Executive Summary
With a dramatic uptick in ransomware attacks across the country, governors, state chief information officers (CIOs) and state government executives are designing and implementing programs to strengthen local partnerships in cybersecurity. State governments are increasingly providing services to county and municipal governments, including endpoint protection, shared service agreements for cyber defensive tools, incident response and statewide cybersecurity awareness and training. This publication outlines promising programs that states have initiated to enhance collaboration with their local government counterparts for cyber resilience. It also provides high-level recommendations for state officials looking to strengthen partnerships with local government officials on cybersecurity. At a minimum, increased engagement can provide a more accurate threat picture to enhance state and local governments’ cyber posture. However, there is a need to move beyond information sharing to leverage limited resources for enhanced cyber capabilities.
Introduction
The majority of all publicized ransomware attacks in the United States have targeted local governments, according to 2019 estimates. Some, like the August 2019 Texas Cyber Incident, the attack on Louisiana public schools and the Baltimore cyber disruption, have been well publicized. However, one can assume that many other incidents are publicly unknown. Additionally, in the 2018 Deloitte-NASCIO Cybersecurity Study, more than 70 percent of state chief information security officers (CISOs) identified ransomware as a very high or somewhat higher threat than other cyber threats. Ransomware is just one example demonstrating the need for broader engagement between states and locals.
Some states have little to no engagement with their local counterparts, especially where 100 percent of state resources are exclusively directed toward state agencies. Other states do provide a limited amount of services or have advanced engagement with local agencies. In the 2019 State CIO Survey, 65 percent of states reported providing security infrastructure and services to local governments. But, as the old adage goes, if you’ve seen one state, then … you’ve seen one state; the scope of services provided varies widely. How are state CIOs, homeland security advisors (HSAs) and other state offices doing this? All states have a business relationship with local governments, which are agents of state services (much like states are for the federal government). Still, some do so because they have jurisdiction or an executive directive, and some because they feel it is the right thing to do.
Many CISOs believe that increased engagement with locals has strengthened the state’s overall cyber posture, and they have made it a top cybersecurity priority. For example, in NGA’s Workshops to Advance State Cybersecurity in 2019, several states focused their efforts on enhancing state and local partnerships.
So, which cyber services are states providing to their local counterparts? Anecdotally, we know that states are providing security-as-a-service programs to local governments—for example, managed security services, election security, phishing training, cyber response teams and ransomware response.