A virtual session of the National Association of State Chief Information Officers (NASCIO) midyear conference titled “Stronger Together: State and Local Cybersecurity Collaboration” came out of a report of the same name published earlier this year by NASCIO in partnership with the National Governors Association (NGA). The effort was a response to the dramatic increase in ransomware attacks on the public sector in 2019 and looks at examples of places where state, county and city governments are working together to bolster cybersecurity.
North Carolina Chief Risk Officer Maria Thompson and Randy Cress, CIO and assistant county manager in Rowan County, N.C., explained how such partnerships work in their state, where legislation requires local governments to report all cyberattacks to the state Department of Information Technology (DIT). DIT works with the North Carolina National Guard and the Emergency Management agency to assist cities and counties responding to cyberattacks. As with so many interagency efforts, communication is key, they said.
Thompson stressed the importance of understanding who the stakeholders are at the local level, and of finding someone who is trusted in the local government community. For her, one of those people was Cress, who serves on the North Carolina Local Government Information Systems Association (NCLGISA) as an IT Strike Team Leader. Cress had previous experience working with NCLGISA on emergency management and disaster preparation for the state’s hurricane season, work that he said parallels readying for cybersecurity. Because he had existing relationships through that association, he had built trust among his fellow local government peers.
Thompson said she wants local governments to understand that the legislation mandating cyber reporting does not mean cities and counties are beholden to the state, but rather that the state understands that locals are often under-resourced and wants to offer tools to help in incident response. And while states may not have budgeted line items for assisting local cyberefforts, as is the case in North Carolina, Thompson said leaders must get creative when it comes to funding.
Also part of the panel were the report’s authors, NASCIO’s Meredith Ward and the NGA’s Maggie Brunner, who brought up a belief held by some IT leaders that helping local governments is not in the state’s “swim lane.” Thompson was clear on her stance that that is incorrect.
It’s a concept central to Thompson’s belief that a whole-of-state approach is necessary in cybersecurity. “‘State’ is in our title,” she said, “but ‘state’ doesn’t necessarily just mean state agencies.” It is also DIT's job to work with and help protect North Carolina's local jurisdictions.
“The relationships that you have will create that environment where you can share and learn from each other,” Thompson continued. “Does education and awareness make you better and stronger? Yes, and by continuing to learn from each other, we get better over time.”