The Benefits of Michigan’s Cyber Infrastructure

WASHINGTON — Michigan’s state government had several luxuries developing its Cyber Disruption Response Plan that other states often lack, which can make information sharing more difficult in those jurisdictions.

For starters, IT has been centralized in Michigan under a single state chief information officer for 16 years, CIO David Behen said during an Effective Cyber Disruption Strategies session at the Symantec Government Symposium in the nation’s capital on Tuesday. All IT infrastructure projects and cybersecurity go through his Technology, Management and Budget department and out to the state’s 50,000 employees and 18 primary agencies—each with its own liaison.

Large, decentralized states like California require strong leadership to bring together all CIOs, and some like Ohio are attempting to morph their structure. Still the more centralized states tend to have the most mature cyber risk frameworks, said fellow panelist Thomas Duffy, who chairs the Multi-State Information Sharing and Analysis Center, and those attempting to transition must overcome IT fiefdoms that have arisen.

A second benefit of Michigan’s structure, Behen said, is the fact Gov. Rick Snyder, who jumpstarted the state’s cyber plan in February 2011, has an IT background as a former board chairman at Gateway. That made forging the federal, law enforcement and private sector partnerships necessary for crafting a comprehensive cyber disruption strategy, now on version 2.0, a lot easier.

“There has to be that cohesive relationship between federal, state and local as well,” Behen said.

Cybersecurity is risk management, so everyone values things differently, and local strategies aren’t one size fits all, said panelist Mike Echols, chief executive officer at the International Association of Certified Information Sharing and Analysis Organizations. That makes information sharing, within organizations and with the feds, all the more important. And that’s why banks and utilities have spent vast sums of money on it for years.

Symantec shares information with competitors like Intel and Palo Alto Networks through the Cyber Threat Alliance and supports the Information Sharing and Analysis Center because the federal government can’t do it all.

While he was with the Department of Homeland Security, Echols said, the focus was on “making sure that [breach] that happened the one time doesn’t happen the next time.”

Often local law enforcement investigates online crimes but doesn’t understand cybersecurity, so it’s become increasingly reliant on resources like fusion centers for assistance.

Behen also discussed his philosophy for recruiting top talent, which embraces the idea of employing young workers and those on the verge of retirement for several years.

“I like to say I can convince seven out of 10 people coming out of college or at the end of their careers to come and work in public service for two or three years,” he said. “Then you’re an ambassador for the state of Michigan. That alumni concept … is huge.”

And rather than working on one big project for a big company, the worker will be able to sample different technologies on different projects before bringing that newfound versatility to the private sector.

The public and private sectors can’t keep stealing from each other by increasing salaries, said panelist Ken Durbin, Symantec unified security strategist. All parties suffer, he said, in the end but especially state governments.

Increasing the size of the workforce then becomes paramount, exploring new avenues like the training of military veterans.

Panelists lamented that there’s no technology requirement within the P-20 curriculum, and cybersecurity is not always built into computer science courses at the university level.

“The kids have their hands on these devices early on … yet we’re not requiring them to use them in their educational life,” Behen said. “If you’re educated, we can train you.”

Graduate-level courses continue to be populated mostly by foreign nationals, Duffy said.

Sometimes agencies must outsource for the technical expertise, Echols said, but the danger there is that you’re no longer developing your own workforce.

One other source of concern is uptick in variance and volume of ransomware attacks since January, Duffy said.

Hackers now use advanced techniques once reserved for espionage and data theft, exploiting server vulnerabilities to infiltrate networks and then using common tools to navigate without raising suspicion, Durbin said. Bad actors are patient, taking their time to compromise credentials and learn an organization’s backup strategy, so they can encrypt and hold those hostage as well—yielding bigger payouts. They might threaten to release files slowly over time or delete them.

“Our perimeter has been dissolved,” Duffy said, referring to the rise of the Internet of Things, bring-your-own-device and remote work culture.

Offline backups are once again necessary, and simple phishing attacks can’t be ignored either—frequent patching and employee training required.

Behen’s office holds sticky online “cyber hygiene” training for workers, but its own phishing exercise showed those lessons were only going so far. A change in education and awareness is needed, he said.

“We see [ransomware] every once in awhile. I don’t want to say anything that will jinx us, but we see it and we’re concerned about it,” Behen said. “We’re patching and doing that stuff, but I’m more worried about the individual.”