Over the last year, system intrusions such as those delivering ransomware have become increasingly prevalent in the public sector. While all levels of government – federal, state, and local – are affected, local government agencies are often the hardest hit due to a lack of staffing and resources for robust cyber defenses. To strengthen their cyber defenses, state and local governments can benefit from collaboration, and “whole-of-state security” may be the key.
Several states have sought to counter the increasing number of attacks on municipalities with a whole-of-state approach to cybersecurity. This emerging framework focuses on communication among state and local governments to understand risks and share information, so that they can respond to cyber incidents effectively. By sharing resources, all levels of government, from state legislatures to local councils, can improve their defenses individually and collectively. This collaborative relationship allows state IT leaders to deliver high-impact tools, such as endpoint protection and cybersecurity awareness training, to local jurisdictions. It can also include the formation of a joint cyber task force, featuring representatives from state, county, and city governments, who collaborate to establish security protocols and resolve cyber incidents.
One notable benefit of whole-of-state security is the reduced duplication of data and effort. Minimizing redundancies helps to keep costs low and allows for more efficient allocation of resources, but it also has direct security benefits. A resident of Raleigh, North Carolina, for example, is a resident of the city of Raleigh, Wake County, and the state of North Carolina. If each of these jurisdictions records that resident’s data individually, there are three sets of information that could each be compromised in a cyberattack. Under whole-of-state security, the city, county, and state can share access to a single record, drastically reducing the data that requires protection.
Like any new security approach, implementing whole-of-state security requires a cultural shift. To encourage cross-jurisdictional collaboration, a transition from data collection to validation is necessary. In a recent webinar, James Weaver, Secretary & State CIO, North Carolina Department of Information Technology, presented the analogy of a bar checking IDs. “If a 21-year-old person walks into a bar, do they need to show their driver’s license [with their full name,] date of birth, and[…]address?” he explained. “Or does the bar actually just need to know that this person is 21?” The purpose of showing a license at a bar isn’t for the bar to collect its patrons’ birth dates, but to verify their ages. Similarly, many processes that currently involve the collection of personally identifiable information could be reimagined as validation processes that cross-reference existing records.
The move to whole-of-state security can’t happen overnight, and states looking to enact it will face various obstacles throughout the process. In addition to the major cultural shift inherent to any system overhaul, states may find themselves facing pushback from local government. “We are seeing misconceptions where people think that this is a ‘Big Brother’ trying to reach in and take over,” said Vinod Brahmapuram, Senior Director, Security at Lumen Technologies, in the same talk. “That’s not really what it is; this is about putting together a team.”
Even once the idea has buy-in from all levels of government, the design of the security protocols has to account for varying maturity levels. While larger, more affluent counties and cities have likely begun developing a more sophisticated cybersecurity posture, less populous towns and counties may have been unable to dedicate resources to building a security strategy. True cohesion requires a relatively equal playing field, but the question of how to bring those less developed regions up to baseline without holding the more mature programs back is a difficult one.
States with established whole-of-state security protocols will, inevitably, face challenges. One identified by Weaver was knowing when and how the state’s cyber task force should disengage after resolving an incident. “Our joint cyber task force is not there to run day-to-day operations; it’s there to resolve the incident, contain it, eradicate it, and say, ‘here are things you should do in the future,’” he said. “And very quickly, an entity starts saying, ‘hey, could you do this for us? Could you do that for us?’ and we have to bring those folks back onto the bench because cyber doesn’t go away.” This issue can be solved with support from the state level beyond an initial assessment. Outlining a transition timeline for disengagement and supporting entities through that transition with avenues for training and guidance ensure that all parties agree on the task force’s purpose and purview.
While challenges can arise from myriad sources when building and strengthening cross-government relationships, many of them can be resolved with frequent and open communication. Continuous state-level support of smaller agencies is one part, but it is equally important to ensure that all levels of government are included in the conversation. This is especially important to address issues created by less mature cybersecurity programs, which are likely to have questions and require more initial guidance. It also helps to avoid “Big Brother” implications, as it means there isn’t an “outsider” handing down rulings. Instead, decisions are collaborative, and government agencies have a part in shaping the protocols that will affect them. Brahmapuram and Weaver also recommended creating a forum for sharing best practices as a part of these discussions so that participants can continue to learn from each other, even as the collaborative program develops.
In an increasingly connected world, malicious actors have more opportunities to interrupt daily operations to steal critical information or derive financial profit. “The bad actors are very unified[…]if we don’t [come together], it is almost like trying to go to a gunfight with a stick,” said Brahmapuram. Collaborating gives agencies at every level of state and local government more tools with which to bolster their cyber defenses and protect their residents.