Chapter 1: Introduction

This report focuses on state-level cybersecurity because of its critical place in the cybersecurity ecosystem within the United States, particularly in three key areas: responding to cyber incidents, protecting critical infrastructure, and supporting the development of a cyber workforce.

Today’s cyber threat environment features a proliferation of cybercrime and attacks from nation-state, nonstate, and nation-state-sponsored actors on both public and private sector systems, along with global “contagions” that can affect large swaths of digital infrastructure simultaneously.1 To address these challenges to America’s security, we need to have a national cybersecurity program that is effective at all levels: national, state, local, and across various private sector industries. The federal nature of our government, and the resultant division in its structure and authorities, demand that state governments take an active and proactive role in responding to threats to their citizens and the organizations located in their jurisdiction.

States maintain citizen databases and provide a range of services to their residents. Protecting the integrity and confidentiality of that data and ensuring the availability of those critical services is essential to offering efficient and effective government to the citizenry. Furthermore, state agencies are on the front lines of communication and response whenever there is an incident. While historically this role has sometimes expanded to federal agencies for cybersecurity, with the prevalence of threats and their widespread impact, this primary role shifts back towards state action in most cases. States also play a role that the federal government typically does not (except in unique circumstances or when state resources are exhausted), which is supporting localities and municipalities as they deal with crises and manage the consequences of such events. In this sense, even when states are not on the front lines of cyber incidents, they often are expected to support other jurisdictions, all this despite the fact that many states' own cybersecurity programs are still nascent or in flux.

Mapping and defending critical infrastructure is highly connected to state governance, due to the close relationship between regulatory agencies and their geographic sectors, as well as areas of responsibility that are under the direction of state officials, such as election security. Sectors or industries that are often regulated at the state level—like electricity, water and wastewater, and telecommunications—are areas in which states have serious cyber equities, because they are expected to manage the consequences of failures or incidents. In a similar vein, educational institutions and curricula are also shaped or controlled at the state and local level. To address the shortage of a trained cybersecurity workforce in the United States, curricula need to be laser-focused on information technology and cybersecurity. That change will only happen with concerted state, local, tribal, and territorial (SLTT) action. From elementary STEM education, to community colleges and vocational training, to universities and research institutions, to workforce development and retraining initiatives—these are programs and challenges that are overwhelmingly built and run by states and localities.

States also have the advantage of local relationships informing the provision of services effectively targeted and marketed toward their citizens. Public-private partnerships can flourish in these environments. For example, cyber ranges in Michigan and Arizona are run through partnerships between universities, the private sector, and the public sector. In Indiana, the state runs CritEx, an annual exercise exploring the ramifications and consequences of a cyber incident that affects one sector or one critical infrastructure organization.2 Missouri’s Office of Cybersecurity runs a program to identify “vulnerable internet-connected systems belonging to organizations from various industries. The program identifies high-risk systems that, if left insecure, could lead to disruptions within critical infrastructure or significant data loss, and contacts the owners of the impacted systems to mitigate risks.”3 Programs like this that embrace and rely on constellations of local and regional partners are not likely to result from one-size-fits-all federal programs, but from the efforts of the states—what Justice Louis Brandeis termed “the laboratory of democracy.”4

The answers to technical questions about how to secure networks are largely public knowledge; the challenges we face in cybersecurity often result from questions of process and people. The difficulty, as described by policy advisors from the National Governors Association in their 2017 report Beyond the Network: A Holistic Perspective on State Cybersecurity Governance,5 lies in organizational structure and governance. Our own report focuses on three case studies in which states have shown success in addressing these challenges, and from which we can form conclusions that can be beneficially applied across various state structures.

While the breadth, scope, and scale of state cyber efforts vary widely, several states have effective, mature cybersecurity programs. The most commented on include programs in California, Michigan, New Jersey, New York, Texas, Virginia, and the state of Washington, to name a few. For the purpose of demonstrating different stylistic and fundamental approaches toward achieving a common goal, this report will examine state cybersecurity programs with substantive success in specific key areas. No state has all the answers yet, but this report highlights three that have made particular progress: (1) Arizona, (2) New Jersey, and (3) Washington.

Each of these states has demonstrated certain capabilities or approaches that have the potential to inform other states’ efforts. The lessons learned from this study form a guide for state and local policymakers, strengthening their ability to ensure that their own cybersecurity program is as comprehensive and effective as possible. It is important to note that the approaches of these states are not mutually exclusive. In fact, elements of each model have already been adopted by the other states highlighted in this report, and their programs are the better for it. Every state faces a unique set of challenges, draws on its own comparative advantages, and has its own political, organizational, or legacy IT environments that shape its cyber efforts. So while no model will be ideal in all contexts, individual successful programs and approaches can collectively constitute a menu of options from which states can pick and choose those methods and techniques that fit their needs.

