Table of Contents
- Executive Summary
- Chapter 1: Introduction
- Chapter 2: Three Approaches
- Chapter 3: Lessons for State Policymakers
- Chapter 4: Recommendations for the Federal Government
- Appendix I: Methodology
- Appendix II: Arizona and the Arizona Cyber Threat Response Alliance (ACTRA): The Community Approach
- Appendix III: New Jersey & The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC): The Bureaucratic Superstructure Approach
- Appendix IV: Washington State: The Multidisciplinary Approach
- Appendix V: Full List of Interviews
Appendix III: New Jersey & The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC): The Bureaucratic Superstructure Approach
Overview
In 2016, the responsibility for cybersecurity strategy and oversight for the executive branch of NJ State Government was transitioned from the NJ Office of Information Technology (OIT) to the NJ Office of Homeland Security and Preparedness. The Division of Cybersecurity is responsible for the strategic development and implementation of an enterprise information security program to ensure the confidentiality, integrity, and availability of the State of New Jersey Executive Branch’s information resources, systems, and services while promoting and protecting privacy. It focuses on identifying threats to state systems and assisting departments and agencies in managing risk to acceptable levels.
A component organization within the Division of Cybersecurity is the NJ Cybersecurity and Communications Integration Cell (NJCCIC), the first state-level information sharing and analysis organization of its kind in the United States. Established by Executive Order #178 (Christie – May 2015), the NJCCIC acts as the state’s one-stop shop for coordinating cybersecurity information sharing and incident reporting, performing cybersecurity threat analysis, and promoting shared and real-time situational awareness between and among the public and private sectors.
The NJCCIC was founded as an effort to integrate cybersecurity into the New Jersey State Fusion Center. It has since expanded into a multifunction organization serving as an enterprise monitoring apparatus for the executive branch (Security Engineering and Cyber Operations Branch – SECOPS), a threat analysis organization (Cyber Threat & Analysis Branch – CTIA), a center for risk management (Governance, Risk, and Compliance Bureau – GRC), and a vehicle for outreach and services (Partnerships Branch). The Partnerships Branch also hosts the Incident Response Team, which provides response services to some executive agencies but mostly triages events and refers the affected organization to a private entity, the MS-ISAC, or law enforcement for response.
New Jersey operates on a shared services model for information technology infrastructure. The state chief technology officer (CTO) leads the state Office of Information Technology (OIT), which is responsible for providing and maintaining the information technology infrastructure of the executive branch of state government, including all ancillary departments and agencies. The CTO provides vision and leadership for OIT and is responsible for coordinating and conducting all executive branch technology operations. The CTO directs the planning, implementation, and governance of enterprise information technology systems in support of the executive branch’s business objectives and operations, to improve cost-effectiveness, service quality, and mission development.
Box 6
The MS-ISAC
The Multi-State Information Sharing and Analysis Center (MS-ISAC) was formed in 2003 and, in 2010, joined the Center for Internet Security (CIS), a nonprofit entity working to “harness the power of a global IT community to safeguard private and public organizations against cyber threat.”[1] The MS-ISAC has a cooperative agreement with DHS to coordinate cybersecurity activities among SLTT governments. Originally, the MS-ISAC worked through the state CISO or other designated point of contact for all SLTT efforts, but in 2010 it opened membership to local and tribal governments and began interacting with them directly in 2011. Since that time, the MS-ISAC has grown to over 2,000 members, with representation from all states and territories, 78 of 79 state fusion centers, tribal and local governments, mass transit authorities, airports, public universities, K-12 institutions, election directors, and more.[2]
The MS-ISAC provides monitoring and incident response services, runs information sharing programs and platforms, and performs scans on SLTT infrastructure. A graphic showing the various initiatives currently offered to SLTT organizations is shown in Figure 1. In addition to services performed for its members, the MS-ISAC also passes information back and forth with DHS through the NCCIC, the ISACs and ISAOs, and the national and international CERTs (to get information to international partners).[3]
Key to the MS-ISAC’s success has been its focus on feedback and engagement. The center conducts annual surveys of its members, performs an annual self-assessment, and sends out post-incident surveys. As with any survey program, feedback is spotty, but, augmented by the MS-ISAC’s outreach program, the center’s staff has been able to make concrete improvements based on it.[4]
Successes
Monitoring
Through its SECOPS branch, NJCCIC has a robust monitoring service for New Jersey’s executive branch agencies. It provides both network and endpoint monitoring services and centralizes logs and alerts through a SIEM and log aggregation solution. Over the last two years, NJCCIC has increased the number of log sources feeding the SIEM by an order of magnitude and has been able to integrate feeds from SIEM solutions deployed at other agencies.[5] The NJCCIC will continue to add agencies to its centralized monitoring service until the Center has total network visibility across all departments and agencies of the executive branch. To cope with this increase in data, SECOPS personnel have focused a substantial amount of time on increasing efficiency, creating custom analytics, and decreasing false positives.
