How Can State and Local Agencies Better Collaborate on Cybersecurity?

State governments need to raise awareness of their services and coordinate more directly on IT security, a report argues.

Your browser doesn’t support HTML5 audio

Some state governments, such as Massachusetts, have established formal plans to work with localities within their states on cybersecurity. However, as ransomware attacks proliferate across the country and strike big cities and small towns alike, state-level organizations say there needs to be greater IT security coordination between states and municipalities. 

Last month, the National Governors Association and the National Association of State Chief Information Officers released a report, “Stronger Together: State and Local Cybersecurity Collaboration,” designed to showcase best practices for such collaboration. 

“State governments are increasingly providing services to county and municipal governments, including endpoint protection, shared service agreements for cyber defensive tools, incident response and statewide cybersecurity awareness and training,” the report notes. 

At a minimum, the report says, increased engagement can provide government agencies with “a more accurate threat picture to enhance state and local governments’ cyber posture.” Yet agencies need to move beyond mere information sharing to “leverage limited resources for enhanced cyber capabilities,” the report notes. 

How States Can Work with Local Entities on Cybersecurity

In “The Responsive State CIO: Connecting to the Customer,” NASCIO’s 2019 survey of state CIOs, 65 percent of states reported providing security infrastructure and services to local governments. However, the scope of such services varies widely from state to state. States are providing Security as a Service programs to local governments, such as managed security services, election security, anti-phishing training, cyber response teams and ransomware response. 

For example, the report notes, Colorado has created the Colorado Threat Information Sharing network, which enables the rapid sharing of “threat information, indicators and other pertinent information among state agencies and local governments, industry and other nongovernment entities.” In October 2019, the Colorado Governor’s Office of Information Technology released a cybersecurity guide for local government to assist with cyber preparedness across the state.

Meanwhile, Illinois established its Cyber Navigator Program in 2018 as a partnership between the Department of Innovation and Technology and the Illinois State Board of Elections. Using funding from the Help America Vote Act of 2002, Illinois hired dedicated personnel to help local election officials in “improving their cybersecurity posture, mitigating risks to elections infrastructure and building their resilience.” The navigators “conduct risk assessments, connect local election officials to resources, and seek to demystify cybersecurity by converting jargon into business-friendly terms.”

MORE FROM STATETECH: Find out why localities need to prepare for ransomware.

In neighboring Indiana, the Indiana Executive Council on Cybersecurity created a toolkit for local emergency managers in line with its statewide cybersecurity strategic plan. The toolkit includes an Emergency Manager Cyber Situational Awareness Survey, aimed at facilitating conversations between local emergency management offices and critical infrastructure on cybersecurity; a cybersecurity incident response template for local government entities; and a cybersecurity training and exercise guide to enhance emergency preparedness for IT security incidents.

At the very minimum, the report notes, states should be building relationships with local governments, and IT security leaders should be working via state-municipal leagues and county associations, with emphasis on local IT associations. 

States should also aim to raise awareness of existing services offered to local governments. According to the 2019 state CIO survey, just 31 percent of states have a formal awareness and marketing campaign to promote state offerings to local governments. To raise awareness, state governments can hold cyber summits and educate stakeholders. 

Additionally, the report says, state governments should be exploring cost savings that can be achieved through including local governments in service contracts. 

IT leaders can consult local governments during the contract planning process solicitation and offer “a conduit for discussions about pooling resources among shared risk pools at the local level.”

More On IT Governance, Policies, Threat Prevention, Threat Prevention,