Whole-of-state strategy needs more ‘carrots’ than sticks, cyber leaders say
Maskot via Getty Images
By
Chris Teale
Partnership between a state government and its localities is crucial in making information-sharing work, rather than just being enforcement and auditing when things go wrong.
One of the most notable parts of a whole-of-state cybersecurity strategy is encouraging state governments to work closely with localities, school districts and other organizations, when in the past there may not have been much trust.
But those intergovernmental partnerships are a crucial part of cyber resiliency, and not just as an enforcement mechanism when things go wrong and governments are hacked. Speakers said during last week’s Rubrik Public Sector Summit that it’s a different approach than in the past, and more focused on “carrots” than “sticks” in the form of financial help.
“The carrot is the big thing,” said Ben Spear, chief information security officer for the New York State Board of Elections. “When we started our elections program, we didn't just tell everyone the requirements we have to meet. We did do that, but we also threw money behind it. We were able to provide subgrants. And the other big thing that I find important is really showing the people that you're a partner. You're not just there to enforce… How can we work together to get there? As opposed to, how many times do we have to slap you on the wrists?”
New York’s efforts to secure its elections started with federal grant money, then the board of elections worked with the state’s homeland security department, county IT directors and other associations. Originally intended to just support elections, the effort has since widened to support all local governments with endpoint detection, incident management and response, training and other shared services.
The state announced even more investment last year in the form of a new cybersecurity grant program to help its local governments. The program, funded by $6 million from its portion of the $1 billion State and Local Cybersecurity Grant Program from the federal government, is intended to expand access to cyber tools, information, resources and services, with the state using its purchasing power to directly procure “best-in-brand” services to provide to localities.
Having such a close relationship with localities can be tricky territory for state agencies in New York, which is a home rule state and so grants significant power and authority for local governments to manage themselves without state interference.
Instead, they get creative. Daniel Krebs, chief information security officer for Monroe County in the west of the state, said localities must demonstrate a certain level of “cybersecurity posture” before they can access shared services. Once they achieve those aims, counties and other localities can access those shared state services for free.
“That carrot has been very appealing in a lot of instances,” Krebs said.
In the face of shared threats, it helps having everyone working closely together. Spear said sharing services and threat intelligence creates a sense of shared resiliency. It means “extra eyes” to see “across the board,” especially as threats against one unit of government may end up threatening others, he said. Those insights can then be leveraged to improve response times and build expertise for future threats, Spear added.
New York State Comptroller Thomas DiNapoli said in a 2023 report that cyberattack complaints in the state jumped 53% between 2016 and 2022, with the number of attacks on critical infrastructure nearly doubling. The state had the third most cyberattacks in 2022, behind only California and Texas for ransomware attacks and California and Florida for corporate data breaches.
Spear said, given those statistics and the ongoing threats government organizations face across the country, attacks will happen. Now, governments are measured on how quickly they can resume some form of normal operations, which is a crucial part of cyber resiliency.
“The reality is, and the framing that we need to look at now is, we have to rebound,” Spear said. “Where we're being measured now, is how quickly we come back. How do we respond? The attack’s going to come, it will get through somewhere, potentially. And what are you doing? You're being measured on how quickly the agency or the business can get back up to work.”