A global problem, cybercrime now surpasses all other forms of crime in the United Kingdom, according to the National Crime Agency. Here in the United States, there is a high level of interest among law enforcement officials to detect it and mitigate it. When the National Governors Association (NGA) planned to hold its first-ever cybersecurity policy academy, the response was overwhelming.
“We had the most state applications for this project than we’ve ever had for any project I’ve been involved in,” says Jeff McLeod, NGA’s director of the Homeland Security and Public Safety Division. “That just shows you the level of interest in states around the topic.”
The policy academy on cybersecurity emanated from the NGA’s Resource Center for State Cybersecurity, established in 2012. Initially co-chaired by Michigan Governor Rick Snyder and Maryland Governor Martin O’Malley of Maryland, it is now co-chaired by Snyder and Virginia Governor Terry McCullough.
Last year, the center convened representatives from nearly every state to discuss fundamentals around cybersecurity, governance issues, incidence response and tied that back to the center’s efforts to provide guidance and tools to states so they can strengthen their cybersecurity posture, notes McLeod.
The policy academy on cybersecurity is an intensive technical systems engagement drawing in state teams through a competitive 12- to 18-month process in which states apply to participate and governors designate a core team of five to eight individuals such as chief information officers, chief security officers, governors’ homeland security advisors, public safety secretaries – “high-level folks responsible for policy and promoting the governor’s agenda,” says McLeod.
Maribel Ramos, director of the Virginia Office of Intergovernmental Affairs, adds that the goal of the cybersecurity policy academy is to ensure states are better prepared to address the risks.
The initial two-day meeting took place earlier this year in Detroit, Michigan and brought together representatives from Connecticut, Illinois, Nevada, Oregon and Louisiana.
“We brought in the five states and experts from Michigan and Virginia to talk about the strengths and weaknesses in the states and where the gaps exist,” says Ramos. “It’s ensuring that all states have some kind of cyber plan. We feel that if the leadership at the top is not pushing for this, the issue is not going to get the attention it needs.”
The second part of the program entailed helping the state teams develop recommendations to take back to their states for an in-state workshop with a broader group of stakeholders.
How’s your cyberhygiene?
The final piece is a closing policy academy meeting in which the state representatives gather to discuss progress to date and finalize strategic plans based on recommendations they identified and developed through the first meeting and the subsequent in-state workshop.
The policy academy is focused on the cybersecurity fundamentals of governance and incident response, says McLeod. “What is the state’s authority structure? What are the roles and responsibilities across state agencies? Who’s responsible for taking the lead when there’s an incident? Some states have strong incident response plans, but in fact most states do not. That’s one thing we’re working on. Governors are in the position to influence all of this.”
Risk management is another factor.
“Strengthening cybersecurity isn’t a matter of compliance – just checking the box, ‘we’ve done this, we’ve done that, we’re good to go’,” says McLeod. “It’s how you manage risk across the state enterprise. That threat is always developing and changing. How you allocate resources most effectively to protect against it is a big piece. Another big factor is cyberhygiene – how do you make sure your workforce is aware and trained for different threats?”
A combination of driving factors led to the policy academy on cybersecurity, the first being governors telling the NGA that cybersecurity is a priority for them.
“They recognize as CEOs of their states that they are responsible for the safety and security of their citizens and they’re responsible for collectively holding far more information than the federal government has,” says McLeod. “Governors know they’re going to be held accountable for when something goes down.”
The NGA recognizes cybersecurity is an evolving threat that’s not going away and wants to ensure it is helping to put states in the best position to respond in the event something happens. Since last year’s summit, at least nine states have passed executive orders and more than 20 state task forces and commissions have been established. All five states that had participated in the policy academy are considering executive orders, potential legislation, and commissions to dive deeper into various critical issues, notes McLeod.
Going forward, the NGA seeks to replicate the lessons that come out of the policy academy for all states to help them move to the next level of cyber security, says McLeod.
Incoming NGA Chairperson Governor McCullough has focused on cybersecurity as his initiative for his 2016-2017 term.
“It’s going to elevate the role of the states and give them more guidance and resources on how they can address this,” McLeod points out. “Governor McCullough’s initiative is going to focus on where cybersecurity intersects with core functions of state government: health care, critical infrastructure, energy, transportation, education.”
States have various plans, funding issues and priorities.
In Virginia, Governor McAuliffe has focused on a cybersecurity workforce and education. “The other area we’re examining is when folks are looking at their IT or getting new equipment or devices, they ensure early-on that cybersecurity is on their mind instead of it being an afterthought, which will help in the long run with funding,” she says.
It’s important to Governor McAuliffe that other governors view cybersecurity as an opportunity for economic development in their states, says Ramos.
“There are a lot of jobs in Virginia in cybersecurity and technology that we need to fill. If we don’t start looking at our K-12 and higher education system, we’re not going to have the workforce to fill those positions,” she points out.
The focus is not just on two- and four-year institutions, but also looking at credentials and short-term programs leading them to what are good-paying jobs, Ramos says.
Virginia recently became the first state to pass legislation requiring computer science in the K-12 system, says Ramos.
