Virginia builds cyber foundation for government, business
By Matt Leonard
Oct 19, 2016
When Virginia Gov. Terry McAuliffe took the chair of the National Governors Association, he chose to focus his tenure on cybersecurity, an area where his state has some expertise.
Just one month after his inauguration in 2014, McAuliffe signed Executive Order 8, which launched the “Cyber Virginia” initiative and the Virginia Cyber Security Commission with the goal of building the cybersecurity infrastructure and economy in the state. Today, McAuliffe and others who were involved with the initiative can point to progress by way of new statutes, scholarships and research supporting cybersecurity.
Speaking at an NGA conference in Boston earlier this month, McAuliffe said the reason for Virginia’s focus on cybersecurity is simple: The number of industry and government organizations located in the state makes security paramount.
“We’re in a unique position,” he said of Virginia. “We have the largest naval base in the world, 27 military installations, CIA, Quantico, Langley, Oceana. So in addition to the state assets, we have a tremendous burden because of all of the military, defense and intelligence.”
The state can’t afford to have weak security with the amount of sensitive information it handles from public and private sector organizations, McAuliffe told GCN: Agencies and businesses located in Virginia want to know that the state is doing everything it can to secure their data and systems. “We can’t be a weak link,” he said.
He told the conference that his initiative as NGA chair isn’t entirely unselfish, either. A state with weak cybersecurity can provide a backdoor to a more secure state if the two share a healthcare provider or other asset, he said. So the goal, he said, is to increase cybersecurity in all states.
Virginia has worked to address cybersecurity in five areas: support security-based economic development, improve the cyberinfrastructure, reduce cybercrime, expand cybersecurity education and increase public awareness, according to Bob Day, who was the Virginia Cyber Security Commission executive director until the commission ended its work last year. Both Day and McAuliffe agreed that cyber education is fundamental to building a secure nation.
“One of the big problems in cyber is finding qualified people,” Day said. “It’s a chicken and egg thing.” Without a pipeline of cybersecurity workers, the Commonwealth will be unable to protect its own computer networks or the state’s critical infrastructure.
To address the workforce shortage, Virginia has increased the number of schools that offer federal cybersecurity programs, set up a cloud-based cyber range for schools that can’t afford to build their own and created scholarships for college students who agree to work for the commonwealth after graduation.
Virginia Secretary of Technology Karen Jackson said metrics back up the investment in education. “Northern Virginia [Community College] has more than doubled its enrollment over the last year” in related cyber fields, Jackson told GCN.
A tech-savvy workforce is also key to the economic development McAuliffe says could come from cyber. That’s why colleges in Southwest Virginia, which has been hit hard by the decline in coal, are interested in cybersecurity’s potential to help their local economy. Programs at University of Virginia College at Wise and New School Institute can help fill the 33,000 cybersecurity job openings in the Washington, D.C., Maryland and Virginia region, he said.
The potential for cybersecurity-based economic development will be the best way for state CIOs and CISOs across the country to convince their legislatures and governors to invest in cyber, McAuliffe said -- adding that Virginia’s General Assembly was on board from the beginning.
This legislative support resulted in many changes to state laws in the two years the commission has been at work, Day said. Agency heads are now responsible for their agency’s data security, computer crimes carry stiffer penalties and law enforcement can more easily access internet data.
But if an executive branch is struggling with getting the legislature on board, McAuliffe said governors should consider executive orders. “I would suggest all states do that,” he said. “You know, I can’t get everything done legislatively.”
Although Virginia has leveraged its technology ecosystem to raise its cybersecurity profile, it’s not the only state in good shape, Day said. “But there are plenty of other states that have a long way to go and will directly benefit” from the groundwork Virginia has laid.
Matt Leonard is a former reporter for GCN.