And though the feds may have the dollars to throw at vulnerabilities, states and smaller jurisdictions are left to fend for themselves — ready or not. What’s more is that their treasure troves of data arguably outweigh anything at the federal level and are often far more vulnerable to outside threats.
Those well versed in the challenging area took to a panel on Feb. 16 to discuss its finer points and talk through what is working in the space during the 2017 RSA Conference.
In Virginia, state leaders have doubled down on their cybersecurity strategy and focused on planning, investing and executing it across their agencies. Secretary of Technology Karen Jackson said the major barrier for states undertaking these efforts is more a function of cost and budget than anything else.
Though she acknowledged that the threats facing the public and private sectors are not dissimilar, she said the available resources and scope of responsibility between government and industry could not be more different.
“I think the biggest challenge in the state is that we have to look at it from a myriad of funds,” she said, adding that while a private company is only responsible for protecting its own networks and customers, state government is responsible for many agencies controlling massive amounts of personally identifiable information.
Dropped down another level, localities face the same challenges as the state but are almost always less funded, less aware and less able to respond to the revolving threat landscape. “When you are in that kind of environment, you have to really try to put in as many safety nets as you can," Jackson said. “It’s a very different world when you get down to the small communities.”
When compromises occur, expecting smaller communities or service provider to comprehensively react to an attack without some level of outside assistance from state or federal partners, said Eric Goldstein, branch chief for the partnerships and engagement wing of the Office of Cybersecurity and Communications at the Department of Homeland Security (DHS).
“I think what we can hope is that they have been educated to identify the problem and know who to call. I think who to call will differ by state,” he said. “Our goal is that these utilities recognize the problem and call somebody quickly, not that they are internally resourced to manage the entire incident in-house.”
Goldstein continued to say that a clear channel and coordinated cyberattack reporting process should be available to these smaller organizations to optimize the reaction that follows.
Those working to coordinate leadership and strategy across the country are seeing a shift in the focus and a concentration on including smaller government organizations that have historically been overlooked.
According to Timothy Blute, program director for Homeland Security and Public Safety at the National Governors Association, more states are opening the conversation and working to educate and collaborate with less prepared local jurisdictions.
“One of the optimistic things we’ve seen from our approach is, especially in 2016, more and more states are including locals in the strategic planning process,” he explained. “ A lot of the states we are working with not only were focused on, 'How do I shore up state IT systems? How do I do outreach to critical infrastructure?' but then the next piece of that was, 'I’ve got to get the local municipalities in on this discussion, I’ve got to get the counties in, I need to understand what their vulnerabilities are.'”
While efforts to improve state and local cybersecurity are all well and good, the panelists agreed that maintaining any long-term strategy requires a talent pool that has been hard for many in the public sector to draw from.
The Virginia approach has been to offer two years of tuition for two years of state service as an incentive for tech-minded individuals to look beyond the private sector's higher-paying opportunities.
“Every single state we work with and talk to is trying to get their arms around the workforce issue," Blute said. "Whether it’s smaller workforces trying to get qualified folks to work for the state to promote and protect cybersecurity or the bigger pipeline, every single state we are working with is thinking about it and trying really innovative and creative ideas …”
