Appendix IV: Washington State: The Multidisciplinary Approach

Overview

Numerous observers have commented on the strength, or perceived strength, of Washington State’s cybersecurity efforts. The Hewlett Foundation noted that Washington is “…considered by many to be a leader in advancing cyber policy for prevention, incident response and technology.”1 The Pell Center at Salve Regina says that Washington has “…been at the forefront of cybersecurity protection and preparedness.”2 These are among many outside commentators who have noted the interesting decisions that Washington has made.

A few key points characterize Washington’s approach. The first is a multi-disciplinary approach that combines expertise and focus around cybersecurity in both information technology (where cyber vulnerabilities appear) and emergency management and risk management (where consequence management is often conducted). Second, Washington has taken numerous steps organizationally that are seen as forward-leaning—from early adoption of the National Guard as a tool for cybersecurity, to a large-scale reorganization of its technology agency to focus on security in addition to traditional operational imperatives. Third is the relative maturity of its capabilities and structures. While some structures, like the cyber planner position of the Emergency Management Division, are small and not heavily resourced, they exist structurally and have already begun to build strong relationships and processes.

While the idea that cybersecurity is everyone’s problem, not just an IT problem, has become widespread in the world of security, the same cannot necessarily be said for the more structured and routinized world of state government bureaucracies. The structure of Washington’s cybersecurity efforts shows that the state has, in fact, recognized this issue. Washington’s early cybersecurity efforts were not focused around a center of gravity in the Office of the Chief Information Officer (CIO), but rather initially in their emergency management office (the state Emergency Management Division (EMD), a part of the Washington State Military Department, Washington’s office of National Guard).

Starting in 2012, efforts to address cybersecurity were largely based in the state Emergency Management Division, and have since included the hiring of a cybersecurity manager and the creation of a Cyber Emergency Response Annex (“the Washington Significant Cyber Security Incident Annex” or WSCIA) to supplement the state’s existing Comprehensive Emergency Management Plan or CEMP.3

Subsequent efforts have focused more on the IT and IT security components of cybersecurity, as opposed to the management components focused at EMD within the Washington State Military Department. In 2015, the state legislature approved the creation of an Office of Cybersecurity headed by the state chief information security officer (CISO) who would report to the CIO.4 Subsequent efforts also added a chief privacy officer who also reports to the state chief information officer and expanded efforts to provide centralized IT services through Washington Technology Solutions, known as WaTech, which is led by a director co-hatted as the CIO.5 The following year, 2016, the governor of Washington signed an executive order creating a new Office of Privacy and Data Protection within the Office of Cybersecurity, an office that intends to improve information sharing about standards, best practices and other training for both state agencies and the general public.6

Successes

Protection of Critical Infrastructure

Washington has done a number of things that are seen as forward leaning. Perhaps at the top of the list is its early adoption of its National Guard assets for cybersecurity purposes. Through extensive work from lawyers on all sides, and with the support of the governor’s legal advisers,7 the state has managed to create legal processes to enable National Guard teams to engage state agencies and critical infrastructure partners. While early versions often took almost a year to sort out, the fact that these processes now exist and are understood more widely serves as a starting point for the possibility of growing such cooperative efforts.

With the introduction of the Office of Cybersecurity, which is exclusively focused on the defense of state networks, the National Guard has been able to focus on its private sector partners.8 The Washington National Guard now conducts an average of two penetration tests per year on critical infrastructure partners’ systems. Its efforts going forward are to “train the experts”; while penetration tests are useful, there are multiple sources for such expertise. Given the Washington Guard’s extensive experience with SCADA systems and with the assumption that a persistent attacker will likely be able to penetrate these systems over time, program leadership is turning to conducting hunt operations and providing instruction on how to do the same to critical infrastructure operators.9 The state has also been able to sponsor clearances for critical infrastructure operators so that they can receive classified briefings.10

These engagements serve three functions: First, they increase the defensive posture of critical infrastructure; second, they enable Guard units to gain experience on real, operating systems; and third, they provide critical touchpoints between the National Guard and their critical infrastructure partners before an incident occurs. By testing these systems, the Guard units also become familiar with networks and tools they may one day need to defend and build critical relationships that can support incident response efforts.

