‘No middle ground’: State, local collaboration essential to cyber defense

In August, New York Gov. Kathy Hochul unveiled the state’s first ever statewide cybersecurity strategy in a bid to protect its digital infrastructure from cyber threats foreign and domestic.

Describing the strategy as a “nation-leading blueprint,” Hochul said the strategy clarifies the roles each state agency plays in protecting cybersecurity, outlines how its various existing initiatives provide a unified approach and emphasizes New York’s commitment to helping its county and city governments respond to threats.

An “interconnected world demands an interconnected defense leveraging every resource available,” Hochul said in a statement. That interconnectedness is foundational to New York’s whole-of-state approach to cybersecurity, which has at its core intergovernmental collaboration and better information sharing.

“We can either succeed together or we can fail separately—there's no middle ground,” New York Chief Cyber Officer Colin Ahern said during a recent GovExec webinar.

The whole-of-state approach emphasizes partnerships across state, county and municipal governments as well as between the public and private sectors. It acknowledges common risks and encourages sharing resources to reduce financial burdens.

The cybersecurity strategy ensures every stakeholder in the across sectors is pulling in the same direction, towards a “unified, resilient and prepared state,” Ahern said. It has five pillars: operating government networks securely and resiliently, regulating critical industries, communicating cyber advice, investing in a cyber workforce and collaborating with key stakeholders through shared services. 

Those shared services include the state’s Joint Security Operations Center, which is a hub for cyber threat detection and response in New York and provides a variety of cyber defense tools and training, including threat monitoring and analysis, endpoint detection and tabletop exercises to prepare for the next incident.

When it comes to working with city and county governments in the state, “we're not seeking to put up a wall and say, ‘You'll do this, and I'll do that,’” Ahern said. “That's an agreement not to work together. What we're saying is, we're going to do things together that we could not do separately.”

The effort to bring governments closer together on cyber defense and preparedness has meant a lot of engagement, he said, and “meeting people where they are,” or understanding their experiences to learn how they can better work together in the future.

And Ahern pointed to the economic argument for a whole-of-state approach to cybersecurity. To keep up with the cyber threats New York faces will require engaging with academic institutions at all levels to produce a trained workforce. 

The state will look at new ways to get people into the cybersecurity workforce, including by potentially changing some educational requirements in a bid to widen the talent pool and encouraging other pathways like fellowships, Ahern said. There are a “lot of ways to be a cyber professional,” he added.

That effort has gotten underway with inspiration from the White House, which earlier this year released its National Cyber Workforce and Education Strategy to try and attack the nationwide shortage of cyber workers. It is imperative for the federal and state governments to coordinate on those efforts, Ahern said, to ensure governments at all levels are working toward the same goals. 

We want to be “training the next generation of cyber professionals who we think will carry this discipline forward,” he said.

Other states have taken a similar whole-of-state approach to cybersecurity. Arizona’s cybersecurity strategy also embraces leveraging partnerships between the various levels of government and creating efficiencies where possible in the use of vendors. 

The concepts of interconnection and shared risk sometimes means that local governments can get access to state-level tools

Ian Milligan-Pate, area vice president of state, local and education at security company Zscaler, said these whole-of-state programs show how reliant local governments are on the state in areas like cybersecurity, and that funding for those programs must be “top down.”

“If you can go to the municipalities and the smaller counties and offer these kinds of programs in a box, where it's funded, the architecture is fully baked and you bring them the resources to implement it, they're very receptive to that,” he said during an interview at the National Association of State Chief Information Officers’ annual meeting in Minneapolis last week.

Sometimes, he said, larger cities may resist statewide mandates for specific products or services because they have their own staff and resources and “don’t want the state in their business.” But information sharing can help get the larger municipalities engaged, whether it be within the state or through the national Multi-State Information Sharing and Analysis Center, which works to increase communication across state, local, tribal and territorial governments.ns through coordination, collaboration, cooperation, and increased communication.

The biggest issue for implementing any whole-of-state strategy is money, even as federal cybersecurity grants for state and local governments continue to be doled out. 

“If you talk to the state CISOs, most of them have the vision,” said Milligan-Pate. “They have the plans; they know what they need to execute on. They know how to do it; they may need more resources from a program management and implementation standpoint. But there's this massive funding gap."

Ahern said if leaders want to develop their own cyber strategies and embrace the whole-of-state approach, the best time to start is now.

“Ultimately, this is a shoe leather issue,” he said. “This is a relationship business. Yes, this is about computers. But this is about services to residents.”