State and local governments are typically the entities keeping information for their citizens, so they need to ensure that information is protected and make sure all affected sectors are aware – not just traditional law enforcement, but also the National Guard, notes Ramos.
Success comes not from a silo approach, but a collaborative effort.
“When Governor McAuliffe put together his cyber commission – one of the first actions he took when he came into office – he brought together education, defense, Homeland Security, and technology to discuss the issues across the board and how they need to approach this long term,” says Ramos. “He is focusing on how this impacts the grid and critical infrastructure.”
One point of entry, for example, can be phishing through email. “It looks official. There might be one letter in the name that might be off, but nobody is looking at it too closely,” she says. Making folks more aware is important.”
A call to protect state infrastructure, through IT systems
James Wright, director of the Nevada Department of Public Safety, says when applications opened up to participate in the academy, “We immediately applied for it because this has been a high priority for us and our governor, Brian Sandoval, who also is the chairman of our Homeland Security Commission,” says Wright. “We were excited about being accepted into that program.”
Nevada’s team included the governor’s chief legal counsel, an information technology chief and information security officer for the state’s Enterprise Information Technology system, as well as the emergency manager and chief of the Nevada Department of Public Safety’s investigations division.
The risk to the state’s infrastructure is a driving factor in delving deeper into cybersecurity measures, notes Wright. “It’s a real threat out there as we see it throughout the world,” he points out. “Our concern is having our state system compromised in a way that would impact the ability for government to perform essential functions.” That not only means the state’s information technology systems, but other sectors such as water utilities.
Cybersecurity has become an emerging law enforcement concern as technology plays an ever-increasing role in daily life. “These hacker actors are very skilled at what they do and it’s a new battleground,” says ______’s Wright. “Getting our people trained to deal with this is looking for the right people with the skillset that can get into the computer and identify those things. There are so many viruses out there that can scare you on how they affect IT systems.”
The Nevada Department of Public Safety is taking a role in cybersecurity because many times the impacts on systems are criminal acts leading to criminal investigations. Wright says, “We’re taking a lead in conjunction with our state information technology folks to make sure we’re monitoring matters like real-time intelligence feeds. We are finding systems being intruded on and we want to take the basic steps to make sure that every state employee who utilizes state computers understands the risks associated with it.”
That means going back to basics on something as simple as opening up an email. Wright suggests people need to pay attention and watch for titles, names, origin, as well as what’s the message.
The Nevada Department of Public Safety requires employees to take annual refresher training in information technology security systems. The training addresses different scenarios, including telephone systems, computer systems and identification badges and what is necessary to safeguard those systems.
“We have to preach that over and over again,” says Wright. “It’s our first line of defense. From there we can go on and do other things. We’re still learning what those other things are that we could be putting in place to combat this.”
Nevada has intelligence analysts working in its fusion center who – though not sworn law enforcement – are skilled in cybersecurity matters, says Wright. An initiative in the upcoming budget session requests a cyber position to be assigned to the investigation division that oversees the fusion center.
Wright says they chose not to use a sworn person because of turnover. “You get somebody in, train them as a specialist and high performance people like that get promoted and leave. We would rather have a highly-skilled civilian analyst position. They have law enforcement investigators working all around them who would be available to follow up on leads and take investigations should they get to that point.”
The new frontier of security, enforcement
Nevada’s takeaway from the policy academy is to develop policy and governance structures as well as communication platforms for information sharing and situational awareness, complete cyber incident response plans, and enhance and complete cyber policies.
“This is an ever-evolving new era we’re in combatting this,” says Wright. “It’s high tech. Everything is very fast. We’re going to have to stay on top of this. My fear is we’ve become so dependent on information technology to control so many aspects of our life and many of them are very critical – systems in hospitals that have been compromised, utility grids being compromised. We have to up our ability to take on that challenge and deal with that.”
Mark Raymond, chief information officer for the state of Connecticut, notes the state passed a special act requiring the development of a report on the state’s cybersecurity readiness. The state has an ongoing cybersecurity task force sharing best practices and situational awareness, including both public and private entities.
“Looking at the escalating threats that cybersecurity risks bring and knowing we had the legislative report, we thought it would be a great opportunity for us to develop a statewide cybersecurity strategy that wasn’t just state government, but included municipalities and public needs,” notes Raymond.
By participating in the academy, Connecticut serves as a role model for other states that have no form of county government. Connecticut has 169 cities and towns.
There are specialized skills required for cybersecurity investigation that are different and emerging for both forensic evidence collecting and prosecuting, notes Raymond.
“Being on top of all that’s changing in the industry requires very active training, exposure to a broader array of technology, of forensic techniques and coordination with many different jurisdictions because cyber actors can be local to your state, they can be in other states, they can be in other countries and all of those responses require an active coordination amongst a variety of different law enforcement players.”
Raymond suggests other states start studying their own risk exposures and make connections between public and private and local and state level law enforcement so they know who to contact should something happen.
“I think how we as law enforcement and state government should address that and come to terms with how that is our most pressing issue,” he says. “It’s happening everywhere. I don’t think the general public or even the law enforcement community at large understands the impacts and how much money is being stolen by the cyber criminals.”
Carol Brzozowski bio