New Jersey has also deployed multiple Albert sensors from the MS-ISAC to cover the executive branch agencies and the election systems, which run on separate infrastructure.[6]
Information Sharing
The CTIA branch uses the information coming into SECOPS, along with reporting from NJCCIC members, liaison relationships, and open source research, to provide an intelligence and analysis function for New Jersey and its citizens. CTIA disseminates multiple products, including cyber advisories, formal intelligence products, and a weekly bulletin, in addition to publicly accessible resources hosted on the NJCCIC website. One of the most successful analysis and information sharing initiatives orchestrated by CTIA was its response to the proliferation of ransomware incidents in 2017. The analysts built out a profile for each ransomware variant discovered through the monitoring services, reported in the media, or reported directly to the NJCCIC. These profiles (of which there are now over 200) were published on the website along with recommendations for end users and IT departments. This service was also used extensively by local police departments, which serve as the first line of response to many infections in New Jersey.[7]
CTIA provides SECOPS with vetted IOCs, both those found through the monitoring services and those reported to NJCCIC from other sources. These are then distributed to partner organizations via the NJCCIC’s automated indicator sharing platform, the New Jersey Cyber Threat Intelligence eXchange (NJCTIX). Each IOC is vetted and confirmed as legitimate and actionable prior to distribution, on the understanding that quality over quantity helps to build trust with its members and liaison services.
NJCCIC has built substantial liaison relationships with federal and state agencies through a consistent focus on collaboration.[8] NJCCIC serves as a clearing house for representatives from those agencies, who can use the NJCCIC as a dissemination tool to get information out to citizens and organizations within New Jersey.[9] These liaison services also serve as a source of information for the CTIA analysts, who have built up effective processes and regular points of contact to exchange information in support of ongoing investigations.[10]
Outreach and Services
NJCCIC has over 6,200 members from approximately 3,000 organizations. Membership spans multiple industries and both the public and private sectors, and has expanded to reach 43 out of 50 states, with members in 18 countries.[11] There are also multiple trade groups and sector working groups among the membership, which help to funnel information to many smaller organizations.
The cyber liaison officers in the Partnerships Branch and the analysts from CTIA provide regular threat briefings and trainings. These events, which are free to members, provide instruction on best practices and serve as a resource, particularly for small and medium businesses (SMBs) and for municipal governments and organizations that would find it difficult to gather the kind of large-scale threat trend information that the NJCCIC has.
The NJCCIC also runs incident response tabletop exercises and simulations for executive leaders and cabinet officials on a yearly basis, and has started performing risk assessments on behalf of federal partners, leveraging federal resources. These activities have helped to raise awareness and increase preparedness across the state, particularly among the senior leadership.[12]
Efficiency
The OIT-driven shared services model was completed in 2017. This initiative moved control of infrastructure assets, and the people who managed them, out of the individual executive agencies and under the centralized control of OIT. This effort, along with NJCCIC’s statewide monitoring services, created a centralized point of contact for cybersecurity and helped set statewide standards to increase efficiency and create an effective baseline for security.[13]
Challenges
Human Capital
Like many other public sector institutions, New Jersey struggles to recruit talent. The six- to eight-month onboarding process often discourages even interested individuals from applying, or delays their arrival so long that they take a competing offer. However, the NJCCIC has been relatively successful in retaining the employees it has, due in part to a robust focus on mission and to ensuring that its employees are allowed to push the envelope, continue to innovate, and work on sophisticated programs.
NJCCIC uses a mixed model of state employees and contractors. It also regularly employs interns, who are hired as part-time contractors while in school and then converted to full-time state employees upon graduation; this program has been a robust pipeline for the NJCCIC and augments traditional recruiting methods. New Jersey is also exploring scholarship programs in order to further attract individuals who are looking to enter the workforce.
Reciprocal Information Sharing
Although NJCCIC has been able to share out information, it still has work to do in developing robust bidirectional threat intelligence sharing, especially with private sector organizations. Recent changes in the law require regulated companies in New Jersey to report cybersecurity incidents to the NJCCIC.
