Whole-of-state cybersecurity is an approach that emphasizes partnership among different levels of government, educational institutions, tribal entities, and other organizations in the public and private sectors to mitigate cybersecurity threats. By breaking down governmental silos, this methodology enables entities across an entire state to share cybersecurity resources and information to improve their collective security posture.
Over the past few years, state and local governments have faced an unprecedented level of cybercrime. Ransomware attacks on state and local governments increased 485% in 2020. Local governments pay a brutally high price: the cost of rectifying a ransomware attack, including the costs of resources, downtime, lost opportunity, and ransom paid, averaged $1.64 million in 2021.
Many of these public-sector entities don’t have the internal resources, knowledge, and skills necessary to head off their attackers.
Whole-of-state cybersecurity allows state and local governments and their partners to pool their resources and collaborate to fortify their defenses against ransomware, supply chain attacks, and other cybersecurity threats.
Why is whole-of-state cybersecurity necessary today?
Whole-of-state defense is necessary today because of the increase in cyberattacks targeting state and local governments.
Typically, every jurisdiction handles its own cybersecurity with its own resources, but with varying levels of success. Differences in budgets, staffing, tooling, and so on can be determining factors in how successful a party is in fending off an attack. Given that a state’s different government entities are facing an expanding landscape of common threats, it makes sense for them to pool resources, share information, and work together to strengthen their digital defense.
What steps enable whole-of-state cybersecurity?
There are four main steps to enabling whole-of-state cybersecurity. They involve:
- Relationships. No one can survive the current onslaught of cyber threats going it alone. It has become essential to adopt a collective approach to cybersecurity that brings in all stakeholders and enables them to leverage their combined resources, knowledge, and expertise. It’s first necessary to build trust between individuals and departments. Listening is essential for all good communication; ask others what they need and how you can help them. From their feedback, you can start identifying commonalities across multiple relationships.
- Governance. As the relationships you build mature, you can start building more formal structures around them, such as establishing a place where stakeholders can gather to discuss issues and exchange information or developing a framework for making decisions. You may also start creating more formal agreements with each party—for example, writing a memorandum of understanding (MOU) that establishes a starting point for collaboration by defining the scope and purpose of the relationship.
- Implementation. Next, you’ll need a plan and funds to implement your new tools, policies, or other measures. Federal and state funding play a critical role during implementation. If there are limited-time federal funds or grants available, this is when to use them to jump-start and accelerate your plan, which will need to be sustained over the long term by state funding. The implementation phase is also where you should start working with your private partners. Strategize with all your vendors to find ways to save money and stretch budgets by pooling them together.
- Validation. The final step is to validate that what you put in place is working effectively. As you gain visibility into the other entities you’ve partnered with, you’ll be able to identify who is struggling and where the weak links are. Reach out and ask how the larger group can help. This may mean having someone in the same geographical area drop by to help strategize the solution to an issue or having your IT architect help solve a problem with one of their systems. This is the phase where the relationships established at the beginning of the whole-of-state process bear fruit.
What are whole-of-state cybersecurity best practices?
It’s important to follow a couple of best practices to ensure your whole-of-state approach is successful.
The first is to plan for long-term funding. While federal grant disbursements can supply a much-needed injection of cash for a fledgling project, they shouldn’t be relied upon to sustain the project over the long haul. Federal grants are offered on a time-limited basis, and once the funding stops, your whole-of-state efforts could stop along with it. Also, stakeholders will be less likely to participate in a whole-of-state cybersecurity plan, and support it with their resources, if it looks like it doesn’t have the funding necessary to be implemented effectively. It’s critical, then, to establish long-term state funding up-front.
The second is to have a collaborative attitude in your relationships with other entities. The best way to foster this attitude is to ask rather than tell other parties what they need. If you listen to their concerns and work together with them to find workable solutions, they’ll do the same for you. It’s this synergy more than any tool set or policy from which whole-of-state cybersecurity derives its effectiveness.
How is whole-of-state cybersecurity funded?
Whole-of-state strategies can be funded in different ways, but they are typically supported by federal and state outlays. Federal grants are a great way to jump-start whole-of-state initiatives. They can be used to get a project off the ground and prove out different tools and ideas that can then expand as the project progresses.
