The 2023 Cybersecurity Policy Advisors Network In-Person Convening was held on September 27-28th in Washington, DC. Hosted by the National Governors Association (NGA), the event convened the Cybersecurity Policy Advisors Network, including Governors’ advisors and state chief information security officers and other state cybersecurity officials, as well as NGA corporate partners, to share best practices and discuss cybersecurity challenges and strategies across a range of topics.
The Cybersecurity Policy Advisors Network (CPAN) serves as a forum for Governors’ advisors and state chief information security officers to share ideas and troubleshoot challenges with colleagues from other states, connect advisors with valuable resources and materials, and provide opportunities to hear from subject-matter experts via periodic calls, webinars and workshops. Members of the network are identified by Governors’ offices to speak to their Governor’s cybersecurity priorities.
More than 90 participants, including 39 state representatives from at least 28 states and the District of Columbia, attended this event. Outcomes from the convening included:
- Creating and enhancing relationships between members of the Cybersecurity Policy Advisors Network;
- Building knowledge and expertise in a variety of cybersecurity areas;
- Sharing challenges and lesson learned with peers across the country;
- Identifying opportunities for future intrastate and interstate collaboration;
- Fostering public and private partnerships; and
- Discussing gubernatorial priorities in the area of cybersecurity.
Featured speakers included Deputy National Cyber Director Drenan Dudley of the Office of the National Cyber Director, Deputy Director Mara Winn of the Department of Energy’s Cybersecurity, Energy Security, and Emergency Response (CESER) office, and Kevin Stine, Chief, Applied Cybersecurity Division, at the National Institute for Standards and Technology (NIST). The convening included a number of discussion-based plenary sessions, as well as state-only conversations. Session topics included cyber emergency response, energy critical infrastructure defense, the development of statewide cyber strategies, the NIST Cybersecurity Framework, artificial intelligence, data privacy and the role of the state chief privacy officer, state agency fraud detection and others. See a full list of sessions and speakers below.
The article was prepared by Maria Kearl, for more information, please contact the NGA Cybersecurity Team at cyber@nga.org.
Agenda
Day 1
Keynote: Office of the National Cyber Director
- Drenan Dudley, Deputy National Cyber Director for Strategy and Budget, Office of the National Cyber Director
State Chief Cyber Officers’ Panel
All 50 states have a chief information security officer responsible for developing and implementing cybersecurity strategies, with threats of attack ever-present for state and local governments. However, three states have also established a “cyber czar” position. Attendees heard directly from these leaders about how they approach their role, their day-to-day responsibilities, and their relationships with their Governors and CISOs.
Speakers:
- Kirk Herath, Cybersecurity Strategic Advisor, Ohio Governor Mike DeWine
- Colin Ahern, Chief Cyber Officer, New York Governor Kathy Hochul
- Dustin Glover, Chief Cyber Officer, State of Louisiana
- Chris Shank, former senior policy advisor to former Maryland Governor Larry Hogan, Moderator
National Incident Management System & SLTT Cyber Emergency Response
The National Incident Management System (NIMS) provides stakeholders across the whole community with a shared vocabulary, systems, and processes to empower the delivery of disaster response capabilities. This session provided an overview of how NIMS guides all levels of governmental, nongovernmental, and private sector organizations to work together to prevent, protect against, mitigate, respond to, and recover from incidents. It explored how cybersecurity fits into NIMS and share how the State of Iowa leverages NIMS in its cybersecurity incident response and information technology disaster recovery operations.
- Hank Rowland, Chief, NIMS Documents and Tools Branch, National Integration Center, National Preparedness Directorate, FEMA
- Wes Rogers, Emergency Communications Division, CISA
- Shane Dwyer, Chief Information Security Officer, State of Iowa
Energy Critical Infrastructure Defense: Threats and Trends
Remarks by the U.S. Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response on current threats and policy, regulatory, and compliance trends affecting energy critical infrastructure defense.
