Beyond the Network: a Holistic Perspective on State Cybersecurity Governance

Publication year: 2021
Citation: Vol. 96

96 Nebraska L. Rev. 252


Michael Garcia, David Forscey and Timothy Blute(fn*)


TABLE OF CONTENTS


I. Introduction
II. Governance: The New Frontier of Information Assurance
III. State Cybersecurity Governance Extends Beyond The Network
IV. Centralizing Security Governance to Defend State Networks
V. Governance Beyond Network Defense
A. Disruption Response
B. Law Enforcement
C. Cybersecurity Centers
VI. Conclusion
Appendix: States and Indicators


I. INTRODUCTION

Cybersecurity is no longer the sole province of computer scientists, information technology (IT) departments, and hackers. A working understanding of digital technology and its attendant risks is now a prerequisite for the effective management of any complex organization in the twenty-first century. Executives in government and business must strengthen their own internal cybersecurity programs and prepare for the fallout when preventive measures inevitably fail. They must also plan to respond to attacks on external, unrelated entities that can have cascading effects throughout the economy and society. Although the United States has yet to suffer from a widespread, persistent cyber attack on critical systems, discrete incidents illustrate that criminals and foreign adversaries have the capability to cause massive economic and physical damage. A single "cyber apocalypse" is unlikely, but even the most mundane instances of cyber crime, in aggregate, inflict a tremendous toll on the national economy.(fn1)

Traditionally, the federal government has taken the lead in defending the nation against man-made national security threats. Constitutional law and practice generally left it to states and their political subdivisions to safeguard the public welfare from more mundane dangers such as crime and weather-related hazards. The September 11 attacks and the subsequent struggle against decentralized terrorist networks solidified a newly assertive role for state and local government in national-security matters.

Similarly, the distributed structure of networked communications, combined with the sheer size of the United States and the decentralized federalist system on which it is founded, means that the federal government cannot secure the nation's computer-based infrastructure alone. Whatever the origin of a given cyber attack, whether it is a disruptive attack against infrastructure or a more common email scam, its effects are inherently local, as is the response. Huge swaths of the nation's critical infrastructure are controlled or regulated by state and local entities. Citizens' and businesses' interactions with state and local officials far outstrip their engagement with federal entities. As a result, assessing the impact of cybersecurity policy requires a bottom-up flow of information from citizens and businesses to the federal government. Standards and recommendations to improve one's risk exposure often flow from national or federal organizations back down to the local level. States lie at the nexus of these information flows.

States might have difficulty contributing to cybersecurity policy if they cannot secure their own information assets. The information-security community long ago identified the best practices that can meaningfully reduce risk to the confidentiality, integrity, and availability of state-owned and -controlled data and related systems. Modern software and hardware offerings reduce the burden of integrating those best practices with IT management and adapting them to new threats. As a result, the core challenge for state cybersecurity professionals today is not technical; the cutting edge of cybersecurity is governance. From basic firewalls to the most sophisticated malware analysis, all technology solutions must be configured and implemented by humans. In academic literature and corporate guidelines, cybersecurity governance is commonly described as the process through which humans understand organizational risk, prioritize resources, and establish procedures to erect technical defenses against computer-based attacks.

We argue that state cybersecurity governance deserves a broader definition that reflects the expansive role for states in the broader cybersecurity ecosystem, one that obligates state officials to do more than defend state networks. States have a fundamental responsibility to protect constituents, including interstate businesses, from day-to-day cyber attacks and to prepare public and private institutions for a widespread cyber disruption. States also have an abiding interest in growing the cybersecurity workforce through innovative education and training initiatives. A deeper talent pool is a precondition for optimum risk management in the public and private sectors, as well as a driver of employment and economic growth more broadly. Across the nation, state chief information officers (CIOs), chief information-security officers (CISOs), homeland security advisors, and other officials or advisors are attempting to implement wide-ranging cybersecurity initiatives to achieve these purposes. However, such officials are generally equipped with small budgets and limited authority.

Success demands a whole-of-state approach that assembles stakeholders, assigns responsibilities, sets timelines, allocates resources, and establishes accountability mechanisms. Officials must involve municipalities, educational institutions, and small businesses in addition to state IT agencies and critical infrastructure operators. Good governance functions to overcome resource constraints and bureaucratic resistance, thereby empowering officials to manage technical controls and user behavior across the state enterprise, boost information sharing among public and private partners, share best practices, plan for cyber incidents and cyber disruptions, align educational standards with business needs, and prepare for future threats that have yet to materialize. This is state cybersecurity governance. It extends beyond the network's edge.

II. GOVERNANCE: THE NEW FRONTIER OF INFORMATION ASSURANCE

A resilient information-security posture requires three core competencies: (1) the deployment of technical and administrative controls to harden vulnerable information assets; (2) user awareness programs and training to maximize compliance with established controls; and (3) the collection and dissemination of information needed to adapt the current security posture to emerging threats. In implementing these key elements of cybersecurity, today's businesses and government agencies are most commonly frustrated not by technical questions but rather by organizational ones.

Widely available technical solutions can reduce cybersecurity risk to tolerable levels. Modern developments in cryptography, software applications, and hardware have simplified the process of implementing time-tested techniques to mitigate most, if not all, known security vulnerabilities. A wide array of native and third-party solutions smooth the process of conducting risk assessments, segmenting networks, whitelisting applications, disabling active content in emails, and detecting intruders, among other measures.(fn2) Basic defenses such as these would block many of the most common forms of cyber attack, as well as some of the most devastating ones.(fn3) Even when sophisticated attacks circumvent these safeguards, raising the cost of intrusions via technical best practices filters out standard criminals, freeing up defenders to focus on the most advanced threats. Although states have access to the proper technology to implement effective technical countermeasures, dispersing that technology throughout a state's bureaucracy is fundamentally an organizational problem.

Security technology cannot be effective if misconfigured, misapplied, or ignored by its users. Human error is a common cause of security breaches in the private and public sectors.(fn4) Many of the most sophisticated malware variants, including those used by nation-states, depend on a lapse in human judgment to compromise target systems.(fn5) In the information-security community, a truism has taken hold: information assurance depends on maximizing user compliance with security policies.(fn6) State CISOs want to prioritize training and awareness programs for state employees,(fn7) but inculcating a culture of risk requires organizational change beyond mandatory training videos.(fn8)

Properly designed information-security programs cannot stop all attacks, particularly those that exploit unknown security vulnerabilities. Evolving threats have generated a broad desire for more information sharing among entities who might otherwise resist working together. In recent years, Information Sharing and Analysis Centers/Organizations (ISACs/ISAOs) have emerged across the private sector from finance and energy to healthcare and transportation. Federal officials have devoted significant time, funding, and political capital to establish nationwide information-sharing organizations, including the National Cybersecurity Communications Integration Center (NCCIC) and the Multi-State Information Sharing and Analysis Center (MS-ISAC). States, too, have begun creating their own information-sharing bodies, building on the law enforcement fusion centers that...