It’s essential that states also commit funds to keep whole-of-state cybersecurity initiatives going. States must start looking at their IT systems as critical infrastructure that’s equally as important as their roads, power grids, and water supplies. The public sector is entrusted with a treasure trove of information and data that make its entities a prime target for cybercriminals. The state must recognize this and provide sustainable funding to make sure its IT systems are being secured in perpetuity.
How is whole-of-state cybersecurity governed?
There’s no one way to govern whole-of-state security. You can establish a formal committee, as Louisiana Gov. John Bel Edwards did when he created a 15-member cybersecurity commission that includes members from the state’s law-enforcement agencies, local governments, major industries, and public universities. Alternatively, you can take an informal roundtable approach where everyone has an equal say.
Whatever governing structure the whole-of-state initiative adopts, the goal should be to bring all parties together to share information and best practices, discuss concerns and issues, and make decisions collaboratively.
It’s important to understand that in a whole-of-state approach, one size rarely fits all. Not every tool and every policy will work for every entity. The group may decide on implementing a particular monitoring solution, for example, but one entity may be contractually obligated to use another. In this case, the group may agree that the outlying entity will continue to use its monitoring tool until the contract term expires and then switch over to the tool used by the rest of the group. The governance model the whole-of-state participants choose will determine how to address conflicts like these and the way to strategize for the good of the group.
How do you measure whole-of-state success?
Whole-of-state success can be measured in several ways. If your group has established a framework and agreed on key principles, that itself is an indicator of success because it means the parties have stepped out of their silos and are communicating with each other and working together well.
Once the group has implemented its agreed-upon policies and tools, success can be further measured by how many parties are using them. This can reveal how well the group is cohering around its plan. You can also measure the effectiveness of your whole-of-state initiative by traditional system metrics like uptime, mean time to remediate (MTTR), and the number of security incidents. These are important indicators that can signal success when they’re trending in the right direction.
While these are all important metrics, perhaps the most accurate barometer of whole-of-state success is how many people or entities are participating in the initiative. The larger the group, the more powerful the network you’re building because everyone is now defending on the same page. Even if every group member isn’t actively adopting every policy and tool, they are at least participating in discussions and sharing feedback that helps bolster the group effort.
Relationships are the foundation whole-of-state is built upon, and the strength and effectiveness of those relationships are a reliable indication of the strength and effectiveness of your initiative as a whole.
How does information sharing affect a whole-of-state plan?
The gathering and disseminating of information is critical for combating cybercrime. By sharing information, all stakeholders can improve their cybersecurity posture and, by extension, the collective security posture of the group.
Threat intelligence—aggregated and analyzed data that helps defenders understand a threat actor’s motives, targets, and attack behaviors—is particularly important because it helps organizations make better cybersecurity decisions and shift from a reactive to a proactive security posture. Some threat intelligence data, such as malicious IP addresses and domain names, is easy to automate and can be found via free and open-source data feeds. Other types of threat intelligence, such as a threat actor’s motivation or behavior, require human resources and analysis.
One of the easiest ways for whole-of-state initiatives to receive and act on threat information is to take advantage of the Multi-State Information Sharing and Analysis Center (MS-ISAC). It’s an around-the-clock security operations center (SOC) that provides intelligence, detection, and response assistance to state and local governments.
Some of the benefits MS-ISAC offers include incident response and digital forensics services, a weekly report of top malicious domains and IPs, access to its Malicious Code Analysis Platform (MCAP), and access to the Malicious Domain Blocking and Reporting (MDBR) service, which blocks ransomware. Membership is free and open to employees or representatives of all state, local, tribal, and territorial (SLTT) entities.
How do cyber command centers enhance whole-of-state operations?
A cyber command center formalizes whole-of-state principles and functions in a centralized hub. Arizona Gov. Doug Ducey recently launched his state’s cyber command center, which will operate as the headquarters for coordinating Arizona’s cybersecurity operations. It provides a centralized location from which cybersecurity professionals and local, state, and federal agencies can share information and prevent and respond to cyberattacks.