Governance and Cross-Bureaucratic Funding
Given the relatively recent transition of cybersecurity responsibility to the Office of Homeland Security and Preparedness, which is not rooted in any legislative mandate, executive branch departments and agencies are still adjusting to this change. Without codification in law, the recent gubernatorial changeover also adds a certain amount of uncertainty about the arrangement’s longevity. The State CISO reports to the Director of NJOHSP and serves as head of NJOHSP’s Division of Cybersecurity. The state CISO establishes and manages an information security program to ensure the confidentiality, integrity, and availability of the state of New Jersey executive branch’s information resources, systems, and services while promoting and protecting privacy and safety. The state CISO has overall responsibility for the development, implementation, and performance of the information security program by:
- Setting strategic information security planning across the executive branch of state government;
- Publishing the Statewide Information Security Manual’s policies and standards;
- Developing, managing, and executing the statewide Information Security Incident Response Plan;
- Identifying security requirements to limit the risks associated with identified executive branch business objectives as defined by the governor and the heads of state agencies;
- Developing, maintaining, and interpreting the Statewide Information Security Manual’s policies and standards;
- Providing information security subject matter expertise to state agencies;
- Drafting and implementing an information security awareness and training program to be used by all state agencies;
- Providing security metrics to track the performance of the information security program; and
- Developing an Information Security Governance, Risk, and Compliance program, including, but not limited to:
  - Coordinating and conducting compliance and risk assessments of agencies and their information assets;
  - Conducting and managing vulnerability assessments of agency networks, applications, databases, and systems;
  - Conducting penetration tests of agency networks, applications, databases, and systems; and
  - Conducting information security risk assessments of third parties with access to state of New Jersey information assets.
Since the CISO has oversight only over the executive branch of New Jersey government, there remains a gap in centralizing security over the other branches of government, as well as over municipal or independent public sector institutions such as schools and election systems. There continues to be some shadow IT in operation that is not coordinated with the OIT or the CISO.[14] Funding gaps in IT and a lengthy procurement process further challenge efforts to update legacy systems and implement new security tools.
Integrating cybersecurity with physical security also remains a challenge, with strong support from state executives but far from complete adoption or understanding among those around the state.
Dependencies
Executive Support and Buy-in from Stakeholders
New Jersey benefited extensively from executive support and sponsorship from the governor and his cabinet. The administration set expectations up front that this would be a long term, essential project that deserved attention at the executive level. Accordingly, the director for NJCCIC and the CISO were set up to report directly to the director of Homeland Security, a cabinet-level position in New Jersey.
Also essential in building a sustainable project has been the understanding that the cybersecurity initiatives and programs started under this administration, if successful, would necessarily continue well into the next governor’s administration and hopefully beyond. The acceptance and support of this long term viewpoint from the top of the administration helped to pave the way for stakeholder buy-in across the bureaucracy and with external partners.
Emphasis on Collaboration
A key factor in the success and widespread reach of the NJCCIC’s partnership program is its ethos of collaboration. The NJCCIC leadership defines the organization as a service provider, with customers and partners across multiple sectors. This consistent engagement and emphasis on empowering the mission has built successful relationships with the executive agencies, state police, FBI, DHS, and others.[15]
Funding
The NJCCIC is supported both by direct state services and grant funding, which has paid for personnel and next generation tools. Being well funded enabled the NJCCIC to focus on recruiting qualified and competitive candidates, which further helped to lend credibility to the organization’s work.
Citations
1. CIS Center for Internet Security: source
2. Duffy, T. (2018, 3 13). Vice President of Operations, MS-ISAC. (N. Cohen, Interviewer)
3. Suver, R. (2018, 3 13). MS-ISAC Representative to the NCCIC. (N. Cohen, Interviewer)
4. Duffy, T. (2018, 3 13). Vice President of Operations, MS-ISAC. (N. Cohen, Interviewer)
5. Weinstein, D. (2018, 2 9). Former Cybersecurity Advisor, State of New Jersey. (N. Cohen, Interviewer)
6. Geraghty, M. (2018, 3 1). Chief Information Security Officer, State of New Jersey & Director, NJCCIC. (N. Cohen, Interviewer)
7. Liss, J. (2018, 2 14). Former Analyst, NJCCIC. (N. Cohen, Interviewer)
8. Geraghty, M. (2018, 3 1). Chief Information Security Officer, State of New Jersey & Director, NJCCIC. (N. Cohen, Interviewer)
9. Leo, J. (2018, 3 12). Director, PwC. (N. Cohen, Interviewer)
10. Liss, J. (2018, 2 14). Former Analyst, NJCCIC. (N. Cohen, Interviewer)
11. Geraghty, M. (2018, 3 1). Chief Information Security Officer, State of New Jersey & Director, NJCCIC. (N. Cohen, Interviewer)
12. Weinstein, D. (2018, 2 9). Former Cybersecurity Advisor, State of New Jersey. (N. Cohen, Interviewer)
13. Weinstein, D. (2018, 2 9). Former Cybersecurity Advisor, State of New Jersey. (N. Cohen, Interviewer)
14. Geraghty, M. (2018, 3 1). Chief Information Security Officer, State of New Jersey & Director, NJCCIC. (N. Cohen, Interviewer)
15. Geraghty, M. (2018, 3 1). Chief Information Security Officer, State of New Jersey & Director, NJCCIC. (N. Cohen, Interviewer)