The National Governors Association’s 2021 Summit on State Cybersecurity
States look for partnership (up, down, and sideways).
This month the governors of the US states of Arkansas and Louisiana joined other cyber leaders at the National Governors Association's (NGA) fourth biennial National Summit on State Cybersecurity to discuss "ways to improve the resilience of state systems, including schools, elections and other infrastructure." Louisiana Governor Edwards and Arkansas Governor Hutchinson co-chair the NGA’s Resource Center for State Cybersecurity, founded in 2012 to promote best practices. The NGA was founded in 1908 to connect US state and territorial governors.
Partnership was a recurring theme of the summit, which touched on the role of governors, the FBI, state CISOs, educators, industry, and legislators.
In days one and two of the event (which were closed to members of the press), stakeholders from all fifty-five territories and states participated "in a series of interactive sessions sharing innovative solutions to address the evolving threat landscape."
Edwards opened the January 21st portion of the event with a prerecorded speech addressing “governors' priorities” and recognizing the five winners of the NGA Cyber Competition, which was sponsored by the Cybersecurity Youth Apprenticeship Initiative and tested high schoolers’ “knowledge on general trivia, cybersecurity, and problem-solving skills.” Nearly fifteen-hundred students participated, and the winners, all male, said they “learned a lot” from the contest. Edwards connected the competition to the 500 thousand unfilled cybersecurity positions in the US.
As for governors’ priorities, Edwards urged others to implement a “validated” cyber emergency preparedness plan, plugging his Louisiana Cybersecurity Commission and its statewide incident response plan. Thanks to these preparations, the state was able to curtail the 2019 ransomware attacks on Louisiana schools with the help of the National Guard and state police.
The Feds can’t help you if they don’t know you’ve been hit.
FBI Deputy Assistant Director of Cyber Policy Tonya Ugoretz delivered a prerecorded message on the importance of looping in the FBI when experiencing a cyberattack. Just like physical break-ins, virtual break-ins are a crime, and need to be treated as such. Using its particular set of skills, the FBI can help identify the perpetrator and his motives—which might otherwise be opaque to organizations—and prevent future incidents. Ugoretz explained that the FBI “can use an array of tools, pivot in multiple directions, and support a broad range of partners responsible for both network defense and for going on offense.” The agency’s toolkit includes classified intel, criminal legal processes, national security mechanisms, confidential sources, and foreign alliances.
An ongoing goal of law enforcement is changing threat actors’ cost-benefit analyses by “imposing risk and consequences” that “make it harder and more painful” to break the law. Ugoretz wants your help in bringing the pain. Your point of contact should be the cyber task force (CTF) at your local field office. Noting that “cyber is not just for the IT department anymore,” Ugoretz also encouraged state and local officials to pursue cyber trainings, like the one the FBI is developing in partnership with the Secret Service, for law enforcement officers.
State cybersecurity trends.
National Association of State Chief Information Officers (NASCIO) Director of Policy and Research Meredith Ward reviewed what we can learn from the 2020 NASCIO-Deloitte Cybersecurity Survey, which "provides the most comprehensive analysis into the state of state cybersecurity." All fifty state CISOs participated in the biennial survey.
Respondents identified legacy structures, along with staffing and funding deficiencies, as the primary obstacles. While Federal agencies spend an average of sixteen percent of their IT budget on cybersecurity, states spend roughly two percent. Ward advised CISOs to shoot for five percent, and to continue to push for a seat at the table. A majority also reported insufficient collaboration with local governments, and a supermajority reported a lack of confidence in local governments’ cybersecurity practices. Ward encouraged CISOs to build bridges and look out for the little guys, saying local governments often aren’t aware of available offerings or the proper point of contact.
Thirty states, up from ten in 2018, identified financial fraud as a major cause of breaches, while hacktivism, external web applications, and malicious code took first, second, and third place, respectively. States named identity and access management as a top priority, second only to risk assessment, in another evolution from 2018.
Finally, Ward advocated for increased centralization as a way to reduce risks (while an audience member questioned whether centralization would diminish local governments’ voices), pointing to the following advantages: accelerated adoption of best practices, easier distribution of Federal funding, elimination of redundancies, smoother operations management, and improved opportunities for cross-training. Ward noted that some states will never go for centralization, sharing an industry joke, “If you’ve seen one state, you’ve seen one state.”
NSA sends the states some love (and some actionable information).
NSA Deputy Director of Cybersecurity David Luber spoke on the agency’s shift towards greater transparency with the Cybersecurity Directorate. On the realization that partners won’t act on information if they don’t trust its source, the Directorate made efforts to emerge from “the shadows” and blossom as a “public-facing organization.” Strategic changes included taking credit for accomplishments and opening a Twitter account. Luber encouraged interested parties to check out the Directorate’s first annual Year in Review product.
Luber also touched on the importance of assuming a risk-based approach. The NSA, for example, is partnering with the military and Defense Department to protect “twelve key weapons and space systems” chosen for their vulnerability or consequence in an initiative called the Strategic Cybersecurity Program. Luber urged listeners to adopt a “stop assessing; start addressing” mindset and prioritize supply chain vulnerabilities.
The Deputy Director’s third point concerned the value of public-private collaborations. Highlighting the good work of election security partnerships, he expressed a desire for “continuous, agile information sharing…in real time” between local, state, and Federal stakeholders, calling cybersecurity the “ultimate team sport.” Since defeating APT actors requires cooperation across law enforcement, intelligence agencies, and private sector groups, Luber said the NSA is leading the way by providing enhanced assistance to the defense industrial base and creating a Cybersecurity Collaboration Center.
The role of the Legislative Branch.
