State and Local Government Cybersecurity
Last week, I provided opening remarks for the State and Local Government Cybersecurity Framework Kickoff Event, hosted at the National Cybersecurity Center of Excellence (NCCoE), a partnership among the National Institute of Standards and Technology (NIST), the State of Maryland, and Montgomery County. This event is part of the White House’s ongoing coordination and outreach in support of implementing the Cybersecurity Framework, which was released on February 12, 2014, pursuant to President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity (E.O. 13636).
Although much of the attention around the development and implementation of the Framework, and the implementation of E.O. 13636, has focused on the private sector, our state, local, tribal, and territorial government stakeholders are critical partners in our overall drive to improve cybersecurity protections for the nation’s critical infrastructure. These government entities operate critical infrastructure where cybersecurity protections can be increased, and they house considerable amounts of information about residents – everything from driver’s licenses to school records – that must be protected.
These entities are also the first line of response when something goes wrong for our people – individuals and local businesses that are the victims of cyber crime or malicious incidents in cyberspace are likely to reach out to their local law enforcement and related government agencies first for help. At the same time, these local governments present a complex landscape for cybersecurity: they vary widely in governance structure, technical connectivity, and resources available for securing systems and information.
To help navigate this complex yet important landscape requires a team effort. Recognizing that, the White House convened a broad array of stakeholders including government representatives, local-government-focused associations, private sector technology companies, and partners from multiple federal agencies to discuss ways to help this community implement the Framework as a tool for improving cybersecurity. Over 100 cybersecurity and technology leaders attended the event in person, and nearly as many participated virtually via a webinar, representing entities from Hawaii to Michigan (click here to read the Michigan Chief Security Officer’s detailed blog on the event).
Participating organizations included: NCCoE, NIST, the National Governors Association, the National Association of State CIOs, DHS Office of Cybersecurity and Communications, DHS Office of Intergovernmental Affairs, and the Multi-State Information Sharing and Analysis Center. (Click here to access materials provided by participating organizations.) Additionally, the chief information security officer for the State of Maryland moderated a panel of technology industry leaders (including representatives from AT&T, Intel, Microsoft, Symantec, and the Information Technology Industry Council) who shared their organizations’ experiences in implementing the Framework.
Collectively, this group shared information about their approaches to working with the Framework, their current initiatives involving cybersecurity, and many of the resources and programs that are available for this community. (For example, DHS has specific resources available to assist these government entities.) The good news is there are a lot of groups working on local-government cybersecurity issues. This means there are many opportunities for governments to engage on cyber issues, to leverage and share the work of various groups, and to divide up future efforts.
The event concluded with a discussion of future needs to support Framework implementation and cybersecurity improvements for local governments. Some items cited as areas for future collective work included:
- Craft a use case involving local government cybersecurity for NCCoE to pilot.
- Develop a local government overlay for the Framework.
- Leverage existing surveys to baseline Framework implementation and develop useful metrics.
- Develop tools, such as sample cybersecurity legislation, that can be reused by the community to speed knowledge transfer and share best practices among local governments.
- Develop local government-specific goals for the National Initiative for Cybersecurity Education (NICE) to help close the cyber workforce gap.
- Share a calendar of outreach events planned by federal partners and associations, to enable personnel to connect with local events.
Clearly, there’s a lot of work to do for the community that comprises state, local, tribal, and territorial government entities. By working together, these groups and their federal partners can make real progress.