Start me up
It’s been three months since President Donald Trump signed an Executive Order (EO) on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The EO was big on plans, light on action, and we’ve yet to see any tangible results because of it. Federal initiatives, for the most part, are slow moving and frequently whittled away until their vanilla-ness is acceptable by all. As U.S. organizations await tactical guidance from Capitol Hill, governors from 38 states have decided it’s time to act and make their own moves to combat cyber threats.
Last month, the assembly of governors pledged commitment to cybersecurity by signing a compact that adheres to Governor Terry McAuliffe’s Meet the Threat program. Meet the Threat was created as a response to stagnation at the federal level, and has a stated goal of promoting better security guidance, governing bodies, awareness, training, and response units. McAuliffe, the outgoing chair of the National Governors Association, has been hard at work on his initiative for over a year, and in a July 14, 2017 press release said that he is proud to have “successfully engaged governors and their states on strengthening their cyber protocols and recognizing that cybersecurity is a technology issue, but it’s also a health issue, an education issue, a public safety issue, an economic issue and a democracy issue.”
I’ve been runnin’ hot
A small sigh of relief might be heard from private sector security practitioners upon hearing this news, as the security community has long been aware of the need to make security everyone’s business, not just the purview of a select group of experts. Meet the Threat isn’t a bill—nor is its intention to become law—but it does serve as standardized guidance that states can roll out to governments and private entities in those states. It’s a helping hand; an effort to get everyone on the same page, so to speak. Generally speaking, broad-based guidance and regulations rarely sit at the cutting edge of technological prowess, but at this stage of the cybersecurity compromise game, it’s clear that many organizations and agencies need a shove in the right direction. With more focus on and help with base-level security practices, organizations will now have a place to turn to get started or when buffing up existing (possibly ineffective) programs.
The compact focuses on three key areas: governance, preparation and response, and growing the cybersecurity workforce. With an acknowledgement that states are ripe targets for cybercriminals, given the collection and storage of large amounts of sensitive data related to residents, businesses, and critical infrastructure, states are encouraged to create a standard security strategy or roadmap that encompasses building a governing body, developing a plan to tackle real-life threats, and “conducting a risk assessment to identify cyber vulnerabilities, cyber threats, potential consequences of cyberattacks and resources available to mitigate such threats and consequences.”
Under the “preparing and defending” section, states are advised to develop incident response plans (including a communications strategy) and organize a “framework for information sharing.”
You got me ticking gonna blow my top
This is good but very basic advice. If the intent is to improve states’ efficacy against cyber threats, implementing policies and plans is a logical place to start, but necessitates additional responsibilities and funding for everything from continuous risk assessments (not merely one point-in-time assessment) to asset inventory, vulnerability and security testing, patching programs, maintenance and monitoring of implemented technologies, and even oversight of the IT procurement and configuration cycle. Plans and policies only scratch the surface. The devil will be in the details of how each state rolls out programs, and how far each is willing or able to go when it comes to funding a more robust cybersecurity program. State budgets are notoriously thinly spread, and while it’s easy to see the ROI of ensuring roads and bridge don’t crumble, it’s less easy to realize costs for implementing encryption for sensitive databases or upgrading lax password policies.
Kick on the starter give it all you got
The more interesting—and actionable—aspect of the compact is the section on growing the nation’s cybersecurity workforce. Recommendations include:
- “Reclassifying state job descriptions for cybersecurity positions to align with private sector practices
- Encouraging colleges and universities to seek National Security Agency certification as a Center of Academic Excellence
- Placing veterans into cybersecurity certification programs or open positions within state agencies
- Partnering with colleges to increase the availability of transferable, two-year cybersecurity degrees; and
- Creating a program to assign qualified college students to state agencies as low-cost, skilled cybersecurity interns.”
A charter to actively recruit and train cybersecurity professionals is mandatory. With limited supply and high demand, government agencies often lose qualified candidates to higher-paying, more-flexible private job offers. All organizations should be putting forth efforts to help train students for technology careers at an earlier stage, but states have a unique advantage here; state funding is already allocated towards training and education programs.
Love the day when we’ll never stop, never stop
Time will tell what happens next when it comes to real-time implementation of policies, procedures, and actions at state levels. It’s encouraging to see, though, that cybersecurity is not a line item or footnote at the bottom of other, more “traditional,” statewide programs, like public health, infrastructure, or education. The realization that information security underpins the success of all of these programs is a big step in the right direction.