How the EO Could Mature State and Local Cybersecurity
Doug Robinson Meredith Ward
Often, the federal government can seem like an older sibling to state and local governments. The average federal agency has a larger budget and staff than most state and local agencies; federal organizations are also more likely to steer state and local agencies down the trails they blaze.
Cybersecurity is no different, and the recent EO on this topic covers many moves federal agencies are familiar with. Although the EO does not force any state or local governments to follow suit, they may want to mirror many of the document’s minutiae.
GovLoop spoke with NASCIO Executive Director Doug Robinson and Director of Policy & Research Meredith Ward about how Biden’s cybersecurity EO could make the public sector’s overall cybersecurity more mature.
The interview below has been lightly edited for brevity and clarity.
GOVLOOP: Where are state and local agencies struggling with cybersecurity?
ROBINSON: Generally, the states are not organized to succeed around cybersecurity. They don’t have enterprise governance that’s strong.
By that I mean they don’t have the requisite capabilities and disciplines in their organization to succeed in cybersecurity. Their investments are not commensurate to the risk. That is more problematic at the local government level.
I think that cybersecurity is a significant business risk. I think that’s part of the gap we have today, the fact that across the board – from elected to appointed officials, particularly elected officials – cybersecurity is not embraced, cybersecurity is not well understood. They still want to think of this as an IT issue. “That’s the CIO’s problem – that’s an IT issue.” But it’s a business issue. We’ve now seen that come full bore.
I look at this as a business problem that needs to be articulated without this constant fear. This is life in the digital age, and we need to become more mature in how we address it. That’s the whole core of the EO, a whole set of directed actions that makes the federal government mature and modern. State and local agencies are dealing with the same thing.
GOVLOOP: What effect might the EO have on state and local cybersecurity?
WARD: State and local governments take a lot of direction from the federal government. What I think the EO can do is provide a model for state and local governments without having a mandate. I think it can help state and local governments with their own best practices. It’s always good to take an inventory of what they’re doing on a day-to-day basis and how that might improve.
GOVLOOP: Why is sharing threat intelligence important for agencies at every level?
WARD: As we get more connected as a society, it’s almost like our borders are getting thinner and thinner. To protect our federal, state and local government, it’s critical that everyone take an interest in cybersecurity.
There is currently no requirement in most states for the private sector to report any incidents they might have. But if there’s an attack on a private-sector company or institute, it could likely affect state and local networks, higher education and things like that, too.
This goes to the concept we call “all of state.” Everyone in a state has a role to play in cybersecurity. It is state governments, local governments, the private sector, higher education, etc.
ROBINSON: We’ve heard for years that actionable intelligence-sharing is an area that needs lots of improvement. There has got to be more collaboration and less just throwing stuff downstream to state and local agencies. Frankly, there are lots of times they do not know what to do with information because there’s so much latency built in, or because there’s a high degree of concern about something like classified information. What happens is that by the time Arizona’s chief information security officer gets the information, for example, it is not useful to them. It has got to be more than simple information-sharing – it has got to be broad collaboration. It is a whole-of-government discussion.
GOVLOOP: What is the main takeaway from the EO for state and local agencies?
ROBINSON: I think the main thing is that the EO is very comprehensive. It provides a good roadmap for state and local leaders to look at and say, “What can we do?” The EO reinforces what state and local governments need to do to become more mature and modern. You must understand the risks and make sure you fund them.
WARD: Every government in our country understands that cybersecurity is a huge concern, and everyone has a role to play. The more everyone plays their roles, the better off we are going to be.