High-profile cyberattacks have certainly produced cause for concern, but bigger threats loom on the horizon, say state and local leaders. “Data breaches are going to be the least of our problems if and when the day comes that threat actors hack into connected physical systems and cause serious injuries and deaths,” warns New Jersey CISO Michael Geraghty.
As director of the New Jersey Cybersecurity and Communications Integration Cell, Geraghty is responsible for preparing for such doomsday scenarios. The aim of the NJCCIC is to make New Jersey more resilient against cyberattacks by serving as a cybersecurity clearinghouse, sharing threat intelligence and best practices with public agencies, private businesses and citizens throughout the state.
NJCCIC’s reach has extended far beyond the borders of the Garden State. As the nation’s first state-level cybersecurity information-sharing and analysis organization, it has opened the door for similar centers in California, Georgia and a handful of other states. These state cybersecurity centers now serve as the coordinating organizations for identifying a range of threats, marshaling stakeholders to combat those threats and training the next generation of cybersecurity experts.
“I think everybody’s realizing that there’s a need for a focal point — people who are focused on this on a daily basis and not as 25 percent of their jobs,” says Michael Garcia, senior policy analyst with the Homeland Security & Public Safety Division of the National Governors Association Center for Best Practices. Cybersecurity touches every aspect of government — hospitals, schools, even elections. “You can’t just have a hodgepodge of activities,” Garcia says. “It requires a coordinated effort.”
New Jersey Pushes to Think About Cybersecurity Holistically
A year after NJCCIC’s creation, New Jersey moved responsibility for strategic and enterprise cybersecurity out of its Office of Information Technology and into its Office of Homeland Security and Preparedness, which oversees NJCCIC.
“Today, cybersecurity is much more than just an IT issue. In the days when IT consisted of data processing and communications, organizing information security within an IT organization made sense. But now, technology — embedded systems — exists in all aspects of a business and all aspects of our lives,” Geraghty says.
Over time, the Internet of Things will become a greater part of everyday life, likely disrupting solutions to various problems, he adds. IT officials will face many challenges outside of their traditional domain, but they also will find new opportunities to impact the health and welfare of citizens.
“Instead of looking at this only as a cyber problem, we have to treat this holistically as a security problem,” Geraghty says. “The lines between physical security and cybersecurity have been blurred, and eventually they will be erased.”
As a component organization within OHSP, the NJCCIC works with a broad array of partners, including the New Jersey State Police, the FBI, the Department of Homeland Security, the Multi-State Information Sharing and Analysis Center and a host of other public and private organizations, creating a sort of security ecosystem. At last count, that ecosystem consisted of more than 4,000 organizations globally.
“No one organization has all the answers,” Geraghty says. “Going at this problem alone is foolish and doomed to fail, but by working together and sharing information, we have a much better chance of succeeding.”
NJCCIC uses an array of tools and technologies to support its defense-in-depth approach to cybersecurity. These technologies include intrusion detection and prevention systems, security information and event management systems, incident response systems, web application firewalls, endpoint security and a data lake that takes in various security events from agencies across state government.
“We are agnostic when it comes to technology,” Geraghty says. “Our decision on what technology to use comes down to whether it works for us in our environment. We make a lot of our decisions based on simplicity. We do not want to spend our limited resources caring for and feeding the technology. Does the security technology work for us, or are we winding up working for the technology?”
California Forges Alliances with Its Cybersecurity Center
Cybersecurity centers operate much like fusion centers, except instead of compiling and distributing intelligence about broad vulnerabilities, they focus specifically on digital threats. In fact, many cybersecurity centers, such as NJCCIC and the California Cybersecurity Integration Center, or Cal-CSIC, grew out of their state fusion centers.
Former California Gov. Jerry Brown established Cal-CSIC through an executive order on Aug. 31, 2015, but it took until June 2017 for the team to fully ramp up, says Mario Garcia, the agency’s acting commander. In September 2018, Brown signed a bill codifying the center into law.
“Absolutely every state should make sure that they have this addressed,” says California CISO Peter Liebert. “There are states that are lagging behind, but we’re talking about it, which is good news.”
Rather than dedicate a single organization to focus on cybersecurity, California opted to pull representatives from various agencies onto the Cal-CSIC team so that it would have multiple perspectives — a model recognized by the National Association of State Chief Information Officers with a 2018 special recognition award.
Cal-CSIC partnerships begin with what it refers to as the 4-Core Partnership — full-time representatives from the California Military Department, the state’s department of technology, the California Governor’s Office of Emergency Services and the state’s highway patrol — and extend to various state and federal agencies and businesses.
“The end result is that you don’t have multiple agencies all trying to attack the same problem in a stovepipe,” Garcia says.
Cal-CSIC’s goal is to incorporate new automated threat intelligence–sharing technologies so that it can receive real-time alerts and threat information from its many partners. “We’d like to see very quickly whether the entire state or a specific sector or industry is under attack so we can more readily focus our energy on protecting that particular sector or alerting the entire state,” Garcia says.
The California Department of Technology has been working toward that end by passing information from state stakeholders on the California Government Enterprise Network to Cal-CSIC. “Kind of like a hub-and-spoke model — we provide all that information to Cal-CSIC and then distribute that across the state,” Liebert says.
CDT’s cybersecurity portfolio includes Splunk Enterprise, FireEye Network Forensics, Trend Micro TippingPoint Advanced Threat Protection for Networks, CrowdStrike endpoint protection and Symantec endpoint protection and encryption, according to the Cal eProcure portal.
CDT is internally vetting a host of technologies — including endpoint protection, endpoint detection and response, and lateral (east-west) traffic security analysis — with plans to offer them as services to partner agencies and departments next year. It also plans to offer anti-phishing training and security training as a service and continuous monitoring as a service, Liebert says.
Georgia Works to Build the Cyber Workforce of Tomorrow
Like Cal-CSIC, the Georgia Cyber Center was built on its partnerships, which come together in a $100 million, 332,000-square-foot facility encompassing two buildings, the first of which opened in July 2018 and the second of which was completed in December.
In fact, the primary driver for the center was to meet the needs of the U.S. Army Cyber Command, which is consolidating its operations and moving to Fort Gordon in Augusta.
“This new division coming to Georgia is like a Fortune 100 business,” says Calvin Rhodes, Georgia CIO and executive director of the Georgia Technology Authority. “The No. 1 issue that we believe the state can help with is workforce development.”
That goal drove the first of several components of the center: education and training. Through partnerships with Augusta University and Augusta Technical College, the Georgia Cyber Center will offer certificate, undergraduate and graduate cybersecurity programs and training for state and local government employees through the Georgia Cybersecurity Workforce Academy.
Another major component of the center is its innovation incubator. To fuel the growth of Georgia’s cybersecurity industry, the Georgia Cyber Center partnered with theClubhou.se, a nonprofit independent incubator, to connect startups and individuals with mentors who can help them turn their ideas into successful businesses.
The center also includes a research and development component, the Georgia Bureau of Investigation’s cybercrime unit and a cyber range, where partners can test new technologies and conduct cyberattack drills.
The final component of the center is private sector space — 100,000 square feet of office space available for lease by businesses in the cybersecurity field, giving them access to the center’s partners, resources and students.
The space is key to the center’s sustainability. All funds from the market-rate leases go toward the center’s technology budget, “so there will be an ongoing financial model that allows the technology to stay current,” Rhodes says.
“These opportunities don’t come along often,” he adds. “If we think about what we can accomplish over the next decade, it will be significant.”