Well-Exercised Capability

While many states have cyber units or plans, there is always some delta between the capabilities that exist in theory, and those that are actually deployable in the case of an incident. Washington State has embraced the fact that the only way to understand the gap between expectation and reality is to test those capabilities, relationships, and people. As such, the state engages in at least four cyber exercises annually.11 These exercises are, importantly, designed to test various components and elements of the state cyber response. One is typically a cabinet level executive exercise, to enable better understanding of cross-disciplinary and agency interaction at the leadership level of the state. A second annual cyber exercise typically focuses on partnership with a county in the state and related infrastructure partners. As counties in Washington vary hugely in their cyber sophistication12—from very high-end capabilities in some counties home to high-tech giants, to less well funded and staffed counties—this set of exercises is designed to highlight and nurture relationships with local partners. Another is typically an internal state focused exercise, designed to illuminate processes and relationships below the state executive level, testing more operational and tactical incident response capabilities. Finally, there is typically at least one exercise that is designed as a prelude to a large regional or national exercise like Cyber Shield, enabling the state to assess regional and national level connections, as well as state level processes. This mix of exercises—a mix of scale, scope, focus—and their consistent annual nature leaves Washington very well exercised in the cyber arena.

These exercises are guided by the cybersecurity annex to the state’s Comprehensive Emergency Management Plan (CEMP).13 Updated regularly based on exercise results, organizational changes, or alterations in the threat landscape, the annex provides a framework for response to a cyber incident and details responsibilities across the state.

Incident Response and Monitoring

Washington has a robust incident response system within the Office of Cybersecurity. The statewide Security Operations Center provides external monitoring services, and the Cyber Incident Response team provides incident response services to agencies within the executive branch and can also provide assistance to local governments or other branches of government upon request.14

Part of Washington’s incident response protocol is to activate the Cyber Unified Coordination Group (UCG), which includes personnel from government agencies at the local, state and federal levels, as well as the private sector and academia, that can assist in response by “…providing additional resources, authorities, and information.”15 Although this group has never been activated in response to an actual incident, the group is brought together during the annual exercises so that its usage is well understood and members can build the relationships that will help facilitate response in the case of an emergency.

Centralization and Management of Statewide IT Resources

Washington’s cybersecurity strategy includes substantial investment in centralizing the security program through the Office of Cybersecurity and providing common resources through WaTech. Doing so enables the state CISO, Agnes Kirk, to set state-wide policies and standards and provides resources for operators in the various agencies beyond what they would be able to purchase or do for themselves. Particularly successful has been a program to institute centralized review of changes and configurations to improve compliance, security, and visibility across the enterprise for the network providers.16

Partnerships

Partnerships are key to the Washington model, across disciplines, across sectors, and across geographic boundaries. Perhaps the most pronounced partnerships—and the area in which many other states are still struggling—are the cross-sector ones. The private sector is deeply involved in Washington’s cyber efforts. Perhaps most importantly, the Cyber Incident Response Coalition and Analysis Sharing (CIRCAS) enables information sharing among trusted partners in government, academia, and the private sector. This group, which is similar in construct to an informal ISAO, has both public and private co-chairs, and wide involvement from private sector partners.17 While currently relatively informal, there have been discussions of using more formal tools—like non-disclosure agreements—to structure CIRCAS, and there is a partnership with the University of Washington to develop a secure technical portal for information sharing (as opposed to sharing by phone and email).18

Challenges

Authorities

Like many states, Washington has different agencies that are tasked with different components of cybersecurity and have differing legal authorities for responding to them.19 In Washington, WaTech is legally responsible for protecting state networks, the Washington State Patrol is legally responsible for statewide law enforcement, and the adjutant general is legally responsible for emergency management and for most homeland security roles in the state. While each of these roles, and the legal authorities that underpin them, make sense, these roles are not as integrated as they could be. Certain episodes, like the WannaCry ransomware explosion, have pointed out the limitations of not having a single state cyber point-of-contact or information hub.20 Although there has been a memorandum of agreement drafted to delineate responsibilities between the EMD and WaTech, it has yet to be signed.21

This bureaucratic challenge is common in many states, and results from the vulnerabilities and consequences of cybersecurity being spread across many domains and the perception that cybersecurity programs might bring in resources. The reality, however, is that such programs often come with few additional resources that then must be spread out between the different agencies, complicating matters further.

Communications

Related to the conflict over authorities, the lack of a single voice on cybersecurity has created challenges for the State in disseminating and gathering information. Because there are many voices at the State level, federal and private sector partners alike sometimes do not know where to go for information; likewise, State organizations wishing to send information out to their private sector partners must work through a myriad of partners themselves.

Desire for Broader Access to Federal Resources

While Washington has a good relationship with many federal partners, the state also recognizes that it would benefit from further federal support in the cyber realm. In particular, Washington State leaders have been vocal in their support for a centralized and specifically targeted grant program for cybersecurity efforts and the pending legislation (H.R. 3712) to create Cyber Civil Support Teams (CSTs). These “Cyber CSTs” would be comprised of National Guard soldiers and airmen under the authority of the Governor but with direct connection to the Department of Homeland Security (USCERT) and the Department of Defense.22

Washington’s leadership has also advocated for an expansion of Computer Emergency Response Teams (CERTs) to deploy one to every FEMA region and an increase in the number of Cybersecurity Advisors (CSAs)23, currently deployed regionally.24 Although Washington has regular contact with the Protective Security Advisors (PSAs) and CSAs in the region, such an increase in both programs would enable more interaction and better localized planning coordinated nationally.