While Arizona’s cyber command center is one of a kind, every U.S. state and territory has at least one fusion center. These entities are state and locally owned and operated, and they serve as hubs for communicating threat-related information across the federal government, SLTT entities, and private-sector partners. A fusion center may serve a major urban area or an entire state, and each is a vital resource that governments and their partners can lean on to support their whole-of-state initiatives.
How does a whole-of-state model shape incident response?
Incident response in a whole-of-state model leans into outside services and organizations when necessary. When the Colorado Department of Transportation got hit by a ransomware attack, for example, the state’s IT leaders brought in the National Guard and its emergency management office and leveraged their cyber expertise and crisis-response skills, respectively. This allowed the parties to approach the problem with an organized battle plan rather than improvising a response.
What are the benefits of a whole-of-state strategy to the state and those participating?
The primary benefit of a whole-of-state strategy is increased visibility. Various sectors of government often face common threats but don’t communicate enough for any of them to combat those threats effectively. Once they start sharing information, they have more data to act upon, which helps secure more assets, make better decisions, and respond to threats more quickly.
Another benefit is access to more resources. By pooling funding, parties can acquire a better class of tools, employ full-time rather than part-time roles, and make other cybersecurity improvements at no additional cost.
How does a whole-of-state approach address today’s IT and cybersecurity workforce challenges?
Whole-of-state enables municipalities to overcome workforce challenges through their partnerships with community colleges and universities. Texas, for example, recently created a regional security operations center (RSOC). Students in these programs get real-world IT experience monitoring complex systems using cutting-edge tools and gain a leg up when they enter the workforce after graduation.
The organization gains 24/7 coverage it otherwise could not afford and the confidence of knowing it has trained people actively watching over its systems. It’s another example of how whole-of-state benefits all involved parties.
How can states develop their own whole-of-state goals?
States can develop their own whole-of-state strategy by taking the following steps:
- Start talking about it. Whole-of-state starts by reaching out to other parties, fostering communication, and identifying common challenges. This lays the foundation for governance.
- Knock down the challenges. Implement your strategy and validate that it’s working. Tackle one challenge at a time, and build on each success to increase confidence and motivation.
- Be patient. No cybersecurity strategy is easy, and attempting to develop one with this level of coordination can be especially challenging. Be patient and understand that there will be some stumbles along the way. Setbacks don’t mean the strategy won’t be effective in the long run. Just keep moving forward toward your goal and the successes will come.
- Keep building relationships. Each time you run into a challenge you don’t know how to resolve, it means there’s a person out there you haven’t talked to yet. Keep building new relationships to ensure continued success. Private-sector partners are particularly valuable for this, as they have more resources and can help you find someone who can bring a new perspective to your problem.
What do successful whole-of-state strategies look like?
Several states are embracing a collective approach to cybersecurity. Some of the more successful examples include:
- Arizona. As mentioned, Arizona has established a statewide cyber command center, a project four years in the making. In a move that further shows its commitment to a whole-of-state cybersecurity strategy, it moved its CISO to the Arizona Department of Homeland Security, where he is director of the agency and reports directly to the governor.
- New York. New York City Cyber Command has included ordinary citizens in its whole-of-state strategy. It rolled out the NYC Secure App, which delivers free real-time protection to users’ mobile phones. It also partnered with Quad9, a free cybersecurity platform that replaces the default internet service provider or enterprise domain name server configuration to secure 3,000 public Wi-Fi access points across the city. And it has partnered with the city’s small-business services office to deliver basic cyber hygiene information to the business community.
- Virginia. In York County, the IT department is working with the Department of Elections to share basic cybersecurity guidance with all jurisdictions. The deputy director of information technology has engaged directly with small businesses and through a small-business regional development center to deliver information on cybersecurity basics. He provides citizens with similar information, such as how to secure personal information online.
What are some lessons learned by those who have adopted whole-of-state cybersecurity?
The main lesson is that in a whole-of-state approach, you need to let people control their destiny. It’s tempting to tell people what they need to do to solve a particular problem or push them to use a specific tool because it’s best-in-class. But that will just result in poor tool adoption and policy compliance. Asking people what they need and listening to their feedback are key to fostering a collaborative environment and determining the ultimate success of your whole-of-state strategy.