Early in September, Suffolk County, New York’s fourth-largest county, suffered a ransomware attack that brought down the county’s 911 system and other services and nearly led to a leak of more than 4 terabytes of stolen data. In October, Russian-speaking hackers targeted New York’s La Guardia Airport, only months after Chinese government–backed hackers breached the networks of at least six other U.S. state governments.
In the first six months of 2022 alone, 27 attacks against U.S. public-sector entities led to almost $220 million in ransomware payments. These attacks show no signs of slowing down.
Public-sector organizations stand a much lower chance of defending themselves against cyberattacks when they work in isolation. But when they join forces to develop a whole-of-state strategy across state and local levels in partnership with the private sector, the odds begin to shift in their favor.
My recent appointment as vice chair of the New York State Forum, a public-private IT collaboration working across state agencies, counties, and cities, gives me a unique vantage point on the situation. The forum’s security workgroup has adopted whole-of-state as a key topic and is currently seeking event speakers to educate, collaborate, and share ideas.
Whole-of-state cybersecurity is an approach that emphasizes partnership across departments and agencies to mitigate cybersecurity threats. By breaking down government silos, this methodology enables entities to share cybersecurity resources and information to improve their collective security posture.
Suppose one county is under attack. With a whole-of-state strategy in place, security and IT operations staff across the state can quickly share information about how to defend their respective organizations and prevent attacks from taking hold.
One of my main goals for the New York State Forum is to help public and private organizations come together to meet complex IT challenges. On the public side, participants include cities, counties, and the state, as well as educational institutions, tribal entities, and other organizations in the public sector. On the private side, we have roughly 90 member companies, ranging from the smallest startups to the largest systems integrators.
The forum is a place for IT leaders and staff to collaborate and build relationships as they tackle tough problems, like how to create a single identity framework across all state services and how to defend against constantly shifting cyberattacks.
That said, the approach is not easy. In a large state like New York—with 62 counties, hundreds of cities, and scores of public-sector organizations—I have seen four main challenges to implementing a whole-of-state approach.
1. Overcoming politics
Some people think there’s nothing political about cybersecurity—that networks serve everyone regardless of their political affiliation. And that’s true. Even so, local governments sometimes haven’t accepted help from the state because of political differences. But that can change quickly when government leaders see their neighboring counties struggle with disruptions of services following an attack.
Public-sector organizations stand a much lower chance of defending themselves against cyberattacks when they work in isolation.
I’ve also seen some reluctance to share information about vulnerabilities. Few organizations want to share information about a ransomware attack, only to be held up as the poster child for how not to defend a network.
Part of my mission at the forum is to help build trust among the participants in our whole-of-state strategy—trust that the experts will listen to local IT staff, that their willingness to share failures won’t be punished, and that information will be shared openly. I want to build trust by bringing people together and encouraging them to work together to solve problems that affect us all.
2. Attracting and retaining talent
A major challenge for public-sector organizations is attracting and retaining cybersecurity talent. According to the New York section of the talent gap map at Cyberseek.org, more than a third of all cybersecurity positions in New York state are not being filled, despite the fact that entry-level information security analysts in the state can earn more than $121,000 a year—higher than any other state in the union.
“There’s an underworld of consultants who work gig-to-gig with their IT talents, cherry-picking the best opportunities for the best hourly rate,” says Kevin Carpenter, senior director of business development for MVP Consulting and the former chair of the New York State Forum’s IT Corporate Roundtable. “During the Covid pandemic, as work-from-home became the norm, finding talent from outside of one’s area code brought experience and skills not available in the past. Now as we come into the post-pandemic world, much of this talent has decided, ‘No, I don’t want to sit at a desk in Albany like I used to,’ and they are resigning in droves.”
Even the most altruistic cybersecurity professionals will choose what’s best for their careers and their families. If the public sector can’t provide for their needs, the talent will go elsewhere. One of the benefits of a whole-of-state strategy is that, by working together, smaller public-sector entities can gain access to highly trained cyber experts—without having to put them on the payroll.
3. Achieving standardization
Also challenging is a lack of standardization across most states in the ways they defend against cybercriminals. Clearly, there is no one method to ensure cybersecurity. But coming together gives participants the opportunity to create unified standards, such as what skills to hire for, how to map each organization’s attack surface, and how to collect attack-related data. If your state has 50 different ways of doing something, it becomes much harder to act quickly—or at all.
The private sector has a large role to play in creating standards. The best technology companies come together with the public sector and offer solutions that can be readily integrated into disparate systems.
4. Securing more funding
Implementing a whole-of-state strategy is not free. While much of the up-front work involves building relationships and trust, at some point organizations need to install tools and technology. We’re fortunate in New York, because the state has earmarked $61.9 million for cybersecurity measures in the 2023 state budget and another $30 million to help local governments deploy high-quality cyberdefenses. In October, Gov. Hochul announced an additional $246 million in federal funding to combat, among other threats, cyberattacks on the state’s election system.
[With a whole-of-state approach,] leaders gain access to high-quality cybersecurity skills without having to add headcount—and they might even save money on their cyber insurance premiums.
Whole-of-state advocates can also turn to the federal government’s $1.2 trillion infrastructure bill, which boosts government cybersecurity spending by nearly $2 billion. State, local, tribal, and territorial governments can use the funding to better protect sensitive data and critical infrastructure, respond faster to cybersecurity intrusions, and take other steps to shore up cyberdefenses. States that build relationships among their state and local entities can pool their funding to achieve common goals.
Making whole-of-state a reality
In the past, many public entities have been reluctant to improve cybersecurity as much as they need to. The threat of ransomware attacks has gotten their attention, but so has the increased cost of cyber insurance. This year, New York’s Clinton County paid almost $50,000 for its cyber insurance coverage. The county’s insurer told executives to expect an estimated premium of $72,000 for 2023, an increase of nearly 50%.
An important way for public entities to avoid such astronomical increases is to prove that they’re taking concrete steps to combat cyberattacks—and have the data to back that up. State colleges, universities, and laboratories that get external funding are also finding that many funding agencies are beginning to require the same kind of proof. Working together with a whole-of-state strategy, public entities can learn how to reduce premiums by, for example, implementing multifactor authentication, risk scoring, and improved data collection.
As organizations build a whole-of-state strategy, they can start by sharing basic cyber hygiene practices, then move on to sharing tools and technologies and working together to develop cyberdefense strategies. Finally, they can help each other stop cyberattacks in real time. In the process of collaborating, leaders gain access to high-quality cybersecurity skills without having to add headcount—and they might even save money on their cyber insurance premiums.
At the moment, the nation is divided, and this division can keep us from mounting a unified defense against our foes. If our country were being attacked by a conventional military force, we would put aside our political divisions and work together as Americans. The cyberattacks we are experiencing across the public and private sectors at all levels of government are in fact a form of modern warfare.
To respond to rapidly escalating threats, security leaders from public-sector organizations across a state must come together with their peers—from the lowest level to the highest—to listen to each other, help each other, and build relationships. While technology is very important, a collaborative mindset is even more critical. By adopting a whole-of-state strategy, leaders can accelerate their shared journey toward a robust security posture that is capable of meeting the looming threats.