- Mara Winn, Deputy Director, Preparedness, Policy, and Risk Analysis, U.S. Department of Energy’s Cybersecurity, Energy Security, and Emergency Response (CESER) office
Beyond IT: Designing Statewide Cyber Strategies
In an increasingly interconnected digital landscape, the urgency for robust and comprehensive cybersecurity strategies at the state level has never been more pronounced. During this panel discussion, we heard from three state cybersecurity leaders as they delved into the challenges and opportunities in designing statewide cyber strategies. The panelists shed light on the complexities of executing statewide strategies that include safeguarding state and local government assets, critical infrastructure, private institutions, and their individual citizens from cyber threats. Attendees gained a deeper understanding of the pivotal components that underpin successful state-level cybersecurity strategies, the role of public-private partnerships, and the importance of adopting collective defense models in which organizations collaborate to detect, share intelligence, and respond to threats together in real time. By sharing best practices, lessons learned, and forward-thinking initiatives, this discussion was a cornerstone for anyone committed to fortifying his or her state’s digital defenses.
Speakers:
- Jesse Sloman, Deputy Chief Cyber Officer, New York Governor Kathy Hochul
- Michael Geraghty, Director, New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) and Chief Information Security Officer, State of New Jersey
- Ryan Murray, Deputy Director, Department of Homeland Security & Interim Chief Information Security Officer, State of Arizona
National Guard Assets & Cyber Protection Teams
The National Guard Bureau delivered a briefing on how the Guard’s cyber assets support states’ strategic planning and incident response efforts.
Speaker:
- Lieutenant Colonel Janice Hernandez, National Guard Bureau (Detailee to Office of Secretary of Defense for Cyber Policy)
The NIST Cybersecurity Framework 2.0 for Risk Management
NIST’s Kevin Stine will share the latest details on the recently released NIST Draft Cybersecurity Framework (CSF) 2.0—a document first developed in 2014 to help organizations manage their cybersecurity risk. Kevin shared some of the major changes, explained how to contribute feedback, and discussed what’s next along the journey to the CSF 2.0.
- Kevin Stine, Chief, Applied Cybersecurity Division, National Institute for Standards and Technology (NIST)
Reflections on Artificial Intelligence in New York City Government
Artificial intelligence and machine learning have emerged as increasingly ubiquitous technologies across a wide range of areas in both the private sector and government. Dr. Neal Parikh—who served as New York City’s first Director of AI—discussed some key projects including the city’s first comprehensive AI strategy.
- Neal Parikh, Ph.D., Adjunct Associate Professor, School of International & Public Affairs, Columbia University
Critical Infrastructure Funding for Cybersecurity
The State and Local Cybersecurity Grant Program (SLCGP) is not the only federal funding available for state cybersecurity. Attendees learned about additional federal formula and grant funding available to states to help protect their critical infrastructure—including water utilities, transit, airports, energy, and ports—from cyberattacks.
Speakers:
- Marty Edwards, Vice President of Operational Technology Security, Tenable
- Danielle Nicole Cox, Chief Information Security Officer, State of West Virginia
Data Security, Data Privacy, and the Chief Privacy Officer
This session covered the role of the state Chief Privacy Officer (CPO), emerging trends in data security, and the overlap between cyber and privacy equities at the state government level. Panelists discussed how the CPO role has developed in states to mitigate data privacy challenges and how states can address emerging privacy issues.
Speakers:
- Cherie Givens, Chief Privacy Officer, Department of Information Technology, State of North Carolina
- Lisa Turbis, Vice President and Assistant General Counsel, Privacy & Product, Okta
- Maria Kearl, Policy Analyst, Center for Best Practices, National Governors Association, Moderator
Threat Landscape Briefing
Google-Mandiant’s chief intelligence analyst delivered a current cyber threat briefing. Mr. Hultquist has over 15 years of experience covering emerging threats in cyber espionage and information operations, working in both the private sector and the federal government.
Speaker:
- John Hultquist, Chief Analyst of Intelligence, Mandiant, Google Cloud
State and Local Cybersecurity Grant Program: 2024 and Beyond
State-local partnerships to enhance whole-of-state cybersecurity resilience remain a key priority area for state cybersecurity leaders. Panelists discussed current efforts, priority areas, and takeaways from collaborative programming.
