Enhancing cybersecurity comes down to three keys: public, people, and partnerships.
That’s the message White House National Cyber Director Harry Coker, Jr. delivered to NGA’s Cybersecurity Policy Advisors Network, which serves as a forum for Governor’s offices to collaborate, share best practices, and develop policy solutions to combat ongoing challenges and emerging threats. Addressing Governor’s cybersecurity policy advisors, Chief Information Security Officers (CISOs) and other cybersecurity leaders from 23 states and territories, Coker broke down cybersecurity strategy along each of those three pillars at the network’s annual meeting highlighting the impact that state policies and actions can have on cybersecurity.
Public
Public awareness and action are essential, Coker noted. “Every American needs to know that this threat is applicable to them individually and collectively,” he said. “The public needs to know that we’re under attack every moment of every day.”
Coker summarized a handful of concerning trends included in the 2024 Report on the Cybersecurity Posture of the United States. Trends include evolving risks to critical infrastructure, ransomware, supply chain exploitation, commercial spyware and artificial intelligence.
Cybercrime is on the rise, Coker underlined – with ransomware attacks from nation-state actors and non-nation-state actors targeting “those that are least able to defend themselves in cyberspace; those that are what we call target rich and cyber poor,” including schools and hospitals.
Regarding Artificial Intelligence (AI), Coker offered a measured assessment. “As with most technologies, there are pros and cons,” he explained. “We do not want to run away from generative AI, or AI in general. We want to leverage it, but we need to be clear-eyed.”
The bottom line for public awareness: “Cyber knows no boundaries; the public needs to know: rural, suburban, interstate – it impacts us all.”
People
With hundreds of thousands of open cybersecurity positions, building a cyber workforce is a top priority. The shortage is “not because we don’t have talent” Coker emphasized. “We need to do better spotting that talent, reaching that talent, inspiring that talent, hiring it and retaining it.”
He highlighted programs like the Service for America campaign. This joint initiative – led by the Office of the National Cyber Director (ONCD), the Office of Management and Budget, the Office of Personnel Management, the Department of Labor, and the Department of Veterans Affairs – aims to connect more Americans around the country to good-paying, meaningful cyber jobs. One of the campaign’s central messages is “to ensure the public knows that cybersecurity defends our nation, cybersecurity enhances our economic prosperity, and cybersecurity advances our technological innovation.”
Partnerships
“Federal government cannot succeed, will not succeed, in cybersecurity without partnership with state, local, tribal and territorial governance [and] without the partnerships of the private sector,” Coker emphasized.
“It’s often lost on people that the private sector owns and operates the majority of our critical infrastructure,” Coker explained. “They are our mission partners, and we have to support those owners and operators of critical infrastructure.”
Coker outlined a few of the resources and services federal agencies like CISA provide to state partners, including Protective Domain Name Service (PDNS), which is available to K-12 schools at no charge. ONCD has identified PDNS services as common solutions that all schools and districts should utilize to help prevent ransomware and other cyberattacks. PDNS services prevent computer systems from connecting to harmful websites and other dangerous areas of the internet without the user having to take any action. He encouraged the audience to refer their school districts to ONCD’s webpage to learn more.
State Spotlight
Governors are implementing a number of strategies – tailored to their states – to achieve these priorities. This snapshot of four states illustrates just a few of the actions Governors are leading in cybersecurity.
New York
Governor Kathy Hochul announced the appointment of a chief cyber officer and the creation of a Joint Security Operations Center in 2022 to serve as the nerve center for joint local, state and federal cyber efforts, providing a statewide view of the cyber-threat landscape. In 2023, Governor Hochul unveiled the state’s first-ever statewide cybersecurity strategy, which clarifies agency roles and responsibilities, outlines how initiatives and investments knit together into a unified approach, and reiterates the state’s commitment to providing assistance to county and local governments. Following the release of the statewide framework, the Governor announced an expansion of the State’s cybersecurity shared services program to enhance whole-of-state cybersecurity by providing endpoint detection and response tools to more local governments and introducing attack surface management as a new shared service for counties. The Hochul administration also recently adopted new regulations to help NY hospitals establish cybersecurity policies and procedures.
North Carolina
North Carolina’s whole-of-state strategy includes a Joint Cybersecurity Task Force. Formally established by Governor Cooper’s Executive Order in March 2022, the Task Force encompasses the state’s Department of Information Technology, Emergency Management, National Guard and Local Government Information Systems Association Cybersecurity Strike Team. It fosters cooperation between the public and private sectors to fight cyberthreats to critical infrastructure. Adding to its arsenal, North Carolina also enacted legislation that prevents government entities from paying ransomware.
North Dakota
Governor Doug Burgum signed legislation in 2019 authorizing a central service approach to cybersecurity strategy across all aspects of state government including state, local, legislative, judicial, K-12 education and higher education. The state also adopted Computer Science and Cybersecurity Standards toward its goal “Every Student. Every School. Cyber Educated.” Building on this priority, North Dakota approved legislation in 2023 requiring the teaching of computer science and cybersecurity and the integration of content standards into school coursework for K-12 students, making it the first state in the nation to require cybersecurity education.
Ohio
Governor Mike DeWine issued an executive order in 2022 creating a new cabinet-level position of Cybersecurity Strategic Advisor to guide the state’s cybersecurity efforts across agencies. Governor DeWine previously signed legislation forming the Ohio Cyber Reserve, a civilian volunteer cyber force under the command of the Adjutant General. In coordination with the Ohio National Guard, the Ohio Cyber Reserve is organized into regional teams of trained and certified cybersecurity experts across the state, ready to deploy and respond anywhere a cyber incident occurs in Ohio. Ohio further complemented the Ohio Cyber Reserve with the Ohio Cyber Integration Center, which is a cyber fusion center directed by the Department of Public Safety’s Ohio Homeland Security and co-located with civilian staff from the Ohio Adjutant General. The Center is the hub of coordinating incident response activities from the state of Ohio. Through CyberOhio, the DeWine administration has developed free training and consultation services for local governments, as well as grant funding to assist local government entities with cybersecurity software and services to boost their preparedness and resilience.