Recommendations
As described above, the federal, state and local partnerships, both public and private, are relatively recent, with most conceptualized and formed within the past five years. These nascent partnerships are raising the overall security of the ecosystem, but they are only a start. Relationships take time to mature and to build trust, and must be ingrained through institutionalized and repeated interactions to stand the test of time and workforce turnover.
Recommendations for City Officials
Practice, Practice, Practice
No amount of repetition would be excessive to hammer home the point that exercises are key to maximizing efficiency and effectiveness of incident response capability and resources. Whether self-moderated or in partnership with industry, state, or federal resources, cities should exercise different types of cyber incident scenarios regularly and include different stakeholders. While exercises are often seen merely as a mechanism to assess or evaluate existing training or capabilities, it is important to recognize that they’re increasingly viewed more broadly as a way to teach, learn, and develop organizational experience, and a mechanism to expose growing or new workforces to challenges they’re likely to face eventually.
Exercising an incident is of vital importance for all related organizations, but for cities, where the cybersecurity governance models are still maturing, personnel turnover is often frequent, and partner activities are constantly evolving, it is essential to do so frequently. This activity strengthens resiliency across multiple fronts. First, it increases awareness of the threat and possible impact of a cyber attack to the stakeholders who control key resources and may need to take a management position in the case of a serious incident. Second, it introduces the key players to each other and ensures that the rolodex of key personnel and institutions is built up before an incident, not during or after. And third, it can uncover issues in procedure, policy, law, personnel, and technology that may hamper the response to an actual incident.[1]
This mindset should be expanded further to a more strategic level. The John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 Section 1649 points to the need to create a system of campaign planning at the local level to assess readiness and plan for various scenarios.[2] Section 1649 is a pilot program only, and limited to defense critical infrastructure, but an expansion of such an initiative aimed at local governments and the critical infrastructure in those areas could help create the kind of federal system of cybersecurity resiliency planning that is needed.
One of the key legal issues referenced above is contract negotiation. Agreements with forensics and incident response firms are best handled ahead of time if at all possible, whether or not these contracts are set on retainer.[3] Because of the nature of government contracting, retainer contracts can be difficult to implement as they involve an allocation of committed funds prior to any specific case, but they are beneficial in that they come with guaranteed quick response times. If there is no incident, the money can be used for additional services. Even without a retainer contract, negotiating terms in advance can decrease rates, smooth the approval process with insurance companies, and ensure that the contractors are familiar with the city’s systems and environment before an incident occurs.[4]
This process should be no different with government/nonprofit IR teams. In fact, arranging advance memoranda of understanding (MOUs) between DHS’ NCCIC and city governments would help decrease response time and foster a relationship between the two organizations. This process should be part of an organized outreach program, as described below.
Think Differently, Think Regionally
Cross-city and cross-state partnerships have a huge upside that has been barely acknowledged and not widely put into practice to date. Some National Guard Cyber Protection Teams (CPTs) are created through partnerships between states: guardsmen from Michigan, Indiana, and Ohio form one CPT; members from New York and New Jersey, another.[5] Not only do these units get to pull talent from multiple areas, but they are also able to serve critical infrastructure that spans multiple states more easily. Regional ISAOs, such as those described earlier, knit cities and their partners together to share information.
Taking a regional approach in new and innovative ways could provide services at scale and lower the barrier to entry for local governments forming a sophisticated cybersecurity program. Some examples of region-based strategies could include:
- Signing MOUs between cities, between cities and states, or between states to provide incident response services.
- Expanding the use of regional ISAOs to facilitate the dissemination of information to SLTT organizations and their partners.
- Hiring a joint CISO who could oversee information security at multiple local governments.
- Creating a joint security operations center that could monitor the systems in multiple jurisdictions. Vermont and Maine have already started down this path, but we have yet to see it manifest for other groups of cities or local governments.
- Joining together to create a shared services platform used by multiple cities to provide similar services.
- Leveraging regional human resources, from educational institutions that develop such human capital to regional talent pools in neighboring or nearby cities.
Governance Reform
There is an inherent conflict of interest with a CISO reporting directly to a CIO, yet that configuration, traditional but less and less common in the private sector, is the norm in most SLTT governments (and, in fact, at the federal level as well). A 2014 PwC survey illustrates this point using key incident response statistics. The survey found that organizations where the CISO reported directly to the CIO experienced 14 percent more downtime due to security issues and over 40 percent more financial loss from cyber incidents.[6] While this finding was sourced from private companies’ data, these lessons are applicable to any institution.
