While many cybersecurity recommendations have focused on the activities of the federal government, AFCEA Cyber Committee members recognize the role of state and local authorities in information security. Credit: Shutterstock/ESB Professional

Cyber Defense Starts Locally

The Cyber Edge
January 22, 2021
By Maryann Lawlor

Experts recommend digging deep to protect information from the bottom up.

The cybersecurity of civil government, critical infrastructure and business infrastructure remains uneven. Worrying reports of ransomware affecting city and county governments as well as local health care organizations have put leaders, administrators and infrastructure operators on edge.

In the second of its Strengthening the Nation’s Cybersecurity Strategy white paper series, AFCEA International’s Cyber Committee members share their recommendations about improving state and local cybersecurity. Similar to the first white paper, it offers observations about both current strengths and possible solutions to weaknesses.

Among its proposals, the white paper’s authors point out that states and cities have a place to turn when forming their cybersecurity plans. For example, a capability exists at the federal level to share information between state and local officials regarding best practices. The Cybersecurity and Infrastructure Security Agency (CISA) points to the National Infrastructure Protection Plan 2013, which includes a section about the state, local, tribal and territorial government coordinating council and how it can serve as a flagship for local leaders.

Although this approach increases the amount of data localities receive, a surge of information also can cause challenges. What is needed are good models for organizations and programs to help them consume and apply data where the rubber meets the road, the committee members agree.

Two-thirds of states have already created a strategic plan for cybersecurity; most have adopted a whole-of-state approach characterized by collaboration among state agencies, local governments, utilities, private companies, universities and other stakeholders. COVID-19 has accelerated interaction and collaboration on security between state and local governments, with nearly half of states planning to expand the services they offer to local governments in 2021.

But a one-size-fits-all model doesn’t exist for governance of cybersecurity at the state, local, tribal and territorial levels because their members vary in size and complexity, cyber capability and need. The committee points, however, to the approach embodied in South Dakota’s cyber plan as a model that states may wish to study and from which they could design their own organizational and programmatic initiatives.

Each link in South Dakota’s cybersecurity program offers practical information about the services covered, including clients served; services provided; client responsibility; investment costs; staffs; training requirements; security software; software maintenance; cost-saving tips; and service rates. States and counties can build a useful program architecture from this template, expanding or changing it to suit their needs.

Defining the scope of a utility company’s cybersecurity strategy can be complex, but clarity can help drive effective collaboration. The National Association of Regulatory Utility Commissioners points to the clarity with which the Washington Utilities and Transportation Commission (UTC) expressed the intent of its cybersecurity strategy. The commission succinctly outlines its strategic cybersecurity goals in its overarching mission statement, which describes its goal as protecting the people of its state by ensuring that investor-owned utility and transportation services are safe, available, reliable and fairly priced.

To ensure its mission when considering cybersecurity, the UTC’s strategy facilitates risk-based decision making that weighs trade-offs and supports action to prevent cyber attacks against critical infrastructures; reduces vulnerability to cyber attacks; and minimizes damage and recovery time from cyber attacks that do occur.

The AFCEA Cyber Committee recommends that state-level regulators consider both approaches but notes that the increasing dependence on cyber systems of civil, critical and business infrastructures should spur consideration of the most comprehensive approach affordable.

Read all of the AFCEA Cyber Committee’s recommendations in Strengthening the Nation’s Cybersecurity Strategy series by tapping into SIGNAL Media’s free Resource Library online.
