CYBERSECURITY

Executive Summary

It is not a question of whether a state will face a cybersecurity attack, but when it will occur, when it will be discovered and how bad it will be. A critical question every governor should ask is, “How will I find out about a cybersecurity incident?” All state leaders should ask this question on day one of their administration with an eye to addressing gaps, overlapping jurisdictions and other areas where a state’s response could encounter confusion. 

State governments have worked for more than a decade to improve their cybersecurity readiness, in partnership with federal authorities. As states continue to modernize their technical infrastructure and systems for delivering government services, it is increasingly easy for people to access everything from fishing licenses to financial assistance for health care from state and local websites. Along with those improvements has come a crucial challenge for governments — protecting their ever-expanding online systems from hacking, ransomware and other threats. Cybersecurity must be a persistent and top state priority.

Recent years have seen a pronounced increase in malicious online actors accessing government systems, wreaking havoc, costing governments money, endangering those who rely on public services and embarrassing elected officials. Airports, police departments, local water systems, schools and hospitals have been victimized. Atlanta was targeted with a ransomware attack in 2018 that cost it $17 million. Baltimore saw hackers take control of 10,000 of its computers, with the city’s email and other channels shut down for weeks. In the last 24 months, it is estimated that nearly every state has dealt with a cyberattack, including more than 60 public safety agencies and 191 local governments.[1]

Foreign actors also pose a threat to state services. In the early months of 2022, Ukraine alerted the world that the Russian invasion of its country included a barrage of cyberattacks on the Ukrainian power grid. In March, President Biden sent a letter to governors warning that Russian President Vladimir Putin might launch cyberattacks on American infrastructure as the U.S. confronted Moscow over its attack on Ukraine. The president offered states his administration’s assistance and suggested specific steps for governors to take to secure their critical infrastructure, including gathering and preparing state emergency management and cybersecurity leaders. 

The coming years will see continued challenges, but also opportunities. In the face of increasing cyber threats, governments — especially local and tribal governments — will have to compete with other public and private sector employers for technical expertise to manage their cybersecurity needs. Many states have started to establish the necessary laws and regulations, organizational structures and skilled workforce to address these challenges. To help build capacity, there is $1 billion in cybersecurity grants for state and local governments in the $1.2 trillion Infrastructure Investment and Jobs Act of 2021, as well as other programs that states can turn to for cybersecurity assistance.[2]

This memo lays out actions that states can take during the first 200 days of 2023 to secure their data systems and ease public concerns about their state’s cybersecurity readiness.

SUMMARY OF OPPORTUNITIES

Prepare for a cyberattack early in the administration

The best defense against a cyberattack is preparedness. Early in 2023, the governor can lead a tabletop exercise in which officials practice their roles in an emergency. This can strengthen the state’s readiness for a broad cybersecurity attack by testing existing plans for keeping government functioning and responding to incidents at state and agency levels. As part of this exercise, state leaders should strengthen how they coordinate with federal, other state, local and tribal authorities, and how to best communicate with the public, private companies and utilities, schools and other institutions.

Conduct a broad review of the statewide cybersecurity strategy

In the first 100 days of 2023, the governor should make sure state leaders understand the state’s current cybersecurity strategy and funding, and set priorities for the most urgently needed improvements. More than 30 states have formally established a cybersecurity task force, commission, advisory council or other group of experts to assist with this critical work.[3] Such a review lays the essential groundwork for ensuring that appropriate resourcing, hiring and prioritization are done at a statewide level. 

Build cybersecurity leadership and a strong technical workforce

Cybersecurity demands a government-wide approach, and every state executive should put protecting data and information systems on their list of priorities. To execute a robust strategy, state leaders and agencies need an experienced cybersecurity professional regularly reporting to the governor and top officials. A state chief information security officer not only advises on the secure and responsible operation of technical infrastructure, but is a key engine for developing effective cybersecurity policies and best practices. They are also responsible for building a strong technical workforce and strengthening a culture of information security.

Launch a statewide cybersecurity campaign

The governor sets the tone for embedding a culture of information security across the state. Early in an administration, this can be done with the launch of a visible campaign to improve cybersecurity that includes all state offices and agencies, employees, vendors, private companies and the public. State leaders can announce steps to undertake critical protections, such as phishing-resistant multifactor authentication and Zero Trust systems for verifying the identities of every user of all state systems, including vendors. They can also unveil cyberhygiene training for all state employees and contractors, and technical support for local governments to move their websites to the .gov domain for greater security.

OVERVIEW

Americans increasingly rely on online access to government services, whether it’s applying for health care assistance, seeking public records or buying a fishing license. This puts a heavy burden on states to protect their information systems, including online portals, at a time when it is increasingly challenging to provide effective cybersecurity. 

Even as they expand online services and modernize outdated systems, many state governments are incurring “security debt,” the unaddressed security needs that grow over time as they add new software or hardware[4] or fail to update old technologies. Hackers and other malicious actors exploit these weaknesses and have ever more sophisticated, powerful ways to penetrate state technical and data infrastructure. 

Malicious actors have broken into online systems run by state and local governments around the country. For example:

  • In Oldsmar, Fla., hackers gained access to the water system in 2021 and attempted to poison the drinking water supply[5], briefly increasing the amount of lye in the system.[6]

  • A multistate hospital system was recently the victim of ransomware, delaying patients’ timely care.[7]

  • In Baltimore, a ransomware attack seized 10,000 government computers and shut down communication channels including emails and online transactions for weeks.[8] This mirrored a 2018 attack in Atlanta that cost the city $17 million.

  • Airports in several states have been attacked, including recent outages at major hubs in Los Angeles, Chicago and Atlanta.[9]

  • In Suffolk County, N.Y., a 911 dispatch system was knocked offline.[10]

In this digital age, states can and must be able to offer robust online services and systems and ensure their protection from unauthorized access and exploitation. Most states have been working on statewide cybersecurity strategies to protect their systems and data, and develop their cybersecurity workforce.[11] According to the National Conference of State Legislatures, every state now has a chief information officer (about half of whom report directly to the governor) and a chief information security officer (typically reporting to the CIO).[12] Still, governments have struggled to recruit the cybersecurity workers they need. While the U.S. cybersecurity workforce grew by 5.5% over the past year, the number of unfilled cybersecurity jobs in the U.S. grew by 9% to over 400,000 positions.[13] This has led to federal agencies competing for the same talent.[14] The situation is worse for state and local governments, where many positions are left unfilled. 

Even in states that have mature cybersecurity teams, those teams can be hampered by narrow ranges of authority and bureaucratic barriers in which there is little coordination among agencies. To accelerate security improvements, cybersecurity leaders need organizational structures that facilitate cooperation and information sharing with other agencies; federal and other state, local and tribal partners; private companies; and the public.

FEDERAL DOLLARS CREATE A TIMELY OPPORTUNITY FOR SUCCESS OR FAILURE

The $1.2 trillion Infrastructure Investment and Jobs Act enacted in December 2021 includes $1 billion for state and local cybersecurity grants and a path to a strong state cybersecurity strategy.[15] Under this program, called the State and Local Cybersecurity Grant Program, funds will be distributed over the next four years.[16]

The U.S. Department of Homeland Security issued a Notice of Funding Opportunity in September 2022 that explains how to apply for the grants and what they can be used for. To be eligible for a grant, a state must have a Cybersecurity Planning Committee with at least half the committee’s members having professional cybersecurity experience, and including representatives from counties, cities and towns, and public education and health agencies.[17]

States can then submit a cybersecurity plan to the Cybersecurity and Infrastructure Security Agency (CISA). The plan must outline the state’s strategies for managing, monitoring and tracking information systems, as well as its plans for improving the preparedness, response and resilience of IT systems against risks and threats. It should also include details on how the state will implement best practices in cybersecurity.

The Jobs Act includes other new programs that states can use to strengthen their cybersecurity protections. For example:

  • A $100 million cybersecurity response and recovery fund that can include grants and cooperative agreements with state, territorial and tribal governments, with no cost-sharing requirement for state and local government;

  • A $250 million Rural and Municipal Utility Advances Cybersecurity Grant and Technical Assistance Program to help increase the use of advanced cybersecurity technologies by electric utility systems such as state-owned utilities, rural electric cooperatives, municipally owned electric utilities and small investor-owned utilities;

  • A $50 million Energy Sector Operational Support for Cyber Resilience Program to enhance and periodically test the emergency response capabilities of the Department of Energy, expanding its cooperation with the intelligence community. This can include technical assistance to small electric utilities.[18]

There are also federal and state resources that can help states understand the current status of their cyber defenses and what to prioritize. CISA, the government’s lead agency for responding to cyberattacks, provides a comprehensive set of tools, guides and services that states can use to understand and respond to threats. The National Institute of Standards and Technology (NIST) also has a wealth of best practices and standards that states can use to assess their capacity, though doing so requires a team with deep technical and security expertise. The National Governors Association and National Conference of State Legislatures also offer resources aimed specifically at state cybersecurity practices.

KEY TECHNOLOGY OPPORTUNITIES FOR THE FIRST 200 DAYS OF 2023

Below are meaningful steps that state leaders can take at the beginning of 2023 to assess and improve their state’s protections against cybersecurity threats. In the first 200 days:

  1. Prepare for a cyberattack;
  2. Conduct a broad review of the statewide cybersecurity strategy; 
  3. Build and empower state cybersecurity teams and technical talent;
  4. Launch a statewide cybersecurity campaign.

PREPARE FOR A CYBERATTACK

It is not a question of whether a state will face a cybersecurity attack, but when it will occur, when it will be discovered and how bad it will be. A critical question every governor should ask is, “How will I find out about a cybersecurity incident?” All state leaders should ask this question on day one of their administration with an eye to addressing gaps, overlapping jurisdictions and other areas where a state’s response could encounter confusion. 

Cybersecurity incident response plan

States must have a written plan for answering an attack, and keep it updated. This requires coordination by a large group of people and agencies, including the cybersecurity team, communications, legislative affairs, operations, National Guard, law enforcement, perhaps the governor’s office and others. Plans should clearly lay out incident response management responsibilities, such as in Louisiana’s Cyber Incident Response plan (annex to the Emergency Support Function – 17 at p. 184). It will also likely require engagement with outside organizations including private businesses, utilities, insurance companies and others. In 2019, the National Governors Association examined the 15 states that have publicly available cybersecurity incident response plans. An overview of that research can be found here.

The cybersecurity team should be immersed in the state’s plan for responding to attacks, including a state’s determination of what, if any, resources will be provided for local incidents. In building relationships with local governments, state cybersecurity officials should share the plan with those officials so they will know what state resources are available during incidents. More information about handling cybersecurity attacks is available from CISA, including steps for states to report an incident and receive assistance if necessary.

Strengthen statewide communication channels

State governments are a critical interchange for information sharing by federal, state, local and private sector stakeholders during a cyberattack. Many attacks happen at the local level, such as at police departments, colleges, hospitals or airports, where the state does not have direct authority or control. As such, it is important to create lines of communication with these organizations before an incident. Strong relationships pay dividends by enabling an immediate, statewide response to an attack and helping prioritize the allocation of resources in preventing a breach.

New Jersey’s Cybersecurity and Communications Integration Cell was established in 2015 as the state’s central unit for cybersecurity threat analysis, incident reporting and information sharing. It sets priorities for disseminating information from the federal government and for proactively communicating and sharing intelligence with the public.[19] In 2022, North Carolina’s governor signed an executive order to establish the state’s Joint Cybersecurity Task Force. It works to build relationships among state and local government agencies and educational institutions to provide incident coordination, resource support and technical assistance.[20]

Ensure every agency has a documented continuity of operations plan 

States should consider the loss of computer function as the loss of a government’s ability to operate overall. As with any unexpected disaster, governors should plan as if this will happen in an administration’s first 200 days. 

States should review and update their continuity of operations plans (COOP), which typically are used to outline how they would deliver services during natural disasters. A COOP is often separate from, but complementary to, a cybersecurity incident response plan. Most cybersecurity incident response plans detail how a state would coordinate the response to a cybersecurity attack, including plans to involve law enforcement, the National Guard and other agencies. A COOP, on the other hand, lays out how a state will continue to run the essential functions of government itself — and serve constituents — while addressing the incident. To maintain readiness, states should conduct exercises to test this capability annually or at least participate in regional or national exercises to identify any gaps. 

States can also help local governments and providers of essential infrastructure, like electric utilities, put plans in place. The consequences of not having a plan for continuing services during a cybersecurity breach can be severe. In 2018, a local police department in Riverside, Ohio, was a victim of a cybersecurity attack that shut down all of its systems for a full week. The community did not have a continuity plan, leaving officers taking reports on yellow notepads with no system for processing them.[21] This weakened the department’s response to problems.

CONDUCT A BROAD REVIEW OF THE STATEWIDE CYBERSECURITY STRATEGY

Most states already have some cybersecurity strategies, many of which were developed out of necessity from increasing incidents of malicious hacking and security breaches. In the first 100 days of 2023, governors and top officials should broadly review the state’s cybersecurity strategy to assess existing assets, vulnerabilities, talent needs, funding, administrative obstacles and opportunities. Such a review establishes an informed foundation for the ongoing management and readiness posture of the state’s cybersecurity team. Moreover, it helps leaders set realistic priorities to protect the state’s data and information systems.

To begin, the governor should identify a trusted cybersecurity advisor as soon as possible to help lead this assessment. This may be the state CIO or CISO, or it may be a special advisor or another official with technical knowledge. The advisor should understand the state’s technical infrastructure and organizational structure to help lead a productive discussion with leaders.

As a starting point for organizing a comprehensive review, the National Institute of Standards and Technology’s Cybersecurity Framework[22] provides a guide that cybersecurity professionals often use to understand risks and ways to reduce them. NIST’s suggestions include: 

  1. Describing their current cybersecurity status;
  2. Deciding their cybersecurity target;
  3. Prioritizing opportunities for improvement as part of a continual process;
  4. Assessing their progress;
  5. Communicating with internal and outside participants about cybersecurity risk.

Building off of NIST’s framework, CISA offers a template agenda for state, local, tribal and territorial governments to understand their cybersecurity posture. Similarly, the National Conference of State Legislatures (NCSL) has published a “Conversation Guide” developed for state governments. For example, NCSL suggests asking the state’s CIO or CISO about risk assessment and cyber strategy, including questions such as:

  • Who are your executive branch customers?

  • If there are parts of state government not under your control (i.e., constitutional officers), who are your counterparts in those offices?

  • Does your authority extend to local jurisdictions such as cities, counties, parishes or school districts?

  • CIO question: What are the programmatic priorities for your office?

  • Who sets the priorities for your office? How often is the overall security strategy updated?

  • Are audits part of the overall security plan?

  • CISO question: What are the cybersecurity priorities for your office?

  • How can I help promote a “culture of information security” that includes state leadership and all key stakeholders?

For the full resource, see the NCSL Cybersecurity Conversation Guide. For more technical inquiries, some states have published their own cybersecurity guides. For example, the Washington state auditor’s office has a tool for local governments to assess the strength of their cybersecurity systems. Each state’s review will be different, but should aim to be broad, involving leaders across state agencies and offices. The goal is to understand the cybersecurity threat landscape and the state’s capacity to protect its data, systems and residents.

BUILD AND EMPOWER STATE CYBERSECURITY TEAMS AND TECHNICAL TALENT

Make sure top officials know cybersecurity is a priority

Reducing cybersecurity vulnerability is such a fundamental challenge that it needs attention and buy-in from governors, department heads and other senior administration officials. While these leaders don’t have to understand the detailed technical aspects of cybersecurity, they do need to grasp how crucial it is for critical government functions. Every state executive should have cybersecurity on their list of priorities and should have a staff with appropriate technical expertise to ensure the effective, secure delivery of government services.[23]

To solidify cybersecurity as a priority in the state’s leadership, many states have established cybersecurity committees or councils that include state leaders from departments and agencies, as well as experts from across the private sector and academia. In 2017, Indiana established the Indiana Executive Council on Cybersecurity “to form an understanding of Indiana’s cybersecurity risk profile, identify priorities, establish a strategic framework of Indiana’s cybersecurity initiatives, and leverage the body of talent to stay on the forefront of the cybersecurity risk environment.”[24] The 35-member council includes local, state, federal, private sector, military and academic members. In 2021, it produced a statewide cybersecurity strategic plan. These expert committees can fulfill federal cybersecurity grant requirements and help develop statewide plans.

The role of the state chief information security officer

Chief information security officers (CISOs) oversee all aspects of cybersecurity and typically advise the state chief information officer (CIO) and executive leadership on cybersecurity risk. They develop security management systems and standards for safeguarding government information. 

The job of the CISO goes beyond compliance. The person should advocate for best practices while being able to make risk-based decisions to balance security with the effective delivery of services. For example, a CISO should understand Zero Trust, a security strategy the federal government is adopting with 2022 OMB guidance, which would require all system users to be authenticated and authorized.[25] A strong CISO must be able to assess how such rigorous security measures benefit the state and how they can be implemented with minimal harm to overall service delivery and other priorities.

The CISO[26] is typically accountable for:

  • Building a cybersecurity team;

  • Developing a strong working relationship with IT and engineering teams implementing solutions;

  • Describing cybersecurity issues to nontechnical audiences, like legislatures;

  • Cybersecurity threat risk management and detection;

  • Preventing financial and digital loss;

  • Insuring and de-risking organizations;

  • Creating multiple lines of defense across state agencies;

  • Preparing plans for conducting business if a cyberattack forces a state system to be taken offline.

While reporting structure varies by state, the CIO and CISO must be strong partners in running the state’s technical infrastructure. To be effective, the CISO should have the power to make decisions, including those impacting staffing and budget. Whatever the organizational structure, the CISO should be in regular and direct communication with the governor and top state officials. It is not only best practice, but often legally mandated, for corporate boards to receive regular reports on cybersecurity risks. State governments should adopt a similar practice with their top officials.

Provide funding for state employees to develop their cybersecurity expertise

The number of cybersecurity training and certification programs is growing rapidly. These programs provide paths for training a state’s existing workforce. The NCSL provides a list of cybersecurity training resources specifically for state executive branch employees. Many state governments offer tuition assistance to employees, but states could provide even greater incentives for employees’ professional growth, such as Virginia’s Cybersecurity Public Service grant.[27] At a time when cybersecurity professionals are in high demand, training programs can help states develop a technical workforce from within.

LAUNCH A STATEWIDE CYBERSECURITY CAMPAIGN

Protecting state systems and sensitive information from hackers requires every government employee to be aware that some of the most effective cybersecurity protections come from how they behave online, not just the technology itself. A top state security official in Indiana said last year that “80% of the threats faced by an organization could have been mitigated through basic nontechnical education of teams and leaders.”[28]

Creating a culture of information security must come from the top, starting with the governor. In the first 200 days of 2023, the governor can launch a public campaign to improve cybersecurity that includes all state agencies, employees, vendors, private companies and the public. State leaders can announce several initiatives, described further below, which can dramatically improve security. 

Statewide employee cybersecurity training

According to a 2018 Microsoft report on strengthening cybersecurity in state governments, only 18 states require cybersecurity training for all employees. While this number has likely increased, it is also likely that gaps remain. Ensuring that every worker understands the basics of cybersecurity practices and their importance is critical for keeping state systems safe. This is particularly important as more governments let employees work remotely. Workers should be given practical recommendations and support to protect both their state system accounts and their personal digital identities and accounts, since professional and personal accounts can be targeted. 

“Cybersecurity hygiene” refers to the standards that staff follow and the habits workers can form to protect sensitive information and systems.[29] It’s akin to the daily choice to wash our hands to prevent the spread of germs. Proper cybersecurity hygiene includes:[30]

  • Having strong passwords that are not duplicated in different systems;

  • Using multifactor authentication;

  • Ensuring that people have only as much access to change a computer system as is needed;

  • Automatically updating operating systems and third-party software.

State leaders, in collaboration with the CIO, CISO or other cybersecurity advisor, should be tasked with developing and deploying basic cybersecurity hygiene training for all state employees, contractors and vendors.

Use multifactor authentication for state employees and contractors

Using multifactor authentication for state employees and contractors is one of the most effective ways to increase information security. It is “an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence to an authentication mechanism that involve: knowledge (something the user and only the user knows) and possession (something the user and only the user has).”[31]

Multifactor authentication (MFA) is important because even if the first credential is compromised, it is unlikely the second credential will be illicitly obtained because it requires having a physical tool like a mobile phone or access to a particular physical location.[32] The strongest forms of MFA are designed to be resistant to phishing attacks (these are sometimes referred to as “security keys” or “WebAuthn”), and should be preferred where possible for new systems. It is also a best practice to invest in single sign-on systems wherever possible, so that state employees only need to interact with one sign-on system for all of the systems they use in their jobs.
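As an added illustration, not from the memo, of why the phishing-resistant form of MFA works: the checks below are the ones a WebAuthn relying party (the state’s login server) performs on an assertion, binding it to the server’s own origin and domain and to a one-time challenge. The domain names are constructed placeholders, the browser and authenticator are simulated, and the authenticator’s signature check is described in a comment but omitted.

```python
import base64
import hashlib
import json
import os
from urllib.parse import urlparse

# Constructed placeholder domain for a state identity portal (not from the memo).
RP_ID = "login.example.gov"
EXPECTED_ORIGIN = "https://login.example.gov"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(page_origin: str, challenge: bytes) -> dict:
    """Simulate the browser/authenticator side of a WebAuthn 'get' ceremony.

    The browser, not the web page, fills in the origin and derives the RP ID
    from the page's real hostname, so a lookalike site cannot forge them.
    Signature generation is omitted (simulation only).
    """
    client_data = {
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": page_origin,
    }
    rp_id_hash = hashlib.sha256(urlparse(page_origin).hostname.encode()).digest()
    flags = b"\x01"                      # bit 0: user present
    sign_count = (7).to_bytes(4, "big")  # authenticator's signature counter
    return {
        "clientDataJSON": json.dumps(client_data).encode(),
        "authenticatorData": rp_id_hash + flags + sign_count,
    }


def verify_assertion(assertion: dict, expected_challenge: bytes,
                     expected_origin: str = EXPECTED_ORIGIN,
                     rp_id: str = RP_ID) -> tuple:
    """Relying-party checks that make WebAuthn phishing-resistant.

    Returns (accepted, reason). A real relying party additionally verifies the
    authenticator's signature over authenticatorData || SHA-256(clientDataJSON)
    with the public key stored at registration; that step is omitted here
    because the Python standard library has no ECDSA implementation.
    """
    try:
        client_data = json.loads(assertion["clientDataJSON"])
    except (KeyError, ValueError):
        return False, "malformed clientDataJSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Challenge binding defeats replay of a captured assertion.
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    # Origin binding: a phished assertion carries the lookalike site's origin.
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    auth_data = assertion.get("authenticatorData", b"")
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    # RP ID binding: the credential is scoped to the relying party's domain.
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    return True, "ok"


def demo() -> dict:
    """Run the three cases the memo's point turns on and return the verdicts."""
    challenge = os.urandom(32)
    genuine = make_assertion(EXPECTED_ORIGIN, challenge)
    # Constructed lookalike domain standing in for a phishing page.
    phished = make_assertion("https://login.example.gov.verify-account.test", challenge)
    return {
        "genuine": verify_assertion(genuine, challenge),
        "phished": verify_assertion(phished, challenge),
        "replayed": verify_assertion(genuine, os.urandom(32)),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} accepted={ok} ({reason})")
```

The same assertion that a genuine page produces is rejected when it comes from the lookalike page or is replayed against a fresh challenge, which is the property a one-time code sent by SMS or app does not have.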

Installing MFA in hundreds of systems can take years. States can start by focusing on core email and productivity tools to build momentum and then move toward more comprehensive improvements over time. The Illinois Department of Innovation and Technology details its plans for rolling out multifactor authentication here.

Identify and protect government websites not on a .gov domain 

All 50 states have .gov domains, which let users know they are on an official government website. Moreover, .gov domains provide built-in access to important security features such as two-factor authentication and continuous vulnerability monitoring.[33]

Some older websites affiliated with agencies and departments, as well as numerous local governments, still house their websites on .com or .org domains. In 2020, the computer security company McAfee released a study that showed 80% of county election offices had yet to move to a .gov domain, posing a potential risk to election security.[34] Similar risks exist for any online government service sites that might be spoofed by a malicious actor in order to obtain sensitive personal information from the public. States can help local governments move their websites to .gov, especially now that those domains are available at no cost. This would also make it easier to monitor the performance and security of all state-run websites.

Set minimum security standards for new technology investments

Governments are attractive targets for hackers because of the valuable information they keep and vital services they provide. These systems are often built by or purchased from third parties, so it is critical to ensure that all suppliers are also secure by developing standards that their technology projects must follow. This includes state vendors, service and technology providers, as well as state offices and agencies. Establishing and enforcing such requirements demands collaboration across many teams. Moreover, the state CISO must continually monitor and update standards to match rapid changes in the industry and the security threat environment.

In September 2022, the White House’s Office of Management and Budget released guidance for federal agencies entitled “Enhancing the Security of the Software Supply Chain Through Secure Software Development Practices.” While this only applies to federal agencies, states can use it as a model for addressing their own technology supply chain issues. Similarly, both CISA and NIST have published best-practice guidance that states can use as they make decisions about purchases. States may even require software vendors to certify that they are following secure development practices that meet these best practice requirements.

BEYOND THE FIRST 200 DAYS

Although some steps can be taken within a year, governors can also make improvements in cybersecurity that will have a longer-range impact. Specifically:

ENCOURAGE COUNTY AND LOCAL GOVERNMENTS TO PRIORITIZE SECURITY

States can encourage local governments to strengthen their cybersecurity with financial support and by holding them accountable to agreed-upon standards. As noted above, many cybersecurity incidents occur at the local level, and it is important for state leaders to build trusted relationships with local governments over time rather than swooping in during a crisis. As partners, state and local resources can support each other with information, threat analysis and other assistance.

As noted by the National Association of Counties (NACo), local governments need resources — funding and technical support — to develop and maintain security.[35] To assist local governments, states can apply for CISA’s $1 billion state and local cybersecurity grants, which will be released in phases. Local governments can also seek help from programs, including some suggested by NACo, that offer free assistance like vital alerts and notifications on cyber threats and cyberattacks. 

ESTABLISH A VULNERABILITY DISCLOSURE PROGRAM

States should establish vulnerability disclosure programs,[36] which let anyone inside or outside the government securely report cybersecurity weaknesses. A team and process should be created, likely within the CISO office, to triage and handle incoming reports. Most federal agencies are required[37] to maintain such programs, and states can learn from the federal model how they might do this themselves. See the CISA and the federal General Services Administration[38] resource pages for examples.

WORK WITH COLLEGES AND UNIVERSITIES TO BUILD A SECURITY WORKFORCE

Cybersecurity training programs are growing. From university degrees to certificates and apprenticeship programs, there are many paths to cybersecurity expertise. The most successful states are building relationships with colleges, training programs and businesses to support cybersecurity training and provide a pathway to government service. 

One promising model is the federal Cybercorps Scholarship Program, which provides up to three years of financial aid for graduate or undergraduate students studying cybersecurity. When they complete their course work, students agree to work for the federal, state or local government for the same number of years for which they received scholarships. States can use these students to fill cybersecurity jobs. They can also develop their own similar scholarship programs at home. 

CONSIDER BUILDING A VOLUNTEER RESPONSE TEAM OR REGIONAL COALITIONS

As states struggle to fill cybersecurity positions, many are appealing to individuals’ sense of civic duty to build volunteer cybercorps. While the structure and formality of these models differ across states, the focus is on recruiting teams that can be activated during a large-scale cyberattack or one that puts the delivery of government services at risk. 

States, including Ohio and Michigan, have invested heavily in building a corps of cyber experts who can be called to duty during a cyberattack. Michigan’s model, known as MiC3, requires all volunteers to pass a background screening and to complete annual training. MiC3 members are assigned to regions of the state and work alongside state employees to respond to a cyberattack.[39]

The National Governors Association’s Center for Best Practices has compiled a list of recommendations for states that are considering this option, along with case studies from Michigan, Ohio and Wisconsin. These approaches can be explored to complement full-time technical leaders.

ACCELERATE CLOUD TECHNOLOGY TO MAXIMIZE THREAT MONITORING, PREVENT BREACHES

Moving information technology to the cloud can enhance a state’s cybersecurity, decrease costs and strengthen system reliability. While most states are increasing their use of the cloud, many agencies still rely on their own antiquated systems, which are costly and vulnerable to hackers. To accelerate adoption, state leaders can:

  • Ask for a detailed briefing on the status of cloud transitions across agencies;

  • Reject a transition date that is years away and tied to a long-term modernization program;

  • Seek transition plans that are incremental, increasing use of the cloud in steps;

  • Avoid migration plans that attempt to move everything at once.

References
1 https://www.seculore.com/resources/cyber-attack-archive
2 https://www.cisa.gov/cybergrants#:~:text=Through%20the%20Infrastructure%20Investment%20and,be%20awarded%20over%20four%20years.
3 https://www.govtech.com/security/which-states-have-cybersecurity-task-forces
4 https://www.infiyo.com/what-is-cybersecurity-debt-and-how-does-it-impact-your-business
5 https://www.wired.com/story/oldsmar-florida-water-utility-hack/
6 https://www.nytimes.com/2021/02/08/us/oldsmar-florida-water-supply-hack.html
7 https://www.nbcnews.com/tech/security/ransomware-attack-delays-patient-care-hospitals-us-rcna50919
8 https://www.npr.org/2019/05/21/725118702/ransomware-cyberattacks-on-baltimore-put-city-services-offline
9 https://www.forbes.com/sites/emilsayegh/2022/11/16/snakes-on-a-plane-beware-of-airport-cyber-attacks/?sh=622fab044c24
10 https://www.nbcnewyork.com/news/local/suffolk-county-hack-cripples-911-call-center-and-police-hq-as-they-turn-to-nypd-for-help/3871797/
11 https://www.in.gov/cybersecurity/files/NGA-Cyber-Compact.pdf
12 https://www.ncsl.org/documents/taskforces/NCSL_Cybersecurity_Conversation_Guide.pdf
13 https://www.crn.com/news/security/report-cybersecurity-labor-shortage-grows-worse-in-u-s-and-worldwide
14 https://www.fedscoop.com/cybersecurity-skills-shortage-has-pushed-federal-agencies-to-poach-staff-from-one-another-says-commerce-cio/
15 https://thehill.com/policy/cybersecurity/580649-state-and-local-officials-celebrate-passage-of-infrastructure-bill-with/
16 https://www.route-fifty.com/tech-data/2022/10/1b-cybersecurity-grant-program-still-coming-focus/378482/
17 Many states already have cybersecurity committees that may meet this grant requirement.
18 https://www.nga.org/news/commentary/opportunities-for-cybersecurity-investment-in-the-bipartisan-infrastructure-investment-and-jobs-act/
19 https://www.cyber.nj.gov/
20 https://governor.nc.gov/media/2990/open
21 https://www.govtech.com/public-safety/us-secret-service-investigating-cyberattack-on-ohio-city.html
22 https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
23 For more information about hiring technical talent, see Talent Memo.
24 https://www.in.gov/cybersecurity/executive-council/
25 https://executivegov.com/2022/01/omb-unveils-federal-zero-trust-strategy/
26 A CISO hiring profile is included in Appendix A.
27 https://www.schev.edu/financial-aid/financial-aid/federal-state-financial-aid/workforce-credential-grant/cybersecurity-public-service-grant
28 State of Indiana, Security Director Interview 2022
29 https://sopa.tulane.edu/blog/cyber-hygiene
30 https://www.cisa.gov/cyber-essentials
31 https://www2.illinois.gov/sites/doit/Strategy/Cybersecurity/Pages/MFA.aspx
32 https://www.cisa.gov/publication/multi-factor-authentication-mfa
33 https://statescoop.com/cisa-makes-gov-domains-available-for-free/
34 https://statescoop.com/county-elections-websites-https-gov-mcafee/
35 https://www.naco.org/resources/naco-cybersecurity-priorities-and-best-practices
36 https://www.cisa.gov/publication/vulnerability-disclosure-policy-vdp-platform-fact-sheet
37 https://www.cisa.gov/sites/default/files/bod-20-01.pdf
38 https://www.gsa.gov/vulnerability-disclosure-policy
39 https://www.nga.org/wp-content/uploads/2020/05/MiC3-Memo.pdf