Why Governors Are Your Cybersecurity Allies
By David Forscey, Senior Policy Analyst, Cybersecurity, Homeland Security & Technology, National Governors Association
This summer, North Dakota Governor Doug Burgum announced a new partnership with a California cybersecurity company that donated $1.6 million to expand cybersecurity education at Bismarck State College. Public-private partnerships like this are essential if businesses and communities are to deter, detect, and thwart attackers. Readers know that cybersecurity is not an IT problem; it is a core business challenge demanding constant attention across the enterprise. Likewise, cybersecurity is not solely a private sector problem. The federal government deserves credit for its longstanding initiatives to build stronger relationships with the private sector, but these efforts suffer from a fundamental weakness: most businesses reside outside of Washington. Security firms and the infosec community more broadly should look to governors as the true drivers of a whole-of-nation approach to cybersecurity.
"The coming months present an opportunity for the security community to educate a new class of governors who want to keep their citizens safe, promote innovation, and execute a whole-of-nation approach to cybersecurity"
Businesses lack clear authority to pursue criminals and nation-state adversaries and rely on law enforcement to identify and pursue perpetrators. Resource constraints mean that federal investigators can only pursue a relatively small number of the most serious cybercriminals. As a result, governors are building out state computer crime units. One standout example is in Michigan, where Governor Rick Snyder established the Michigan Cyber Command Center (MC3) within the Michigan State Police to modernize and coordinate computer crime investigations. For businesses large and small, stronger ties with state police can smooth the process of incident response.
Building communities that are resilient to the nightmare scenario—a high consequence cyber disruption that interferes with day-to-day life—depends on close consultation between private enterprise and state offices. Governors understand that perfect security is impossible, and they are positioning their states to respond quickly and efficiently if ambitious attackers succeed. In March, Governor John Hickenlooper made history when he activated the Colorado National Guard to help beat back a ransomware attack on the Colorado Department of Transportation. Massachusetts recently finalized a formal Emergency Support Function to organize statewide, public-private response to cyber-related emergencies. In May, Wisconsin Governor Scott Walker’s cybersecurity and emergency management agencies teamed up with energy companies to test how the state would respond to a cyberattack that caused a long-term, statewide outage of the electric grid. Other states have formalized their own statewide cyber disruption response plans. Private executives can simultaneously safeguard business functions and serve the broader public interest by collaborating with state planners in this area.
Governors are also forging ahead in an area where Washington remains paralyzed: cybersecurity legislation. Amid widespread concern that insecure IoT devices pose growing risks for the Internet ecosystem, Governor Jerry Brown this month signed legislation requiring manufacturers of connected devices to issue reasonable cybersecurity measures by 2020. Ohio Governor John Kasich broke new ground with the Ohio Data Protection Act. This first-in-the-nation law aims to incentivize best practices by creating an affirmative defense for companies who are subject to civil suit resulting from a data breach. Whether one opposes or supports mandatory cybersecurity standards, engaging with governors’ offices is essential for those who want to shape rules and regulations.
Reaching out to governors’ offices may seem daunting for some, but avenues for engagement exist. In Indiana, Governor Eric Holcomb’s Executive Council on Cybersecurity included private sector participation from across the state. The Council’s new Cybersecurity Strategic Plan contains detailed implementation plans—many developed by private experts who volunteered their time— for protecting every sector of critical infrastructure and building a better cybersecurity workforce pipeline. Either through executive order or legislation, over 20 other states have established their own cybersecurity councils, commissions, or task forces. Governor Dannel Malloy’s cybersecurity team has spent the past two years working closely with state utilities to understand how critical infrastructure owners and operators are defending themselves, publishing annual reviews that educate the public without disclosing sensitive security information. State bodies such as these are eager to connect with executives and technical experts to identify how the state can better protect the public welfare and support private enterprise.
This November will mark the conclusion of thirty-nine gubernatorial races. At least eighteen of the victors will be first-time governors. The coming months present an opportunity for the security community to educate a new class of governors who want to keep their citizens safe, promote innovation, and execute a whole-of-nation approach to cybersecurity. Exploring how your company can engage with governors and state agencies should be a top priority.