Senator Hassan (Democrat of New Hampshire) offered a prerecorded talk on her legislative priorities. Calling Solorigate “extremely concerning” and a “sobering reminder about the vulnerabilities in our systems,” she named mapping and remediating the breach a top concern. One step would be the “supercharging” of private, state, and Federal coordination. A cyberattack on a city or hospital is a cyberattack on us all, she said, given the interdependency of our systems.
Hassan described the path forward as twofold: more funding, and smarter strategies. Resource constraints inhibit state and local governments’ resilience and their ability to modernize, and Hassan sees a role for the Federal government in remedying those constraints. She touted the IoT Cybersecurity Improvement Act and a National Defense Authorization Act provision giving each state a Federally funded cybersecurity coordinator as positive developments, and previewed a grant program that would boost state initiatives and a bill that would authorize states to use the National Guard for cybersecurity purposes.
Workforce development, and the temptations of credentialism.
A panel composed of Hutchinson, former Secretary of Homeland Security Janet Napolitano, Amazon Web Services VP Teresa Carlson, and CompTIA CEO Todd Thibodeaux discussed workforce development, moderated by NGA Center for Best Practices Director Timothy Blute. Hutchinson noted that Arkansas was the first state to require public high schools to offer computer science. Course enrollment jumped from one thousand to ten thousand following the mandate, bolstering the state’s cyber reputation and its appeal to industry. He called out teachers’ difficulty recruiting cybersecurity professionals as guest speakers as one of the biggest educational challenges.
Napolitano said enticing students into public sector roles, while competing with private sector incentives, is another big challenge. UC Berkeley is working on a Technology in the Public Sector program, but it needs greater support from industry in terms of grants and internships for those who commit to public service. Students also need greater exposure to what public sector roles entail. Thibodeaux held up the Defense Department as an example for other agencies to follow, noting that the Department mapped out the onboarding pathways to its information assurance roles.
Carlson said her team is committed to cultivating a workforce able to protect our technological infrastructure. Partnership between companies and institutions of higher learning is one way forward, as is continuous credentialing, a necessity given the “unbelievable” pace of innovation in the tech sector. If “not run and managed properly,” that innovation “can create risk,” she said. Amazon Web Services offers a total of five-hundred free courses, to this end.
Thibodeaux shared an interesting statistic: of the 12 million people employed in technology in the United States, roughly half work for non-tech organizations. Thousands of subject matter experts assist his organization with tech job task analyses to distill the required knowledge and skills, and to backwards-plan curricula, exams, and career paths, including the necessary credentials, sequence, cost, and time. One workforce development challenge Thibodeaux mentioned is the lack of alignment between what universities prepare students to do and what jobs require of them. He said schools oftentimes teach only fifty percent of what industry says it needs. He urged institutions of higher learning to listen to the private sector and “take advantage of all the work” it has done on this problem.
Thibodeaux identified the main clog in the talent pipeline, however, as a “confidence gap”: a widespread belief that all cyber jobs require deep STEM expertise—when in actuality, several months of quality training is sufficient for many roles. He encouraged employers to open their doors to employees who need a little investment, saying the ROI will be worth it. He shared a success story from 2020, where CompTIA partnered with Texas using CARES Act funding to run a twelve-week boot camp in border communities. All participants secured jobs at the conclusion of the program, including one individual with no degree who landed a six-figure position.
Hutchinson chimed in that “the intimidation factor” also affects teachers, and the state overcame it through leadership and financial incentives. Six years ago, only twenty individuals were certified to teach computer science. Today, there are enough teachers for every high school in the state. Some were inspired to join up by the governor’s rallying cry; others were likely motivated by the accompanying stipend. Hutchinson’s next goal is mandating computer science courses for graduation, a goal that will require even more certified teachers.
Thibodeaux noted that CompTIA is currently piloting a prefabricated solution to the teacher shortage that would enable non-expert “facilitators” to lead computer science courses with the support of CompTIA’s tools and materials.
Napolitano transitioned to addressing the question of how to cultivate workforce diversity, a challenge she said requires “persistence and intentionality,” explaining that “you go where those diverse communities are, you go to the high schools, you go to the community colleges, you go to your four-year institutions.”
Carlson added that the focus of hiring managers should be skills (hard and soft), not degrees, and highlighted retention as another crucial investment. While 600 thousand women exited the workforce during the pandemic, her company faced no retention issues, because they led with grace and flexibility, and offered opportunities for advancement. She recommended open communication, sharing that Amazon runs instant polls.
Thibodeaux recognized the outgoing Administration for expanding alternative credentialing pathways. He mentioned that employers sometimes view those educated by alternative means as “broken” or “lesser,” arguing that it’s incumbent upon industry to stop being discriminatory and to recognize that not all individuals have the opportunity to attend college. Some companies like Google and Amazon are taking the lead in that regard, opening positions to people without four-year degrees. No CompTIA positions require a degree. Thibodeaux emphasized that most cyber work is mid- or entry-level, and oftentimes companies unnecessarily exclude candidates that are perfectly qualified for the job. He added that it should not—and does not—require a four-year degree to switch fields.
Hutchinson agreed that career shifts should be easier, sharing that his state has revamped grant programs to allow non-traditional students access and partnered with organizations like Women Who Code.
Carlson said states should take advantage of this moment to “prioritize cybersecurity,” and that companies “stand ready to support” them. She said governors should swap best practices so as not to reinvent the wheel fifty times; improving internet access is one such practice, so that trainings can reach people where they are.
Hutchinson reiterated the value of high-speed internet access in rural areas, then offered an important last word: “we think of these as tech jobs. They’re ‘technical skills.’ But we also have to expose…those that are entering this field into the realm of policy and ethics. I think you’re going to see that as an ongoing debate in the coming years…It is a part of this educational system…how we conduct ourselves on this global enterprise called the Internet.”