The state of Arizona, which has long worked to eliminate gaps in coverage and implement enterprise-level security controls, is getting even more serious about cybersecurity with the creation of a broad task force dedicated to driving collaborative securitization.
Gov. Doug Ducey, who is in the final year of his first term, signed Executive Order 2018-03 March 1, doubling down on information technology security by creating the broadly centered Arizona Cybersecurity Team (ACT).
The group, made up of at least 22 members, will convene some executive branch-level officials who already interact on a regular basis, including Chief Information Officer Morgan Reed and Chief Information Security Officer Mike Lettman, as well as representatives from the departments of public safety, homeland security and emergency and military affairs.
But it will also bring in representatives from the legislature, higher educations, local government, the private sector and other state agencies.
The group’s overall mission is to “work together to protect Arizonans from a cyberattack,” the state said in a news release, and Ducey called it “another step we can take to enhance our cyberpreparedness.”
“In today’s world, the threat of cyberattacks is persistent and constantly evolving, which is why we are taking proactive steps to mitigate that threat and making sure agencies continually improve their cyberdefenses,” the governor said, highlighting the need to “work together as one team throughout government and the private sector.”
The team’s responsibilities include developing recommendations and advising the governor on cybersecurity issues; receiving quarterly updates from Lettman; offering advice on federal resources available to fight cyberthreats; promoting public awareness of threats; fostering collaboration between government, the private and education sectors, law enforcement and others; and driving cybersecurity and IT workforce development and training at the higher education level.
In an interview, Lettman praised the steps and noted that Arizona is a national leader in information sharing between the public and private sectors, in part due to the establishment of security organizations like the Arizona Cyber Threat Response Alliance (ACTRA), a collaborative cyber information hub that’s part of the Arizona Infragard.
“I think the silos that exist today [are], we all feel we know how to handle it and we don’t need help from everybody. We’re trying to break down that barrier. We’re trying to say, ‘We all need help. We cannot do this alone,’” Lettman said, referring to the cyberthreats that public and private sectors alike face.
Through teamwork, Lettman said the various entities could forge common solutions to IT security questions and confront related issues like an ongoing lack of applicants to fill vacant IT and cybersecurity positions in the state and around the world.
The CISO called the team’s mandate to “promote public awareness of threats online and how best to protect information” an “interesting” responsibility that isn’t always seen at the state level.
“Education on cybersecurity is certainly not in the wheelhouse of our mission. That one is very interesting that that’s in there, and I’m looking forward to hearing what this team has to say about what can be done,” Lettman said.
Sen. John McCain thanked Ducey for creating the ACT, which he said in a statement will activate “diverse expertise and experience” and train a “capable workforce to combat this 21st century challenge.”
“Over the last several years, we have seen cyberattacks target critical national security infrastructure, threaten our democratic institutions, and compromise the information of millions of American citizen. It’s never been more critical for the public and private sectors to work together to strengthen our cyberdefenses and protect Arizonans,” McCain said.
ACT’s exact schedule, and when exactly the governor might appoint its co-chairs isn’t set in the EO. But Lettman said it’s possible those appointments could come as soon as next week, with a meeting schedule likely to follow.
“It depends on what issues, and the directions we’re given. My recommendation would be [to meet[ monthly, minimum quarterly, but those will be discussed by the group,” Lettman said.