The task force has been meeting regularly since Gov. Laura Kelly convened it in July 2021 and it delivered its interim report to her on Oct. 5, with the document becoming public on Oct. 28. The report reflects the insights of public- and private-sector members and various experts and stakeholders with whom they convened and focuses on four central areas: statewide coordination and collaboration, workforce development and education, cyber incident and disruption response, and strategic vision and planning.
The task force is accepting feedback at CyberTaskForce@ks.gov, which will help the team expand on its recommendations and add additional ones. An updated, second report is due on Dec. 5.
State CISO Jeff Maxon and city of Wichita CIO Mike Mayta chair the task force, whose 15 members includes an array of voices from county and municipal government, critical infrastructure, emergency management and other areas. Kansas isn’t alone in turning a task force on the problem of cybersecurity, with Idaho currently in the midst of similar efforts. The Kansas team also turned to the National Governors Association for insights into its peers’ cybersecurity efforts to inform its own proposals.
The interim report makes clear that the task force sees more work ahead to make its proposed improvements stick. One recommendation calls for maintaining the task force for another year while Kansas establishes an official governance model for whole-of-state cybersecurity. Report authors also expressed concern that future administrations could easily undo progress by revoking the executive order behind the task force and urged long-lasting legislative action.
“It is highly recommended that the authority, responsibility and accountability of this governance body be codified by legislative action into law,” the report states. “Without empowering legislation, the extremely important work of cybersecurity governance will become distracted by changing political winds.”
EXPANDING THE GOVERNMENT’S CYBER STRENGTH
New government instruments will be needed to carry out the work ahead, and the task force called for creating a working group with the authority to oversee the state’s cross-sector cybersecurity collaborations. That could include managing strategies for sharing information, coordinating incident response and collaborating with various stakeholders. Task force members also urged the state to move within six months to create an advisory body responsible for developing an incident and disruption response plan.
Beefing up the state further will require establishing several new positions, too. Those may include a cyber navigator charged with facilitating communication and cooperation across public and private partners as well as an official charged with identifying cybersecurity grants and helping organizations obtain them.
Getting these and other cybersecurity roles filled will likely require new strategies. The public sector needs to better compete against private firms in benefits and, ideally, salary, the task force suggested. It called for the state to explore raising pay and enabling cybersecurity staff to work remotely when possible. This could both help government recruit as well as potentially channel high cybersecurity salaries to job seekers in rural areas, thus boosting those regions’ economic development, authors said.
Those initiatives, while helpful, may not be enough on their own and additional education and recruitment efforts should be launched. For example, the state could draw in more recruits by covering the costs of degrees for students who agree to spend several years working in government after graduating, and internship registries could help match interested individuals with public and private opportunities, the task force said.
CONTRACTS AND RESOURCES
It’s hard to improve when you don’t know what you’re starting with, and so the task force advised the state to review all its current cybersecurity contracts to identify any unmet needs. It also proposed creating a single comprehensive cybersecurity contract with multiple service and solution providers so that agencies could turn to this to quickly find offerings from vetted vendors, without needing to start procurement from scratch.
Kansas should also make sure that lower levels of government can purchase through state cybersecurity contracts, because this can lead to lower rates all around and save time for towns and counties that would be able to skip issuing their own requests for proposals.
Still, some agencies may not be able to find the goods they need in existing contracts, and states can help these and other organizations by providing boilerplate cybersecurity and information security contract language they can use in their own procurements. Organizations should be able to trust that using this standardized language ensures the deals meet a desirable level of cybersecurity.
DISASTER RESPONSE AND DEFENSE
Kansas' whole-of-state approach means engaging various different sectors in cyber defense. The task force recommended several ways to encourage this, including through annual conferences to promote networking and ideas sharing. New partnerships can also help; for example, the state could turn to entities with key audience bases — such as the League of Municipalities or Association of Counties — for help spreading the word about best practices, state offerings and cybersecurity alerts.
Regulatory rules, not just voluntary action, may also be important to making good cyber behaviors more widespread, and the state should consider adding cybersecurity training into the requirements that some critical infrastructure professionals already go through to get credentialed, the task force wrote.
Preparations like these can help stave off threats, but attackers may still slip through, and the state must be ready with a clear incident response plan. Simply writing down a plan isn’t enough, either, and the task force promotes frequently reviewing and updating it as well as regularly training professionals on how to put it into action. Officials also must act far in advance to hammer out agreements over how emergency responders such as the state National Guard should get involved in cyber incidents. That’ll ensure these players are ready to go in a crisis and not tied up with negotiating paperwork first.
Of course, elevating an entire state’s cyber posture takes more than good ideas — it also takes resources and commitment to action. The task force noted that the state will need to designate funding and ensure organizations or personnel are held accountable for progress, if it wishes to get these proposals off the ground.
