Backed by state funding, Purdue University and Indiana University (IU) will provide at least 342 cybersecurity assessments over four years — the minimum number the universities expect they could tackle. Mat Trampski, executive director of Purdue’s Technical Assistance Program (TAP) and cyberTAP, told Government Technology that recipients could be any “incorporated government entity with a technology presence.”
The project aims to give local governments insights for charting their cyber strategies and give state government information on how it might best direct investments, administrative actions and/or policies to better protect the entire state.
“This is, to me and to us, the starting point to creating a conversation and creating a network of opportunity for how do we want to see the state of Indiana protect itself and secure itself for the future,” state CIO Tracy Barnes told GovTech.
Students will also join cyber professionals on the evaluations, where they can gain more hands-on experience and learn about the needs of local government.
The universities are currently developing the methodology they’ll use when performing assessments, basing it on frameworks from the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST) and Trusted CI. That work should wrap up in 2022, paving the way to start offering evaluations, Trampski said.
STATEWIDE STRATEGY
The cyber assessments will give local governments better information for guiding their cybersecurity priorities and budgeting decisions, said Ryan Hoff, director of government affairs and general counsel for the Association of Indiana Counties (AIC), in a conversation with GovTech.
A one-off evaluation isn’t enough, either. Making sure the program is impactful means going back and reassessing government entities after about a year or two, to see if they’ve been able to make changes based off the original assessments, Trampski said. If the same weaknesses persist, that’ll highlight that more resources may be needed to help.
This project, in part, reflects a growing awareness that the state and local governments share technology connections, and that vulnerabilities in one entity impact the others, per the press release.
The Indiana Office of Technology (IOT) aims to review aggregate information about the evaluations, to learn where it can better support local governments, Barnes said. If common themes emerge — such as many municipalities showing the same struggles — IOT can make a case to the state for investments, policies or other actions to help address them. The state could also seek federal funding based on the findings, including through the State and Local Cybersecurity Grant Program, and work to provide more “holistic” solutions.
SPOTLIGHTING LOCAL GOV
University students will be able to get “on-the-job training” by joining professional cyber and informational security staff on the assessments, Trampski said. But the value of student participation goes beyond building their cyber skills, Barnes said. Students involved in the assessments will hopefully gain more sensitivity to the needs of local governments, and that could inform their future work, whether they enter the public or private sector.
As urban areas suffer population declines, they risk becoming overlooked. And so, Barnes said it’s important “to get more individuals to have that awareness and to … remember that, when I’m thinking about solutions — whether it’s technology or cyber or anything — I’m thinking about the least of us in the areas and communities that are often overlooked and often left behind, and how do I put things in place that enable them to continue moving forward.”
ENCOURAGING MODERNIZATION
The new initiative could also help governments feel more confident modernizing, by showing them how to minimize cyber risks when using newer technologies, Barnes said. Otherwise, cybersecurity concerns might persuade governments to stay in a “legacy mindset.”
“That fear often can give folks the impression that, ‘You know what, we’re better off just staying on paper,’” Barnes said. Such old-school approaches may be more cyber safe but can also hold communities back from growth and economic development, he said.
THE STATE-LOCAL RELATIONSHIP
As the program kicks off, the greatest challenge facing it isn’t technical — it’s relational.
Local governments can be wary that the state is going to sweep in with a heavy-handed approach — something IOT hopes to get ahead of by visibly making efforts to listen to local governments about their needs, offer services and emphasize collaboration, Barnes said.
“How do we overcome folks thinking that we’re looking to be more of a Big Brother as opposed to a helping hand and a partner in this challenge?” Barnes said. “The biggest concern is how do we make sure folks see that we’re not doing this to mandate, to control or to assert authority.”
Barnes and Trampski said the project aims to foster trust by putting higher ed — not the state — at the center of the effort. That could avoid triggering concerns about state authority and build on universities’ existing relationships with local government.
Purdue’s Local Technical Assistance Program, for example, has provided local government civil engineering support for decades, Hoff said.
NUTS AND BOLTS
Interested governments can sign up online to participate, and the state aims to spread the word through more outreach. Trampski anticipated a first-come, first-served approach to scheduling assessments, without prioritizing any particular size or type of government.
Barnes and Trampski both said they want the assessment process to be convenient for local governments
“It’s a really low barrier of entry,” Trampski said. “This is not going to be a terribly time-consuming or difficult process ... They should have no concern about sharing the data with us, or anything like that. It’s going to be a very smooth, easy program.”
These kinds of assessments typically take anywhere from half a day to a couple days, depending on the organization’s size, Trampski said. While the universities are still hammering out their approach to evaluations, Purdue’s current assessment work includes elements like network scanning, network enumeration, and internal and external scanning. Assessment teams expect to work closely with local governments’ IT departments, as well as include the risk and compliance teams and welcome other interested government members.