Competition for Talent

Although most states struggle to compete with the private sector for cybersecurity talent, Washington’s competition is particularly steep given the number of large technology and defense industrial base companies operating in the area. Providing access to training, a wide variety of opportunities across the enterprise, and a clear mission goes a long way, but as Washington’s CISO remarked, “there is a clear need to develop new on ramps for people wanting to enter the space.”25 To further this goal, the Office of Cybersecurity is partnering with the National Security Agency (NSA) and DHS Centers of Academic Excellence for Cybersecurity in the state, NIST, and private companies.

Dependencies

Support of State Leadership

Governor Inslee, who was first elected in 2013, defines the Washington State approach to cybersecurity as “Community Cybersecurity.”26 Specifically, the governor identifies five pillars:

  • Regional collaboration between public, private and tribal partners
  • Resilience of networked systems for public safety and commerce
  • Promoting research, analysis, and sharing of cybersecurity information and best practices across private, public and tribal sectors
  • Unity of effort for the protection of critical infrastructure, and,
  • Dedication to workforce development to strengthen our economy and enhance our cybersecurity posture.

Leadership across Washington’s cybersecurity programs points to the support of the Washington State Governor and his office, particularly in tackling legal hurdles and dedicating time and resources to exercises and events, as key to the progress made in multiple areas.27

Outreach

Despite the fact that many areas of government in Washington have clearly put a level of prioritization on cybersecurity issues, it is not surprising that the function is still not as well-resourced as some might hope for. Few resources are harder to come by in state government than additional personnel, and so many agencies are forced to try and do as much as is possible with limited numbers of people. In this regard, Washington deserves much credit. By leveraging outreach—the connecting of government agency efforts with those of organizations and institutions outside of government—the state has been able to have impacts outsized to the personnel devoted to the issue. For example, despite there being a single cyber coordinator at the EMD within the Washington State Military Department, he has been able to connect the EMD with many public and private sector partners across numerous activities28—exercises, information sharing partnerships, planning efforts—as well as to help facilitate these partners’ access to federal resources through the DHS PSAs and the regional DHS CSA.29 This outreach and good will is a testament to the kind of good work state government employees can do; however, the limited staffing and time-intensive nature of the relationship building components of this work suggest that there could be a certain fragility in depending on it being done by just one or two people.

Access to IT Talent and Infrastructure

Washington State’s unique workforce provides it with a distinct advantage: access to wide-ranging IT and cyber talent. The state—and its cyber efforts—have benefited from the broad availability of IT expertise in several ways. First, it provides skilled cyber operators and analysts, both for state agencies and for the National Guard. The National Guard has been able to build on this base of skills to create teams with deep expertise in ICS and SCADA systems.30 Second, close contact with members of the private sector that serve as the foundation for IT infrastructure enables collaboration in the case of an incident. This expertise permeates into the local level as well in areas of high tech density, such as Pierce County.31 Third, partnerships with universities, buoyed by their private sector partnerships, have increased access to the IT and cyber talent pipeline for the public sector as well.

The Triple Hat

The Revised Code of Washington, RCW 38-52, gives the adjutant general the task of comprehensive emergency management: to mitigate, prepare for, respond to, and recover from emergencies and disasters caused by all hazards, whether natural, technological, or human caused.32 In Washington, the adjutant general serves as a “Super TAG” who is triple hatted with duties also as the head of the State Emergency Management Division and the State Homeland Security Advisor. Because the TAG has direct reports in all of these areas, he is able to coordinate resources between them all, helping to reduce some bureaucratic friction.

