I was recently asked how state governments could more effectively leverage the federal government to improve their own cybersecurity. With a change in the executive branch at hand, it seems the perfect time for state chief information security officers to begin thinking about how to take advantage of not only the gravitas of the White House but also the growing funding and contracting opportunities provided by federal agencies.
But let's first look at what the current presidential administration has accomplished. It has not been idle on issues related to cybersecurity and should be given credit for the hard work of identifying critical policy issues that needed attention.
The Trump administration delivered, among other things, the 2018 National Cyber Strategy, along with four critical cyber-specific executive orders covering federal networks and critical infrastructure; the cybersecurity workforce in both the public and private sectors; information and communications technology and its services supply chain; and the nation's bulk-power system. These are significant issues and provide some foundational background for CISOs embarking on similar cybersecurity policy issues at the state level.
While there are a number of ways state CISOs could potentially leverage support from within the new administration to advance their states' cybersecurity programs, I'd like to highlight three that I think could achieve immediate and critically important results.
Leverage the White House
During my tenure in the Obama administration as deputy undersecretary for cybersecurity at the Department of Homeland Security, I was fortunate to participate in Cabinet and national security meetings where then-Vice President Joe Biden was present. I remember coming away from those meetings with a feeling of assurance that he was actively engaged in and attentive to the cybersecurity issues we were dealing with. I have high confidence that cybersecurity will be a front-and-center issue in the Biden administration.
Looking forward into the new administration, the 2021 National Defense Authorization Act passed by Congress last week and sent to President Trump would create a leadership role for cybersecurity in the White House: a position of national cyber director. This Senate-confirmed appointment in the Executive Office of the President would have influence within both the White House and Congress, so while certainly not an independent office, a degree of nonpartisanship should prevail. The role would have two key functions: policy and budget authority over the implementation of the national cyber strategy, and coordination of national cyber-incident response efforts.
Why does this matter? This is where state CISOs can use the intangible influence of leadership in the White House to promote cybersecurity within their own governors' offices and state legislatures. In the national cyber director's role of orchestrating responses to cyber-incidents at the national level, relationships with state CISOs will be acutely important and provide them with a highly visible platform.
In addition to sources of funding typically unheard of in state government, the federal government has long had the advantage of broad situational awareness. In contrast, states have the advantage of micro-level local knowledge critical to defending against the vast array of malicious actors attempting to create cyber-chaos. State CISOs also have the personal networks, extending to the local-government level and their private-sector counterparts, that can mitigate the cybersecurity variant of "contagion risk," a term the financial industry uses to describe market disturbances that can spread quickly.
Leverage Grant Funding
It's no surprise to this audience, but state-level funding for cybersecurity lags well behind the levels our private-sector brethren enjoy. As I noted previously in this space, according to the 2020 Deloitte-NASCIO cybersecurity survey, many private-sector companies allocate more than 10 percent of their overall information technology budgets for cybersecurity, while most state government cybersecurity budgets come in at less than three percent of IT spending.
With this paucity of funding, CISOs need to seek out every creative opportunity at their disposal. One of the best is the 2020 Homeland Security Grant Program (HSGP), where DHS has identified four critical priority areas: cybersecurity; soft targets and crowded places; intelligence and information sharing; and emerging threats. Importantly for CISOs, those receiving grants from the HSGP's State Homeland Security Grant Program and Urban Area Security Initiative are required to dedicate a minimum of five percent of those funds to each of HSGP's critical priority areas — 20 percent in all.
Leverage Federal Procurement
Finally, DHS' Continuous Diagnostics and Mitigation (CDM) program was expanded several years ago to provide state CISOs, among others, with a procurement vehicle to acquire cybersecurity tools for ongoing risk identification and mitigation. The CDM initiative is one of the programs we started in 2013 when I was at DHS, and it is an efficient and cost-effective way for state governments to procure the same kinds of proven security tools being deployed by other states and by federal and local-government organizations.
While these ideas aren't entirely new or revolutionary, there is no better time to take advantage of these kinds of opportunities than every four (or eight) years as a new presidential administration takes hold. Be bold.
Governing's opinion columns reflect the views of their authors and not necessarily those of Governing's editors or management.