Today, Council of Governors co-chairs Governor Tim Walz of Minnesota and Governor Mike DeWine of Ohio sent a letter to President Joseph R. Biden, Jr. in response to a March 18 letter President Biden sent regarding the heightened cybersecurity threat stemming from Russia’s ongoing attack on Ukraine.
The Honorable Joseph R. Biden, Jr.
The White House
1600 Pennsylvania Avenue NW
Washington, DC 20500
As co-chairs of the Presidentially-appointed Council of Governors (Council), we write in response to your March 18th letter to Governors regarding the heightened cybersecurity threat stemming from Russia’s ongoing attack on Ukraine. We acknowledge the power of a unified response to President Putin, and we continue both to apply pressure and — in partnership with local industry — ramp up our defenses. We remain vigilant against retaliation on our homeland and allies, including potential cyberattacks.
We share your concern on the importance of cyber resilience as a national priority, and we assure you that our fellow Governors remain committed to safeguarding the networks, systems, and operational technology on which our Nation and economy rely. Guarding critical infrastructure operations within our borders is not a new obligation, and we understand the importance of collaborating with our states’ service providers in this elevated threat environment.
We recognize that the federal government bears unique responsibility to strengthen our Nation’s cybersecurity posture, and we stand ready to bolster our Nation’s response. Enhanced measures to guard against cyberattacks are most effective through a combination of reasonable, uniform federal guidelines and a carefully considered state processes. However, we caution against rushed or uncoordinated actions that risk undermining or preempting state policymaking and regulatory processes.
Further, we urge careful consideration of the likely consequences of states’ independent adoption and enforcement of disparate cybersecurity standards governing private utility providers. Absent uniform federal guidance, legal difficulties and service disruptions could ensue. Our concern for federal leadership and consistency is underscored in the May 2021 Executive Order on Improving the Nation’s Cybersecurity, which espouses “essential, baseline cybersecurity standards that [you] directed all federal agencies to adopt.”
We believe an immediate, impactful course of action would be to provide resources to states, including Public Utility Commissions; non-regulated utilities, such as municipal and rural cooperatives; state law enforcement; IT services; and comparable entities in developing cybersecurity initiatives with state governing bodies, executive branch offices, and legislative committees of appropriate jurisdiction. We remain committed to enhancing cybersecurity protections by having appropriate tools at our disposal, while continuing our collaboration with you and our federal partners in the development of uniform federal standards.
We, and many of our fellow Governors, have established cybersecurity governance bodies –commissions, task forces, and advisory boards — to oversee our states’ cybersecurity policies, programs, and procedures.
Despite a variety of authorities and reporting requirements reflecting our states’ distinct circumstances, we navigate differences in our collective interest and overcome resource limitations by sharing information about cyber anomalies and incidents. We strengthen our collective posture by engaging resources, such as the Multi State Information Sharing and Analysis Center (MS-ISAC); our local Federal Bureau of Investigation field offices; U.S. Secret Service, regional Cybersecurity and Infrastructure Security Agency offices; the U.S. Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response; the Energy Government Coordinating Council; and the various guides and campaigns that CISA oversees. Indeed, we value the coordination of federal efforts, and we encourage continued alignment of resources and expertise as outlined in the Cybersecurity and Infrastructure Security Agency Act of 2018.
As early as 2014, the Council worked with federal officials to develop a Joint Action Plan for State-Federal Unity of Effort on Cybersecurity that describes the importance of “promot[ing] a national approach to preventing, protecting against, mitigating, responding to, and recovering from cyber incidents, including the development or refinement of a national cyber incident response framework.” Although it aims to “deconflict, synchronize, and enhance the effectiveness of security measures,” the plan does not establish a way to synthesize or prioritize guidance from potentially competing sources. Over a decade later, this objective should remain of paramount concern to the federal government.
Over the past decade, most of our Council members’ states have implemented robust cybersecurity strategies in preparation for a major incident. In these plans, our states leverage best practices, such as those outlined in the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Still, NIST compliance is currently only mandatory for federal agencies, which means that our state and local governments and small businesses have varying levels of cyber hygiene and resources. We are eager to receive additional support through the appropriations outlined in the American Rescue Plan and Bipartisan Infrastructure Investment and Jobs Act and appreciate your Administration’s funding of cybersecurity initiatives, which demonstrates your understanding of this issue’s gravity at a perilous moment in our Nation’s history.
Achieving cybersecurity depends on sustained awareness, partnership, information-sharing, and coordination. We appreciate the investments provided in recent legislation. The persistent threat posed by cyberattacks will require continued investment, and we look forward to strengthening our Federal-State partnerships to ensure the Nation’s cybersecurity posture is poised to defend against these threats.
Governor Tim Walz
State of Minnesota
Governor Mike DeWine
State of Ohio