Alongside the conclusions we might draw to help inform action for individual states, this report also offers several recommendations for the federal government. There is a similar level of urgency for the federal government to facilitate the development of unifying structures, serve the needs of state governments and their constituents, and better utilize and coordinate resources from mature and effective state programs for national defense objectives. States have been clear that they are interested in federal support, not just in terms of financial resources, but in terms of expertise and organizational support.

  • First, the federal government should designate specific cybersecurity funding that is linked to national priorities, namely ensuring that states have done baseline risk and capability assessments, developing mature response capability for incidents across multiple sectors, and developing an interdisciplinary approach.
  • Second, federal incident response, guidance, and assistance programs should be deconflicted and streamlined to create a cross-agency solution.
  • Third, the Department of Homeland Security (DHS) and the Department of Defense (DoD) should prioritize the expansion and institutionalization of localized assistance programs.

Box 1

DHS’ CSA Program

DHS’ Cybersecurity Advisors (CSA) program currently employs 11 professionals nationally with deep backgrounds in information security to cover the 10 FEMA regions. These advisors are tasked with the following:

  • Providing guidance and information to SLTT organizations by participating in cybersecurity councils/teams that report to the governor, assisting with state-level planning and information sharing initiatives;
  • Connecting SLTT organizations to federal resources at the MS-ISAC, NCCIC, and other parts of DHS, such as the teams that provide technical assessment services;
  • Increasing awareness of federal cybersecurity policy, executive orders, and information-sharing programs by conducting one-on-one or group meetings, providing briefings, and attending conferences and symposia; and
  • Conducting assessments of SLTT organizations’ strategic and tactical cybersecurity risk exposures and capabilities.

With only 11 CSAs deployed across America, these advisors can sometimes be challenged to connect with and provide services to all entities under their purview. While this team is still being rolled out, the Protective Security Advisors (PSAs)6, of which there is one designated for each state, can utilize their existing networks to do some of the initial groundwork, identifying points of contact for the CSAs and introducing SLTT organizations to the services provided by the new CSAs and their federal partners. The CSA program is expected to increase to 24 members by the end of 2018, and the existing roadmap has up to 93 advisors planned, with 44 currently approved in the upcoming proposed budget.7

Even if the program meets its ambitious target to triple by next year, it will still be limited in its capacity to reach the critical infrastructure and public sector entities it is designed to support across the country. Consistent contact and relationship-driven action is key; the current program simply does not have the resources to achieve its stated goals. Even then, its stated goals may not be sufficient. There are 50 states, numerous territories and tribal governments, dozens of major cities, and hundreds of localities in need of assistance. Many states will not be able to help their sub-jurisdictions until they’ve built much more substantial capacities of their own. The current effort, while valuable and appreciated by those who benefit from it, is not up to the scale of the challenge.

Citations
  1. Meyer, C. (2017, July 1). Deciphering an Evolving Threat Environment: An Interview with Frank Cilluffo. Retrieved from Security Magazine; Manfra, J. (2017, October 3). Written testimony of NPPD Office Cybersecurity and Communications Assistant Secretary Jeanette Manfra for a House Committee on Homeland Security, Subcommittee on Cybersecurity and Infrastructure Protection hearing. Retrieved from US Department of Homeland Security.
  2. Indiana Guard training site helps state, feds protect infrastructure. (2016, May 26). Retrieved from US Army.
  3. The SANS Institute. (2017, December 5). SANS Announces 2017 Difference Makers Award Winners. Retrieved from SANS.
  4. New State Ice Co. v. Liebmann, 463 (US Supreme Court March 21, 1932).
  5. Garcia, M., Forscey, D., & Blute, T. (2017). Beyond the Network: A Holistic Perspective on State Cybersecurity Governance. Nebraska Law Review, 96(2).
  6. PSAs are trained critical infrastructure protection and vulnerability mitigation subject matter experts who facilitate local field activities in coordination with other Department of Homeland Security offices. They also advise and assist state, local, and private sector officials and critical infrastructure facility owners and operators. Protective Security Advisors. (2018, April 12). Retrieved from Official website of the Department of Homeland Security.
  7. Wilke, B. (2018, March 2). Chief, CSA Field Operations, Department of Homeland Security. (N. Cohen, Interviewer)