Speakers:
- Jim Weaver, Secretary & Chief Information Officer, State of North Carolina
- Hemant Jain, Chief Information Security Officer (Indiana Office of Technology), State of Indiana
- Karen Sorady, Vice President of Member Engagement, Multi-State Information Sharing and Analysis Center (MS-ISAC), Center for Internet Security (CIS)
- Carlos Kizzee, Senior Vice President, Stakeholder Engagement Operations, Center for Internet Security (CIS), Moderator
Day 2
Defend Together: Scaling Cyber Defenses
State and local governments continue to face significant challenges in meeting the demands that increasingly sophisticated threat actors pose to government networks. Compounding this is a range of larger contextual issues—workforce shortages, budget cycles, financial resource constraints, and disjointed legacy systems—that make defending networks even more difficult. However, there is a growing trend of different units of government working together in new ways to create more resilient, comprehensive, and affordable cybersecurity ecosystems. This discussion highlighted several of those initiatives, with a particular focus on shared security operations as well as the growing role of AI.
Speaker:
- Thomas MacLellan, Director, Government Affairs & Strategy, Palo Alto Networks
The Complexity and Security Challenges of Cloud Computing
In an era of rapid technological transformation, cloud computing has emerged as a cornerstone for modern governance. While the advantages of cloud adoption in streamlining operations and enhancing service delivery are numerous, the intricacies of cloud security across environments remains a pressing concern for state and local government leaders. This fireside chat with industry leaders will delve into the evolving landscape of cloud security, identify trends, and impactful strategies for dealing with risks. This dialogue offered actionable insights for states whether at the cusp of their cloud journey or navigating its complexities, with the intention of ensuring a secure and transformative approach for modernizing government services.
Speakers:
- Nathan Willigar, Chief Information Security Officer, State of Maine
- Christopher Montgomery, Strategist & Advisor, Digital Transformation and Cybersecurity, VMware
Public Safety Organizations & Emergency Communications: Posture & Trends
Public safety agencies are working hard to improve the timely delivery of emergency services to their constituents, to include the fielding of a growing array of advanced technology integrating voice, video, and data feeds to allow dispatchers and first responders to make decisions with greater focus, certainty, and speed. At the same time, Cyber threats to public safety organizations are increasing in scope, scale, and complexity, but many agencies are challenged by a lack of cybersecurity resources required to mitigate risk and ensure continuity of no-fail public safety operations. A panel of public safety agency leaders discussed challenges and opportunities with public safety cybersecurity and the need for closer collaboration and resource allocation at the federal, state, and local levels.
Speakers:
- Chris Rodriguez, Ph.D., Director of Homeland Security & Emergency Management Agency, Washington, DC
- Netta Squires, Director of Local Cybersecurity, State of Maryland
- Jay Kaine, Director, Threat Intelligence, Motorola Solutions, Moderator
Adoption of NIST Frameworks for Zero Trust
Government organizations continue to adopt Zero Trust principles to enable all of their distinct technology teams, trusted industry partners, and agency government leaders and workers to effectively play the team sport of cybersecurity. The growing rate and sophistication of cyber threats is pushing the need for robust and continuous verification of increasingly mobile users, protection of devices and highly distributed workloads, and automation to counter increasingly automated threats. In this session, panelists shared ways to leverage the NIST framework, including CISA guidance built around the NIST framework, and practical advice for starting and sustaining your Zero Trust journey.
Speakers:
- Jayson Cavendish, Chief Security Officer, State of Michigan
- Chris Crider, Senior Security Engineering Leader, Cisco Systems
- Mike Witzman, Senior Director, U.S. SLED Engineering, Cisco Systems, Moderator
State Agency Fraud Detection: A Case Study
This session will detail the New Jersey Department of Labor’s journey during the initial stages of the pandemic and its evolution up to the present day. Panelists provided an overview of the mechanics behind risk scoring claims and explored how data analytics can be repurposed to detect various forms of fraud within state government.
Speakers:
- Chris Perkins, Staff Solutions Architect, Public Sector (State, Local, and Education), Splunk
- Joe Beck, Deputy Chief Information Officer & Chief Information Security Officer, New Jersey Department of Labor
