“We’re all struggling to secure our cities, and we can use each other as sounding boards to ensure we’re either doing really good things or maybe we should change course and try to do something a little bit differently to fix the problems we have with cybersecurity,” coalition co-chair Boston CISO Greg McCarthy, told Government Technology. “None of us have all the right answers, but if we’re working together, sharing best practices, sharing lessons learned and working as a cohesive unit, we’re going to make our municipality more cybersecure and really government as a whole more cybersecure.”
The organization incorporated as a nonprofit in October 2020 and was born out of a lunch conversation between McCarthy and coalition co-chair San Francisco CISO Mike Makstman, during the 2019 RSA conference.
Makstman was new to the public sector, coming from a background in nonprofit and business, he told GovTech. The switch proved to be a major adjustment, with the differences in the climate standing out starkly. For one, office politics were now literally politics, public transparency had to be maintained alongside cybersecurity, and he was serving an enterprise that handled a vast swathe of functions — everything it took a city to run.
“I’m used to having professional organizations or colleagues to go talk to and nothing seemed to exist … There was no network to go talk to people in the same boat, who I could share my challenges with and learn from,” Makstman said.
Then he met McCarthy, who’d spent his career in the public sector, and “ended up talking for hours because we had so much to share.”
Even CISOs who’ve been in the public sector for a while are seeing their responsibilities change, as they increasingly needed to become public-facing and educate constituents who may be new to technology about using it safely, McCarthy said.
While organizations like the Multistate Information Sharing and Analysis Center (MS-ISAC) provide helpful tools, McCarthy wasn’t aware of any organization focused specifically on this slice of government.
One of the coalition’s major functions is to provide CISOs with a network of peers with whom they can discuss everything from technical data to policy approaches and learn about how counterparts are tackling similar problems.
“Technologists are good at technology, but we're not always the best at writing down things and documenting policies around them. So, sharing policies that we've created within our organizations with other municipal governments, this is going to be hugely beneficial,” McCarthy said.
Many peer-to-peer conversations are currently conducted through email chains, but the organization looks to create a smoother experience by adopting and shifting discussion to an online, centralized collaboration platform, McCarthy said.
Future plans also include hosting a variety of conversations on key topics both through webinars aimed at a wide audience and roundtables for moderated small groups discussions, McCarthy said.
The organization isn’t just aiming to improve communication about policies and strategies, either, and has experimented with helping local governments share threat intelligence. The coalition piloted using Los Angeles Cyber Lab’s automated threat intelligence sharing tool to support sharing between several local governments. A city CISO noticing a potential attack on their jurisdiction could enter details into the tool, and the warning would be automatically pushed out to peers in other cities, McCarthy said.
Local governments aren’t required to report incidents to CISA and often don’t, unless it’s a major event, McCarthy said. But CISA could hypothetically join the local government threat intelligence sharing group to be kept abreast of any alerts, he said.
The group allows any municipal, local or county government to join and expects its information to be useful to all of them, but only those with populations of a certain size (250,000 for cities and 900,000 for counties) can be voting members, McCarthy said.
Support can include helping smaller governments that are considering hiring a CISO think through interview questions to ask and resources they’d need to provide to support the CISO’s work, Makstman said. He also noted that the coalition presented a local government track at the last RSA conference that drew about 700 registrants, ranging from members of small water districts to large cities, and will hold it again in 2022, Makstman said.
The organization also seeks to inform stakeholders who may not be cybersecurity focused or not part of local jurisdictions. For example, it partnered with researchers at the University of Maryland, Baltimore County on producing a white paper aimed at helping educate local government officials on the need for proactive cybersecurity.
Makstman also sees an advocacy role for the organization and said it can amplify small and large cities’ concerns to federal policymakers and partners. That includes talking with the Cybersecurity and Infrastructure Security Agency (CISA) about the kinds of supports and support delivery models, that would be most helpful to them, Makstman said.
“Sometimes the centralized, big models for big services don’t resonate as well or can’t be absorbed or digested at the local level — that kind of feedback is what the coalition can really provide,” he said.
The group officially incorporated last year, something McCarthy said allowed for partnering with other organizations in a way that makes it clear members are doing so only in their capacities as members, and not in their roles as official government employees.
The organization has been working to grow its membership and a Nov. 17, 2021, meeting saw roughly 70 local government participants register, Makstman said. Most focus has been on the U.S., but the coalition is also in conversation with cities overseas, where Makstman said he sees an opportunity for mutual learning.
Current board members include the CISOs of Boston, Chicago, Dallas, Detroit, New York, San Francisco, San Jose and Seattle, Makstman said. New members can sign up on its website.
