Coordination key to state cyber responses
Connecting state and local government leaders
State officials tell Congress on how they are preparing for (and responding to) cyberattacks.
Several state officials came to Capitol Hill on May 24 to discuss their cybersecurity challenges and provide Congress with insights into their practices and successes.
Like their federal counterparts, state cybersecurity teams are challenged by the velocity and variety of threats, which are growing in sophistication, Connecticut CIO Mark Raymond told a joint House Homeland Security subcommittee panel. “The top three are malicious code, hacktivism and zero-day attacks.”
One way to address those threats is through automated cybersecurity solutions, which can help in two ways, said Raymond, who also serves as the vice president of the National Association of State CIOs. They can act on threat data at machine speed, and they can help reduce demands on government security staff, which are already in short supply.
Uneven software quality also puts strain on cybersecurity teams, according to retired Brig. Gen. Steven Spano, who now runs the Center for Internet Security. Acknowledging that for software vendors “ to get the speed and agility” they need to compete, beta releases are inevitable. Yet “ many of the software products are coming out of the box with inherent vulnerabilities… and require a lot of lift” to sustain them, he said.
Although budget and staffing constraints have put states on the defensive, information sharing -- with both local and federal authorities -- has allowed them to be better prepared against known threats, Raymond said.
One resource several panelists cited is the Multi-State Information Sharing and Analysis Center (MS-ISAC), a 24x7 cybersecurity operations center that provides real-time network monitoring; early cyber threat warnings and advisories; vulnerability identification; mitigation; and incident response for state, local, tribal and territorial governments.
If there were an attack in Connecticut, “our first call is to the fusion center and to MS-ISAC in terms of coordinating our events,” Raymond said. “Then we will pull together a cyber response team that includes both Homeland Security and my office.”
The Port Authority of New York and New Jersey has a cybersecurity operation center “that would likely be either the initial point of contact or the discovery point for a potential incident,” Port Authority CTO Robert Galvin said. “We would assess as much as possible the depth of the breach before reaching out – we would certainly contact MS ISAC… and if we identify that the breach involves personally identifiable information or something of that sort, we would initiate a call to the FBI.”
If there is a criminal component to a cyber intrusion in California, the state police have a cyber crime investigation unit that will take the lead, according to Mark Ghilarducci, director of emergency services in the California governor’s office.
Raymond highlighted additional examples of how other states have tackled incidents in his written testimony. Michigan’s “whole community” approach, for example, prompts critical infrastructure owners and operators “to address data backup, disaster recovery/business continuity, equipment shutdown, communications and activation of a cyber disruption response plan.”
Massachusetts, New Hampshire and Rhode Island, meanwhile, have worked together to develop a comprehensive cyber response plan that “outlines how cyber responders will support industrial control system structure in each jurisdiction, how critical cyber incident information will be shared and how IT organizations can support public safety and each other,” Raymond wrote.