A look at the conversation that Governors had at NGA’s 2022 Winter Meeting with public and private sector experts on addressing the rapidly evolving and expanding technological threats we now face.
By Mary Catherine Ott
As an ongoing effort to look at how states and territories can work to improve their cybersecurity posture, the National Governors Association Pandemic and Disaster Response (PDR) Task Force held a session specifically on preparing for and responding to a cyber crisis during the NGA Winter Meeting. Task Force Co-Chairs Connecticut Governor Ned Lamont and Tennessee Governor Bill Lee were joined by the Director of the Cybersecurity and Infrastructure Security Agency (CISA) Jen Easterly, Chief Executive Officer of Ergo R.P Eddy, Merritt Baer, principal at Amazon Web Services, Office of the Chief Information Security Officer and Kemba Eneas Walden, assistant general counsel, Digital Crimes Unit at Microsoft.
The panel explored a variety of topics, from advancing workforce development efforts around cybersecurity and partnering with CISA to implement the new state and local cybersecurity grant program created in the Infrastructure Investment and Jobs Act (IIJA), a long-time priority for NGA, to the geopolitical landscape, combatting cybercrime and increasing resilience.
Specifically, CISA Director Easterly was able to provide a quick overview of the agency’s recently released Cyber Incident Resource Guide for Governors. This guide was developed by CISA at the request of the PDR Task Force during its Summer Meeting session with Department of Homeland Security Secretary Alejandro Mayorkas. The guide is a critical first step in addressing concerns on the lack of understanding of federal resources and capabilities available to states and territories in the event of a cyber incident.
Director Easterly said of the guide, “it is a resource guide for Governors but really anyone at the state and local level to understand how to partner with federal government when facing a major incident…everyone is very likely to face an incident at some point and time. It is increasingly difficult in this highly digitalized, highly connected world we live in to prevent a cyber-attack from happening. So, the more you are prepared for it, the more you are able to respond and recover and mitigate risk and damage to your networks the better off you’ll be. That resource guide should serve as a very useful capability but most importantly we need to exercise those capabilities and come together and plan and ensure we understand how we all work together.”
The guide outlines federal resources available to states and territories from CISA, the Federal Bureau of Investigations (FBI) and the Secret Services and emphasizes the importance of preparing to ensure architectures are adequately protected and resilient in the event of a cyber incident.
Building off CISA, the private sector partners—Ergo, Microsoft and Amazon—emphasized the importance of increasing resiliency and building security into the architecture of digital systems. Understanding who maintains and owns the network, as well as awareness of gaps that may exist, are critical in building security and redundancy.
New Mexico Governor Michelle Lujan Grisham asked how states can work together with both the federal government and private sector as they look to upgrade their tech systems while also addressing the threats and challenges of today. Director Easterly noted the importance of leadership in communicating in a way that is easily understood by all stakeholders.
Connecticut Governor Ned Lamont reminded the audience at the end that “99 percent of intrusions can be stopped by multifactor authentication” and highlighted the interconnectedness of the systems and the impact cascading failures can have on the public trust.
Moving forward, the PDR Task Force will take the opportunity to work with Governors across the country on ways states and territories can partner with the federal government and the private sector to enhance efforts already underway to secure assets as well as look at the low hanging fruit opportunities to address the most vulnerable systems and areas, where it is easiest to improve protections.