Table of Contents
- Executive Summary
- Chapter 1: Introduction
- Chapter 2: Three Approaches
- Chapter 3: Lessons for State Policymakers
- Chapter 4: Recommendations for the Federal Government
- Appendix I: Methodology
- Appendix II: Arizona and the Arizona Cyber Threat Response Alliance (ACTRA): The Community Approach
- Appendix III: New Jersey & The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC): The Bureaucratic Superstructure Approach
- Appendix IV: Washington State: The Multidisciplinary Approach
- Appendix V: Full List of Interviews
Chapter 3: Lessons for State Policymakers
Every state and territory is different, and the unique laws, structures, and priorities that each state’s policymakers inherit tend to impact their decision-making on cybersecurity efforts. That being said, there are some common lessons that policymakers can keep in mind as they design and move their programs forward.
Lesson I: Proactive Leadership Matters
Each of the actions described in this report requires strong leadership from the top. Cybersecurity is, and should be, an executive-level issue. Gubernatorial support lends legitimacy to the efforts of the operational-level employees executing the plans, and helps tie together disparate elements of the state bureaucracy.
Effective cybersecurity programs will necessarily have to extend beyond a single term, however, and will likely cross parties and administrations. Current governors should strive to form long-term strategies that will come to fruition beyond their administration, developing enduring models and effective means of implementation. This process should include pushing programs down to the staff level so that they can survive political transitions and institutionalizing programs through legislation.
Box 3
The Texas Cybersecurity Act
The Texas Cybersecurity Act (House Bill 8), signed into law in 2017, is one of the most comprehensive pieces of legislation regarding cybersecurity at the state level. Among other things, the bill establishes cybersecurity requirements for agencies to follow and a 48-hour breach notification requirement, prioritizes narrowing the workforce gap, and sets clear direction for the state’s Cybersecurity Council.
It also requires the Department of Information Resources (DIR) to support the creation of an ISAO to be run under the state’s cybersecurity coordinator. This organization will be focused on solving the workforce problem and helping to spread cybersecurity expertise to the various political subdivisions (local governments) in the state through several regional centers of excellence.[1]
Lesson II: Institutionalization Aids in Sustainability
The institutional approach should span the various agencies and branches of state government. Engaging the various stakeholders in the planning and operation of a cybersecurity program helps to institutionalize the initiatives and bridge leadership transitions between CIOs, CISOs, and state administrations. Cybersecurity is a whole-of-government problem; involving parts of government outside of the IT department creates buy-in from across the state enterprise. In addition to the institutionalization of positions and agencies, secure and consistent funding sources and human resources structures (civil service job titles or training programs) are also enablers of successful and sustainable programs.
Lesson III: The Private Sector is a Vital Part of the Ecosystem
Likewise, engaging private sector leadership and independent researchers is an integral component of fostering a cybersecurity ecosystem within the state, and can add vital expertise and perspectives to planning, defense, and response efforts. Enabling the private sector to play a significant role also makes it a stakeholder in the state’s program and aids sustainability efforts. As these relationships mature, they support the development of trust, which is essential for effective information sharing. Additionally, a state’s technology industry and educational institutions can play an important role in shaping a vibrant and successful cybersecurity talent pool, which can have a catalytic enabling effect on state and local cyber efforts.
On the flip side, the private sector should also actively reach out to state governments to start and/or increase these efforts. Just as the private sector needs an open and supportive state government, state officials need an engaged and open community to work with.
Lesson IV: Focusing on Local Priorities Can Fill a Void
By focusing on the local environment, states can also ensure that they better serve their own communities. National-level exercises are, as they should be, geared towards situations that would have a whole-of-country impact. States can be more granular, focusing on specific scenarios that are likely to affect their citizens, and forming the relationships needed to respond to those kinds of events. State-municipality relationships are sometimes as fractured as—or more so than—federal-state ones. The challenges of federalism extend all the way through the U.S. system; states need to focus downward as much as they do upward. In this regard, the sorry state of municipal financing and budgets nationwide means that, much as states often have fewer resources and specialized personnel than their federal counterparts, many localities have weaker capabilities or less specialized workforces than their state counterparts. Thus, the need for states to offer support to these jurisdictions is often much greater than the states have the capacity for.
Lesson V: A Comprehensive Program is a Centralized Multistakeholder Approach
To create a comprehensive program, there needs to be significant engagement in cybersecurity programs from multiple parts of government, not only IT. As described above, external involvement helps to increase buy-in. Separating cybersecurity from IT can also be critical to strategic planning and prioritization. Security and technology have similar components while harboring distinct goals and challenges with regard to growth and risk; having a CISO who reports to the CIO can, in some cases, create a conflict of interest. It can also impede efforts to integrate cybersecurity into the rest of a state’s security and response processes. If separating the CISO from the CIO isn’t possible, having significant parts of the program led by other departments can help to achieve those aims. It is clear, however, that segmenting responsibilities for cybersecurity among various government entities presents its own set of bureaucratic challenges.
A cybersecurity superstructure, or a cybersecurity coordinator or advisor who sits on top of existing agencies to set priorities and coordinate and/or run cybersecurity efforts throughout the state, can be a solution to this problem. It is unlikely that a state would choose to countermand the legal authorities of specific agencies that manage key parts of the cybersecurity ecosystem, but having a single voice and strategy on cybersecurity is essential for efficiency and effectiveness. These super-bureaucratic entities also help to bring a strategic element to the cybersecurity effort by running across the various elements of state government. Such an organization and its leadership should help develop a state-level cybersecurity strategy, align economic priorities with the security needs of the state, and facilitate public-private cooperation.
Citations
- [1] Kimbriel, T. (2018, April 26). CIO, Cybersecurity Coordinator. (N. Cohen, Interviewer); OCISO, D. (2017, July). The DIR Cybersecurity Insight. Retrieved from Texas Department of Information Resources: source; Matz, S. (2017, August 4). Texas Governor Signs into Law Texas Cybersecurity Act. Retrieved from CompTIA: source; The Texas Cybersecurity Act. (2017, September 1). Retrieved from source