More than two years after the launch of the $1 billion state and local cybersecurity grant program, hundreds of millions of dollars are flowing to states to help them invest in long-term cybersecurity planning through a statewide approach.
The fruits of their labor are beginning to appear. For example, New York State announced in late February that it would leverage nearly $6 million in federal funding to create a new cybersecurity grant program to support local governments. The program aims to expand access to cyber tools, information, resources, and services, with states using their purchasing power to directly source and deliver “best-of-breed” services to their communities.
Guests from Maryland, North Dakota, and the city of Dallas shared, on the first episode of Route Fifty's new Innovation Spotlight series, which aired Tuesday, what they have learned so far in implementing a statewide approach that prioritizes information sharing and enhanced partnerships between various levels of government and private industry.
Route Fifty's Chris Teale (left) interviews cybersecurity leaders. From left to right: Dallas Chief Information Officer Bill Zielinski; Michael Gregg, Chief Information Security Officer for the State of North Dakota; and Netta Squires, Maryland's local cybersecurity director.
The federal cyber grant program, the first investment in cybersecurity established under the bipartisan Infrastructure Act, requires states to work with various levels of government to develop cybersecurity plans.
Most states are in the process of launching statewide programs. But three state and local technology leaders who appeared on Tuesday's Spotlight episode agreed that information sharing between different levels of government is one of the most important aspects of this approach. They said states need to work more collaboratively with localities, school districts, utilities, businesses and others to confront adversaries because they do not respect jurisdictional boundaries when they attack.
These information-sharing groups include multi-state coalitions such as the Multi-State Information Sharing Analysis Center and the Joint Cybersecurity Operations Command Center, as well as state-level groups, commissions, committees and task forces where leaders can meet with their local governments, utilities and others.
“The enemy is not waiting for monthly meetings,” said Netta Squires, Maryland's local cybersecurity director. “They're constantly talking in other forums. Our defense mechanisms and analysts need to be able to talk to each other at the same speed.”
In the early days of the cyber plan, Michael Gregg, North Dakota's chief information security officer, said he worked with the state's cities, counties, schools and other local governments to form a “common vision” on the issue. He said he went on a “listening tour” to meet the president. What they face and how to deal with them.
“It is easy to think of solutions, but it is difficult to define the problem,” he said. “Once you spend time with those people, define the problem, and start to understand what the problem actually is, you can start to put together a vision of where you want to go.”
For cities, having the state's purchasing power and willingness to provide a variety of services, tools, and resources can be very helpful. Bill Zielinski, Dallas' chief information officer, said all of this speaks to a greater sense of cooperation and being part of a “coalition of the willing.”
“I need to spend money where I can, so I’m always looking for opportunities where there are tools, features, and services that I can leverage and use,” he said.
The statewide strategy appears to be slightly different in all three states.
In Maryland, a statewide security operations center is tasked with monitoring threats, while a variety of committees and task forces exist that connect state leaders with other branches of government. The law placed various requirements on local and state agencies, including the need for cyber planning and assessment and meeting minimum standards.
North Dakota signed onto the Unified Cybersecurity Approach in 2019, making the cyber team responsible for all branches of government, albeit under existing budgets and staffing.
And Dallas will become part of a series of centers across the state that will provide on-the-ground support through security monitoring, threat sharing and training.
But there are also challenges for states as they advance their own approaches across the state, including sharing resources and tools. Even if a state provides centralized services, in some cases it is difficult to integrate those services with other levels of government because they may not be compatible with what the region already uses. Squires said the “federal” nature of technology, where “everyone does their own thing,” can make it difficult.
One way to mitigate this is for states to adopt risk and authorization management programs such as FedRAMP or its state-level equivalent, StateRAMP. These programs ensure that cloud services and other software comply with standardized security requirements. Using RAMP-approved services removes concerns about software security posture that can be a barrier to adoption.
“It's actually made us more consistent,” Zielinski said.
As with all discussions within the government, tight public finances are a major issue. This is especially complicated in states like North Dakota, where state budgets are set every two years and officials must work within those constraints.
Some government agencies, such as public schools, may only have certain “windows” where changes can be made, Gregg said, and the technical debt that exists in places, whether old, customized systems or badly written code, makes that even more difficult.
“This is different from private industry where you can easily go back and ask for more money or things you need,” Gregg said. “[You’re] managing your people, processes, and technology, understanding when and how you can change, deploying talent, and hiring the right people.”