Teamwork was the prevailing theme during a webinar in which state and local government officials and industry experts hashed out the details of what’s needed for better cybersecurity.
“Cybersecurity is a team sport and you have to have everyone engaged. It can’t just be an IT issue,” Amanda Crawford, executive director of the Texas Department of Information Resources (DIR) and the state’s CIO, said during ITI’s “A Cyber Plan for State and Local Governments” event on Jan. 26. “It has to be a business issue and a leadership issue, where it comes from the top down that cybersecurity is a priority.”
She pointed to the successful mitigation of a 2019 coordinated ransomware attack that affected 23 local Texas governments. “We had prepared and had an incident response plan … that we had practiced through tabletops,” Crawford said. Additionally, the state had legislative processes in place so that Gov. Greg Abbott could declare a cybersecurity emergency and trigger help from the Texas Department of Emergency Management, the state National Guard, Texas A&M University and other organizations.
Trust is at the heart of such collaboration, added Florida CIO James Grant. “Trust is honestly at the forefront – trust that when we show up, we’re capable of doing what we say we’re going to do and that [when] we say we’re going to do it, that we actually will do it,” he said.
Partnerships with industry can also bolster cybersecurity. Crawford cited the Texas Information Sharing and Analysis Organization, a legislative mechanism that allows for threat sharing between the public and private sectors, and is free to join.
“So much of this is about timely threat sharing and then taking it seriously,” she said.
Procurement changes are also necessary for cyber advancement, Grant said. Procurement needs to be simpler so that more people can understand, identify and purchase solutions to solve problems.
“Our version of the enterprise architecture that’s about to be finalized in rules starts with really clear deliverables for all future procurements,” he said. “For things that were already in operation, we’re not going to show up and just write them out of compliance, but we are going to give [agencies] a road map to modernization…. These very clear deliverables have to be inside of every future technology procurement in excess of $195,000.”
But procurement must also align with cybersecurity frameworks like the National Institute of Standards and Technology’s Cybersecurity Framework or StateRAMP’s framework for procurement compliance, added Ben Caruso, Juniper Networks’ state and local government practice leader. “History has taught us that faster access or more cybersecurity solutions don’t always equate to more cybersecurity or more defensible architecture,” he said. “So when you think about an effective procurement strategy, it also needs alignment – alignment with the risk classification of the connected assets in the systems.”
First, however, agencies need basic cyber hygiene such as multifactor authentication. “Policymakers have to ensure that we have the resources in place and have the basics in place before we do anything else,” said Allan Wong, director of U.S. public-sector strategy and business development and head of state and local government at Tenable.
Mike Witzman, director of systems engineering for U.S. state, local and education at Cisco, highlighted the zero trust model. “It’s becoming the North Star very quickly,” he said. “That is how we secure every worker wherever they’re working, all data and applications wherever it lives, as well as all critical infrastructure.”
Filling cybersecurity staff shortages is also crucial. In Florida, Grant is using the tour-of-service model, recruiting workers out of college to get frontline experience in developing application programming interface calls, incident response and interoperability. In Texas, Crawford is studying an apprenticeship program that Indiana uses to have the private sector train, retrain and upskill workers, and an outsourcing model with competitively procured technology experts on retainer.
Ultimately, all stakeholders must be aware of not only the current landscape, but how it’s changing into the next one.
“We have to understand that the cybersecurity landscape is rapidly evolving and that we have to plan for it in advance,” said Karen Worstell, senior cybersecurity strategist at VMware. “What is the innovation that is coming? How can we invest in a solid infrastructure now that will allow us to continue to innovate it and modernize it for the full stack, all the way from infrastructure to application, without having to rip things out and try to start over again?”
Stephanie Kanowitz is a freelance writer based in northern Virginia.