Last week, Iowa Gov. Terry Branstad directed the state’s top IT and emergency management agencies to develop a comprehensive strategy by next July to defend Iowa from and respond to cyberattacks. Declaring cybersecurity a “top priority,” Branstad issued an executive order that will “update Iowa’s emergency response plan to better deal with the physical consequences of a cyberattack against the state’s critical infrastructure,” as the governor said in a statement.
The order directs the state Office of the Chief Information Officer, the state Department of Homeland Security and Emergency Management, the Iowa National Guard, the Public Safety Department and the Iowa Communications Network to work together and with other agencies to submit a cybersecurity strategy to Branstad by July 1, 2016.
According to the order, the strategy must “address high risk cybersecurity areas for the state’s critical infrastructure and develop plans to better identify, protect, detect, respond, and recover from significant cyber incidents.” Among other things, the agencies must also create a process to regularly assess the state’s cybersecurity infrastructure and activities and compile data-breach reporting and notification requirements.
Further, the agencies’ strategy must “provide recommendations related to securing networks, and data, including interoperability, standardized plans and procedures, and evolving threats and best practices to prevent the unauthorized access, theft, alteration or destruction of data held by the State of Iowa.”
In addition to calling for cybersecurity awareness training for state government employees and a public education campaign on ways residents can protect their personal data, the order also calls for other elements of the new strategy.
Another part of the strategy must focus on encouraging the state to work with the private sector and educational institutions to follow cybersecurity best practices. And it must also emphasize the importance of science, technology, engineering and math (STEM) programs in K-12 education and higher education as a way to continually increase the number of cybersecurity workers.
As The Gazette, an Iowa newspaper, reported: “Mark Schouten, director of Iowa’s Department [of] Homeland Security and Emergency Management, said an attack against Iowa’s electrical, gas or water systems could cause significant damage to property, loss of life or civil unrest.”
“Although we are currently aware of no credible cyber threats of this scope against our state, like floods, tornadoes and winter storms, it’s important that we be prepared to respond to a significant cyberattack should one occur,” Schouten told The Gazette.
States are taking varying approaches to address cyberattacks. For example, in October, Indiana entered into a partnership with Purdue University and Intel Security to organize responses to cyberthreats. State agencies and their private-sector collaborators created the Security Operations Center, which relies on both state employees and Purdue students to keep tabs on security incidents in the state’s IT systems. The students’ role is to help resolve lower-level issues so that security specialists at the Indiana Office of Technology in Indianapolis can spend more of their time on higher-priority and more sensitive issues, according to a statement from Purdue.
“For the state of Indiana as a whole, it’s just a win in the fact that it’s going to create a more secure infrastructure,” Indiana CIO Dewand Neely told StateTech shortly after the program was launched. “We’re going to do some information sharing with Intel. They’re going to take that back to the global network and just use it to help everyone in the end.”
And Michigan, as StateTech has reported, unveiled the Michigan Cyber Civilian Corps (MiC3) in 2014. Bringing together volunteers from government, education and the private sector, MiC3 serves as a state-of-emergency response team to cyberattacks and offers training opportunities throughout the year.