While some CIOs are particularly security minded and can adequately manage the tradeoffs between modernization, speed of deployment, and security, the speed at which personnel change within government makes a less institutionalized approach (where the CISO must depend on the individual CIO’s proclivity towards security) even more suspect. Additionally, placing the CISO under the CIO necessarily implies that security is an IT risk—not a whole company or agency risk. Indeed, a 2018 report by the Financial Services Information Sharing and Analysis Center (FS-ISAC) recommended that CISOs report directly to the CEO for purposes of executive visibility.[7]
Such reorganization within public sector institutions may not be as easily executed as a private sector corporate reshuffle; cities and states may in some cases have to work with what they have. The state of New Jersey and New York City have both seen quantifiable benefits from having an independent CISO position that reports outside of the IT line.[8] In other cities, such as San Diego, the CISO still reports to the CIO, but also reports directly to the mayor and other city executives multiple times per year.[9]
For smaller cities, the ability to employ a qualified CISO may be a luxury, no matter where he or she sits within the government. Smaller cities should, as mentioned above, consider using new tactics to share CISOs with other cities or surrounding areas, or contract for a CISO-as-a-Service to get part-time assistance. Whatever the construct, security must remain a priority for all SLTT entities, with high-level visibility.
Additionally, if they have not already done so, cities should consider moving towards a shared services/consolidated IT management system. Consolidating IT systems under one agency and through shared infrastructure can improve security in several ways:[10]
- Personnel improvements: centralizing security and risk management functions allows the participating government agencies to share the cost of security rather than duplicating it, meaning that the city could hire more specialists who could cover multiple agencies.
- Budgetary efficiency: shared purchasing across government functions reduces cost by consolidating vendors and allowing for bulk purchase agreements at scale. It also encourages greater capital investment in security and infrastructure when allocated as a whole government entity rather than through individual agency investments.
- Repeatable practices: a shared security model fosters a set and repeatable risk management process across government agencies.
Recommendations for Federal and State Policymakers
Codify, Exercise, and Institutionalize Federal Resources with Authorities to Support SLTT Organizations
To make incident response more efficient and effective, whether for large or small incidents, the United States should prioritize deconflicting efforts, authorities, and responsibilities across the various agencies. The existing incident reporting guidance lists several points of contact that depend on the nature of the incident, which may or may not be known until well after the event. Furthermore, in many cases, verbal guidance provided to SLTT representatives from various federal agencies on how to report an incident has been conflicting.
Although there is high-level guidance through PPD 41, as described above, concept of operations (CONOP)[11]-level planning and exercising needs to be done and codified into plans, policies, and procedures.
Federal policymakers, lawyers, and lawmakers need to further define the authorities and allocation of resources to and between various federal agencies.[12] There are notable efforts currently underway at the National Guard Bureau and U.S. Coast Guard Headquarters to better delineate these roles—positive prospects that will add to the toolkit for federal and SLTT incident responders. Mapping out the capabilities of the National Guard CPTs in various states, such as the team in Missouri with deep forensics qualifications or the teams in Washington with experience on industrial control systems, would support a deeper level of planning and further cooperation between the various states, which could then form mutually beneficial peer partnerships based on complementary skill sets.
Reform Federal Funding for Cybersecurity
The current programmatic framework for providing federal funds for cybersecurity assistance to SLTT governments is challenged by red tape, confusion, and competition with other homeland security-related threats. This program should be reformed to allow for and direct funding towards efforts in both cybersecurity resilience and response.
The majority of funds provided to SLTT entities for cybersecurity emanates from FEMA’s Homeland Security Grant Program (HSGP), which itself has three programs:
- State Homeland Security Program (SHSP)
- Urban Area Security Initiative (UASI)
- Operation Stonegarden (OPSG)
The 2018 Notice of Funding Opportunity (NOFO) was notable in that, although these funds have been eligible for use for cybersecurity purposes for some time, FEMA required both SHSP and UASI recipients to include an investment justification focused on cybersecurity projects.[13] FEMA also included state and urban area chief information officers and chief information security officers in the list of mandated representatives for the senior advisory committee (SAC) that builds the grant proposals for each eligible area.
These efforts will hopefully address the gap between the grant money spent by states and urban areas on cybersecurity and their perceived gaps, the areas that municipalities themselves identify as areas of need. Although the HSGP purports to be focused on national preparedness writ large, and while it funds disaster planning efforts, it ties cybersecurity needs directly to counterterrorism threats:[14]
“Recipients must limit the use of SHSP and UASI funds for projects that support the security and functioning of critical infrastructure and core capabilities as they relate to terrorism preparedness, and may simultaneously support enhanced preparedness for other hazards unrelated to acts of terrorism.”
By having the bulk of the available federal funds for cybersecurity come out of the HSGP, the federal government is, in essence, forcing the cybersecurity mission to “compete” with the counterterrorism mission in a process in which all spending must have a counterterrorism nexus. That is, not only is cyber forced to compete with terrorism as a problem set, it’s forced to do so in a process and program that is explicitly designed to focus on the latter, rather than the former.