Citations
  1. RTI. (2017). Understanding Demand for Cyber Policy Resources. Hewlett Foundation’s Cyber Initiative
  2. Spidalieri, F. (2015). State of the States on Cybersecurity. Newport, RI: Pell Center.
  3. Spidalieri, F. (2018, 3 7). Senior Fellow, Pell Center. (N. Cohen, Interviewer)
  4. Earls, A. R. (2017, 10). Agnes Kirk on the role of CISO, Washington’s state of mind. Retrieved from TechTarget: source; Kirk, A. (2018, 3 30). Chief Information Security Officer, State of Washington. (N. Cohen, & B. Nussbaum, Interviewers)
  5. RTI. (2017). Understanding Demand for Cyber Policy Resources. Hewlett Foundation’s Cyber Initiative. P58
  6. RTI. (2017). Understanding Demand for Cyber Policy Resources. Hewlett Foundation’s Cyber Initiative. P58
  7. Daugherty, B. (2018, 3 9). The Adjutant General, Washington State National Guard. (N. Cohen, & B. Nussbaum, Interviewers)
  8. Daugherty, B. (2018, 3 9). The Adjutant General, Washington State National Guard. (N. Cohen, & B. Nussbaum, Interviewers)
  9. Daugherty, B. (2018, 3 9). The Adjutant General, Washington State National Guard. (N. Cohen, & B. Nussbaum, Interviewers)
  10. Lang, R. (2018, 3). Cybersecurity Manager, Washington Military Department. (N. Cohen, & B. Nussbaum, Interviewers)
  11. Lang, R. (2018, 3). Cybersecurity Manager, Washington Military Department. (N. Cohen, & B. Nussbaum, Interviewers); Daugherty, B. (2018, 3 9). The Adjutant General, Washington State National Guard. (N. Cohen, & B. Nussbaum, Interviewers); Kirk, A. (2018, 3 30). Chief Information Security Officer, State of Washington. (N. Cohen, & B. Nussbaum, Interviewers)
  12. Lang, R. (2018, 3). Cybersecurity Manager, Washington Military Department. (N. Cohen, & B. Nussbaum, Interviewers)
  13. Lang, R. (2018, 3). Cybersecurity Manager, Washington Military Department. (N. Cohen, & B. Nussbaum, Interviewers)
  14. Kirk, A. (2018, 3 30). Chief Information Security Officer, State of Washington. (N. Cohen, & B. Nussbaum, Interviewers); Top 17 State & Local Cybersecurity Leaders to Watch. (2017, 10 18). Retrieved from StateScoop: source
  15. Spidalieri, F. (2015). State of the States on Cybersecurity. Newport, RI: Pell Center. P37
  16. Kirk, A. (2018, 3 30). Chief Information Security Officer, State of Washington. (N. Cohen, & B. Nussbaum, Interviewers)
  17. Lang, R. (2018, 3). Cybersecurity Manager, Washington Military Department. (N. Cohen, & B. Nussbaum, Interviewers)
  18. Lang, R. (2018, 3). Cybersecurity Manager, Washington Military Department. (N. Cohen, & B. Nussbaum, Interviewers)
  19. Lang, R. (2018, 3). Cybersecurity Manager, Washington Military Department. (N. Cohen, & B. Nussbaum, Interviewers)
  20. Lang, R. (2018, 3). Cybersecurity Manager, Washington Military Department. (N. Cohen, & B. Nussbaum, Interviewers)
  21. Daugherty, B. (2018, 3 9). The Adjutant General, Washington State National Guard. (N. Cohen, & B. Nussbaum, Interviewers)
  22. Kirk, A. (2018, 3 30). Chief Information Security Officer, State of Washington. (N. Cohen, & B. Nussbaum, Interviewers); Daugherty, B. (2018, 3 9). The Adjutant General, Washington State National Guard. (N. Cohen, & B. Nussbaum, Interviewers); Lang, R. (2018, 3). Cybersecurity Manager, Washington Military Department. (N. Cohen, & B. Nussbaum, Interviewers); 15th Congress H. R. 3712. (2017, 9 8). Retrieved from Congress.Gov: source
  23. See Appendix I
  24. Daugherty, B. (2018, 3 9). The Adjutant General, Washington State National Guard. (N. Cohen, & B. Nussbaum, Interviewers)
  25. Kirk, A. (2018, 3 30). Chief Information Security Officer, State of Washington. (N. Cohen, & B. Nussbaum, Interviewers)
  26. Inslee, J. (2015, 8 19). Letter to the Honorable Alejandro Mayorkas, Deputy Secretary, Department of Homeland Security. Retrieved from Washington Military Department: source
  27. Lang, R. (2018, 3). Cybersecurity Manager, Washington Military Department. (N. Cohen, & B. Nussbaum, Interviewers); Kirk, A. (2018, 3 30). Chief Information Security Officer, State of Washington. (N. Cohen, & B. Nussbaum, Interviewers)
  28. Daugherty, B. (2018, 3 9). The Adjutant General, Washington State National Guard. (N. Cohen, & B. Nussbaum, Interviewers)
  29. Lang, R. (2018, 3). Cybersecurity Manager, Washington Military Department. (N. Cohen, & B. Nussbaum, Interviewers)
  30. Daugherty, B. (2018, 3 9). The Adjutant General, Washington State National Guard. (N. Cohen, & B. Nussbaum, Interviewers)
  31. Lang, R. (2018, 3). Cybersecurity Manager, Washington Military Department. (N. Cohen, & B. Nussbaum, Interviewers)
  32. Revised Code of Washington (RCW) Chapter 38.52. (2017, 10 23). Retrieved from Washington State Legislature: source