What State Leaders Need to Know About Cybersecurity

As a former state chief information security officer for both Colorado and California, and the federal Department of Homeland Security’s first deputy undersecretary for cybersecurity, one of my continuing tasks was working with state lawmakers and state government executives to help them understand the multitude of issues in the cybersecurity arena. Because legislative bodies turn over fairly frequently, this was a never-ending responsibility that I took seriously and to which I devoted a significant amount of time, and still do.

State legislators and executives have formidable responsibilities to govern on complex and often technical cybersecurity issues that most have had very little experience with. The cybersecurity space is incredibly dynamic, with the threat and vulnerability environment changing almost daily, so these leaders are constantly weighing the law of unintended consequences as they address public safety on one hand and over-regulation of business on the other.

Ask any public- or private-sector information security executive what one of their biggest challenges are and they’ll respond with some version of “keeping the cybersecurity awareness of our employees fresh and in step with the threat environment.” As we’ve seen over the past six months, ransomware and supply chain cybersecurity issues have become daily topics, and legislators are struggling to find policy solutions that accommodate the vastness and diversity of American business. Most importantly, while Fortune 500 companies get most of the attention when it comes to how cyber criminals are impacting our nation’s economy, the small and medium-sized companies that make up the majority of our businesses find themselves struggling for both attention and resources. This is the law-of-unintended-consequences problem, where state and federal cybersecurity regulations can result in dramatic economic challenges for these smaller firms.

Over the past several years, thousands of businesses large and small, along with public-sector organizations including schools, local governments, utilities and police departments, have been impacted by cybersecurity breaches, finding themselves defending against everyone from nation-states to well-organized cyber criminal gangs — the massive Kaseya ransomware attack being just the latest example. It’s an unfair fight, and I believe it is the responsibility of state governments to be educated and aware enough of the cybersecurity threat to enact and implement reasonable laws that address the problem while not driving smaller companies out of business with too-onerous regulation.

Even when resources are available, such as in the proposed federal State and Local Cybersecurity Improvement Act, state government officials will struggle with finding the right balance, methodology and policy actions to effectively administer those resources. This provides an opportunity for cybersecurity education to become a state-level force multiplier.

Early this year, the National Cybersecurity Center, with support from Google, launched the Cybersecurity for State Leaders program with the goal of educating lawmakers and legislative staff on ways to strengthen defenses against digital attacks. The curriculum aims to prepare lawmakers and statehouse staff to be cognizant of cyber threats through specific training in the ecosystem of cybersecurity, why and how cyberattacks work, and how to protect themselves.

Since the program was launched, legislators and staff from 15 states have undertaken the training and received certificates for their participation. In addition, eight governors and two secretaries of state have taken the time to participate in videos and signing of charters supporting the program. These nonpartisan training events feature remarks from an array of experts, including cybersecurity executive Robert Herjavec, CEO of the Herjavec Group; Stephanie Carruthers, chief people hacker for IBM’s X-Force Red Team; and senior experts and researchers from Google, Microsoft and other technology companies. Public officials who have weighed in on cybersecurity issues and policy include Georgia Gov. Brian Kemp and West Virginia’s two U.S. senators, Shelley Moore Capito and Joe Manchin.

“As we have heard in our engagements across several states, cybersecurity is one of those issues that non-technical people struggle to connect with,” said Forrest Senti, vice president of programs and operations at the National Cybersecurity Center (where I am chief strategy officer). “Cybersecurity for State Leaders addresses that challenge head-on with a low-barrier overview of the top things legislators can do to protect themselves against cyberattacks, and ultimately how to best support their state chief information security officers in defending their state infrastructure.”
The training program ultimately focuses on showing state lawmakers and their staffs where they fit into the state cybersecurity picture by dissecting various types of cyber events including phishing, ransomware, supply chain compromises and even misinformation campaigns. The program explores real-world cyber episodes, such as the Colorado Department of Transportation’s response to its 2018 ransomware attack, as examples for state governments.

You can talk to your state’s CISO about participating in your state’s training program, and if your state is not yet signed up you can reach out directly to the National Cybersecurity Center to express your interest in participating and register directly here.

There’s much to gain for policymakers looking to get a better understanding of the cyber threat landscape. “Many states lack a specific requirement for state legislators and their staff to take cybersecurity training,” said Mattie Gullixson, project manager for the program, “so Cybersecurity for State Leaders offers an opportunity to fill that gap, as well as spark greater discussions in each state on the importance of cybersecurity in 21st-century governing.”