Given the relative threat from terrorist groups vs. nation states and criminal groups in cyberspace, this seems to be a strange focus for grant money. Reportedly, FEMA does not require a direct linkage between threat and proposal[15] (the idea that a terrorist might possibly be behind the keyboard for any attack is enough); that then raises the question as to why the language is included at all, especially given that it might discourage proposals for arenas in which state and local governments should be taking a more active role, such as workforce development, that are not tied to attack prevention or preparedness.
In the short term, FEMA should give clearer guidance and examples about which kinds of initiatives are eligible for HSGP grant money. A more transparent process would help states and local governments formulate proposals likely to receive money, and could also feed into a gap analysis assessment for the federal government between the initiatives they would like to see SLTTs take on, and the funds they are currently providing.
In the long term, FEMA and DHS should consider distinct grants for cybersecurity that can be used to target specific priorities, threats, and needs. This is not the first time this idea has been proposed; it was floated in 2017 in the State Cyber Resiliency Act, a bill co-sponsored by Reps. Derek Kilmer (D-Wash.) and Barbara Comstock (R-Va.) along with Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.). The need has not changed, though the threat to SLTT governments has become more public since 2017.[16]
The programs and resources available for each state and local government are different; too-prescriptive guidance can create a backlog of under-allocated funds and missed opportunities. Conversely, targeted grant money and associated analysis year-over-year could help feed both national and local priorities and enable the federal government to work with and through the states, instead of around them. Such a grant program would also give states a clear roadmap for federal funds, and enable the cybersecurity experts to guide the grant process, rather than being a minor part of a larger grant proposal that competes with other, more easily quantifiable asks (such as fire trucks).
The topic of reforming federal funding for cybersecurity deserves a full-length paper of its own. This is a complex issue with many moving parts and myriad stakeholders. We hope that this paper will inform that debate as the discussion moves forward in and outside of the federal government.
Structure and Prioritize Federal and State Outreach Efforts
The structure and management of federal outreach efforts for SLTT governments is another subject that deserves further discussion. While we have touched on the topic herein, our focus has been city-oriented, and as a result, omitted issues relating to counties, tribes, and territories that also merit consideration. A key point bears mentioning: there should be a strategic approach to interacting with these organizations, from outreach, to service provision, to forming ongoing relationships. DHS has a prominent role in these activities, but outreach must be spread across several federal government agencies serving these communities, and will remain a shared responsibility.
State programs have been maturing over the last several years, and as described above, many are starting to think about working with local governments in a variety of ways. These programs could provide needed services, whether direct or in an advisory capacity, to local governments, but they need to be properly resourced both in terms of outreach (to make sure local governments are aware of them in the first place) and execution.
Citations
1. "Exercises." Ready.Gov.
2. 115th Congress. "John S. McCain National Defense Authorization Act for Fiscal Year 2019, H.R. 5515." 2018.
3. "CDOT Cyber Incident After Action Report." State of Colorado. July 17, 2018.
4. Crummey, Chris, Executive Director, IBM Security. Telephone interview by author. September 28, 2018; Kirtley, Tony, Incident Commander, Secureworks. Telephone interview by author. August 23, 2018.
5. Lacdan, Joe. "Newly Activated Guard Unit to Bolster Army Cyber Forces." US Army News. August 18, 2017; Major, Derek. "National Guard Expands Cyber Protection Teams." GCN. December 14, 2015.
6. CIO Staff and CSO Staff. "Eight Reasons the CISO Should Report to the CEO and Not the CIO." CIO. January 06, 2017.
7. Truta, Filip. "CISOs Should Report Directly to the CEO, Study Shows." Bitdefender. February 16, 2018.
8. Ahern, Colin, Deputy CISO, City of New York, and Ben Woolsey, Manager, Mandiant. Interview by author. September 20, 2018; Cohen, Natasha, and Brian Nussbaum. "Cybersecurity for the States: Lessons from Across America." New America. May 31, 2018.
9. Bennett, Daniel, CISO, City of San Diego. Telephone interview by author. April 20, 2018.
10. Leatherby, Drew. "Issue Brief: IT Consolidation and Shared Services: States Seeking Economies of Scale." NASCIO. March 2006.
11. CONOP stands for concept of operations, which describes how an action will be carried out using available resources.
12. "DOD Needs to Identify National Guard's Cyber Capabilities and Address Challenges in Its Exercises." Government Accountability Office. September 2016.
13. "Fiscal Year 2018 Homeland Security Grant Program (HSGP) Key Changes." FEMA. May 21, 2018.
14. "Fiscal Year 2018 Homeland Security Grant Program (HSGP) Key Changes." FEMA. May 21, 2018.
15. Schweitzer, Robert, Senior Advisor, Resilience, FEMA. Telephone interview by author. September 27, 2018.
16. "Representatives Kilmer & Comstock along with Senators Warner & Gardner Introduce Bipartisan Legislation to Help State, Local, and Tribal Governments Counter Cyber-Attacks." Representative Derek Kilmer. March 02, 2017.