland Security and Public Safety Division, said the signing of the compact is by no means the end of the overarching effort to better secure states through best practices; rather, it's a jumping off point for continued commitment on the part of state leaders.
“Last summer, at the NGA summer meeting, we released a compact on opioid abuse, and what we found was that it was a great way to sort of garner governor-level attention on the topic and really have governors commit to, a) recognizing the problem and b) implementing best practices,” he said.
The agreement calls for the adherence to three main tenants: building cybersecurity governance, which includes creating a formal structure, statewide strategy and conducting risk assessments; preparing and defending against cyber events, which includes creating a disruption plan, information sharing and coordination with the National Guard and the public; and growing the nation’s cybersecurity workforce, which includes reclassifying state jobs to better align with the private sector, placing veterans in cyber positions and partnerships with colleges and universities.
“Over the next year, obviously in our continuing work, we are going to track what the states are doing and then hopefully report out to the governors next July…,” Blute explained.
For Alabama, Gov. Kay Ivey’s signature was a strong signal of support for the action state cybersecurity and IT professionals were already moving ahead with.
Acting Secretary of IT Jim Purcell told Government Technology that many of the steps put on paper were already underway in his state, but that the buy-in from the state’s executive was very welcome.
“Our governor was one of the ones that signed it, and we said, ‘Man, that’s fantastic because we already, in the Office of Information Technology, had a focus on this,” he said.
In keeping with the main guidelines of the compact, Purcell said his team is down the road with the formation of a council and trying to centralize his office as the main cybersecurity resource for Alabama agencies.
The cybersecurity compact, Purcell said, draws the focus from the one-off efforts many states engage in and gives it a more holistic and cooperative national approach.
And out West, Hawaii Gov. David Ige announced on July 31 that his state also joined the compact, saying that the top priority of any governor is the public’s welfare and safety, which now includes protecting citizens from cyberthreats.
Cybersecurity experts at all levels of government say that collaboration with jurisdictions – above, below and lateral — is key to staving off the ever-present threat of a massive breach, poised by phishing, ransomware and hacktivism.
“Hawaii has already taken proactive steps toward the compact's goals,” said state CIO Todd Nacapuy in the press release. “These include establishing a state chief information security officer, reclassifying IT security positions to align with modern industry best practices, offering cyber internship opportunities, and supporting programs such as SANS Institute’s CyberStart program that encourages high school and college students to explore careers in cybersecurity.”
And in Minnesota, IT Services Commissioner Tom Baden lauded Gov. Mark Dayton’s decision to join the multistate agreement saying in a press release dated July 14 that the state has "a tremendous responsibility to protect the private data of 5.5 million Minnesotans, and this data is increasingly at risk for sophisticated cyberattacks. Committing to the NGA’s compact to improve state cybersecurity paves the path forward to work collaboratively with our legislature, cities, counties and federal partners to enhance our defenses against these threats.”
Though McAuliffe has returned to his pre-chairman duties, making way for Nevada Gov. Brian Sandoval’s term, Blute said the association isn’t done with the cybersecurity fight just yet. The association plans on continuing its research in this area and gathering resources for state leaders.
With some states obviously missing from the compact, Blute said the absence of their signatures was more based on maintaining flexibility in the evolving cybersecurity program landscape.
“The feedback we received from a number of states was just that right now they are still exploring the policies that they want to implement on cyber and they didn’t want to sign onto a compact and then choose to go in a different direction…” he explained.
Staff writer Zack Quaintance contributed to this report.