Here's Why State-Level Cybersecurity Practices Matter

June 29, 2017

When the call came in from New Jersey’s Homeland Security Advisor, Dave Weinstein was exhausted. He’d been working as a consultant for just over a year, advising companies on cyber risk, and though he found the work stimulating, taking four flights a week was draining. So, when one of his mentors asked if he would come on board to build the cyber program in New Jersey, he didn’t hesitate, thinking it would be a short-term position.

He was right, but not in the way he thought.

At 22, Weinstein was spending most of his days in the basement of the National Security Agency headquarters at Fort Meade. Just out of school, he scored a position as a cyber operations planner with U.S. Cyber Command. “I loved it! Though I didn’t see a lot of sunlight for about three and a half years.” Working alongside older military members—many of whom were fresh off the battlefield from Afghanistan and Iraq—he got his hands dirty with contingency planning in defense of critical infrastructure, and rose quickly through the civilian ranks. Those were the “very early days of combining offensive and defensive operations into military doctrine,” which meant sitting with a number of “very prickly and undefined policy challenges.” As it turns out, this kind of thinking in a fast-paced environment would be excellent practice for what was to come.

There are fewer and fewer people who don’t realize, at least on some level, that our rapidly evolving technological ecosystem also brings previously unimaginable threats. Someone who sheepishly admits to being hopeless on cybersecurity probably (mistakenly) believes that they’re only putting themselves, and not others, at risk. Governments, on the other hand, hold protecting others as core to their mission, and state governments are no exception.

Weinstein arrived to serve as New Jersey’s first cybersecurity advisor in August of 2014. After a few briefings, he quickly realized that there was a lot to do. The first item on his agenda was to build threat awareness in New Jersey. In the cybersecurity world, this is known as “information sharing.” The basic idea is that spreading information to people about what malicious actors are doing in cyberspace, and how they are doing it, can help people protect themselves, especially if the information is timely and specific. Imagine you got a notice that someone was breaking into houses on your street through unlocked upstairs windows, and that they lingered on targets’ front porches for days before striking, smacking and then spitting out bubblegum. If you arrived home one day to the unmistakable scent of watermelon bubblegum, you might rush to lock your upstairs windows. Very roughly, the cyber threat intelligence version of this is called IOCs, or indicators of compromise. While they do not ordinarily involve bubblegum, they can be very specific, involving clues like IP addresses and domain names. (How much of, and in what form, this kind of information should be shared is a topic of vigorous debate.)

Several organizations share this sort of information, as well as help entities respond to cyber incidents, within sectors, across states, and nationally. The federal government’s version is called the National Cybersecurity and Communications Integration Center (or the much snappier acronym, ‘NCCIC’, pronounced N-Kick). When Weinstein got to New Jersey, he saw they needed an entity that would share this kind of information to specifically serve the New Jersey community—for IT practitioners and users within state government, but especially for critical infrastructure providers and small businesses across the state. According to Weinstein, those last two groups were especially underserved in this respect—not because the feds weren’t trying, but because the feds couldn’t possibly scale that kind of service down to the state and local level. To fill the institutional gap, Weinstein and his team built up NJCCIC. The first of its kind in the nation, NJCCIC is modeled off the federal government’s version, and serves as a hub for cybersecurity information sharing, incident reporting, and threat analysis.

It should be noted that a David Weinstein is not an easy find. On some level, successful cybersecurity policy depends on filling key cybersecurity roles. The crisis within the broader cybersecurity workforce is especially pronounced when it comes to state and local governments, where similar demands for talent overlap with lower compensation than what the private sector can offer. In a 2015 survey of State Chief Information Officers, 92 percent of states reported that salaries and pay structures were an obstacle to attracting and retaining IT talent, and 86 percent of states struggled to recruit new employees to fill vacant IT positions.

The challenge extends also to the leadership level, where the average tenure for a State Chief Information Officer is just over two years—about half the length of a private sector equivalent. New Jersey’s previous CIO served for twice as long as most. When he stepped down after five years, Governor Chris Christie saw an opportunity to do what he’d hoped to do for a while: elevate the position to the cabinet level. In June of 2016, Christie created the role of Chief Technology Officer, emphasizing how critical IT and security are to the state. He also knew exactly whom to tap for this new role.

Today, as a cabinet member and head of all things information technology in the state of New Jersey, Weinstein’s responsibilities are only growing. Earlier this month, Governor Chris Christie signed an executive order that gives the agency Weinstein heads the statutory authority and bureaucratic clout to fully execute its mission.

When I asked Weinstein, given his background at the federal level, how he thought states fit into the national cybersecurity picture, he emphasized that since states hold far more of their citizens’ information than does the federal government, it’s imperative that they have state-of-the-art cybersecurity practices.

But, states are also uniquely positioned to contribute to cybersecurity because they are “more intimately connected to their citizens.” Speaking of small businesses in New Jersey, Weinstein says that while the federal government can’t focus its resources on making sure small businesses are, for example, getting the latest vulnerability advisories for their sector, “we [in New Jersey] know our small businesses. We know the heads of the local chambers. We have those relationships.” As most cybersecurity practitioners will tell you, this work is far more about relationships than it might first appear. Beyond the technical elements, the central dynamic is people helping other people, and people helping others to better help them. As Weinstein puts it, state and local governments have the privilege and benefit of “living and operating in the communities you’re trying to protect.” In that light, it’s hard to imagine who is better positioned to help.