Hearing Statement – Cybersecurity and Emergency Management

STATEMENT FOR THE RECORD
Joint Hearing: Bridging the Gap Between Cybersecurity and Emergency Management

Submitted to the House Committee on Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies and Subcommittee on Emergency Preparedness, Response and Communications
United States House of Representatives

On behalf of the nation’s governors, thank you for the opportunity to comment on bridging the gap between cybersecurity and emergency management. Protecting the nation from cyber threats and their potential consequences requires strong partnerships among all levels of government, law enforcement, the military and the private sector. Over the past several years, governors have been working to improve the cybersecurity posture of their states and to improve state-federal coordination. Based on these efforts and states’ interaction with the federal government, we are pleased to offer the recommendations below.

State Efforts to Address Cybersecurity

Since the terrorist attacks of September 11, 2001, and Hurricane Katrina in 2005, national preparedness and response activities have emphasized a “whole community” approach. Despite this progress, state-federal coordination efforts for cybersecurity are still in their early stages. In the absence of unified federal guidance, states are moving forward to develop methods, strategies and partnerships to improve their cyber resiliency and strengthen capabilities to prepare for, respond to and recover from potential cyber attacks.

Governors are leading efforts to expand collaboration and drive change at both the state and federal level. This is taking place through initiatives such as the National Governors Association (NGA) Resource Center for State Cybersecurity and the Council of Governors. Through these collaborative forums, governors have identified a number of areas where enhanced federal support and engagement could further assist states in this national effort. For instance, the federal government should:

• Enhance federal coordination and consultation with states and recognize that governors have emergency powers and authorities that can benefit the federal government.

• Leverage all available resources, such as the National Guard, to support both federal and state cybersecurity missions.

• Provide flexibility for state investments in cybersecurity through reform of federal grant programs and support for innovative state solutions that leverage existing resources such as fusion centers.

• Clarify federal statutes, roles and authorities to address cyber incident response, taking into consideration the role of states and the impact on current state laws and regulations.

• Improve information sharing and state access to federal cybersecurity resources, such as those for technical support, education, training and exercises.

Encouraging Action and Promoting Best Practices

Governors’ efforts are focused on the need to improve not just states’ cybersecurity, but that of the nation. To help governors address this challenge, NGA formed the Resource Center for State Cybersecurity in 2012. The Resource Center, co-chaired by Maryland Governor Martin O’Malley and Michigan Governor Rick Snyder, brings together experts from key state and federal agencies and the private sector to provide strategic and actionable recommendations governors can use to develop and implement effective state cybersecurity policies and practices.

On September 26, 2013, the NGA released Act and Adjust: A Call to Action for Governors for Cybersecurity, a paper that provides strategic recommendations governors can immediately adopt to improve their state’s cybersecurity posture (attached). NGA also released an electronic dashboard designed to provide governors with an overview of their state’s cybersecurity environment and assist them in monitoring implementation of the paper’s recommendations. The dashboard is currently being pilot tested in Maryland and Michigan in conjunction with the Multi-State Information Sharing & Analysis Center (MS-ISAC). Through the Resource Center, governors are exploring other vital areas as well, including:

• The role of fusion centers in collecting and disseminating real-time information on cyber threats to state agencies and law enforcement;

• Enhancing the cybersecurity of energy systems and the electrical grid in coordination with utility commissions, owners and operators at the state level; and

• Developing a trained and enduring cyber workforce within state government.

Leveraging Resources Government-wide

Identifying innovative solutions to address cybersecurity and secure the nation against the growing cyber threat requires engagement by senior leaders at all levels of government.  In addition to their work within their respective states, governors also have engaged directly with the federal government through the Council of Governors (Council). Currently co-chaired by Governor O’Malley and Iowa Governor Terry Branstad, the Council brings together 10 governors and the Secretaries of Defense and Homeland Security to address issues regarding the National Guard and homeland defense.

Since it was formally established in 2010, the Council has served as a valuable forum to facilitate coordination between state and federal military activities, such as a 2010 agreement establishing dual status command authority during major disasters. This authority was employed during recent events such as Hurricane Sandy and the Colorado floods. The Council is now working to turn this commitment to collaboration into similar actions to address state-federal coordination on cybersecurity and the development of National Guard cyber capabilities.

Governors firmly believe the Guard’s unique status serving both governors and the President and its access to civilian-acquired skillsets makes it an ideal and cost-effective resource to address our nation’s growing cyber vulnerabilities. With the flexibility to support both federal and state-related cyber missions, the Guard can be a force multiplier in support of the Department of Defense, the Department of Homeland Security (DHS), the Federal Bureau of Investigation and states. While the National Guard’s role in cybersecurity is still being deliberated, Guard cyber units across the country are already demonstrating their unique capabilities including:

• Serving as a key coordinating hub between various stakeholder groups. Several National Guard cyber units are actively engaged with their governor’s office, state emergency management agencies, state Chief Information Officers and other state, local and federal officials in the development of state cyber incident response plans. Several states have also integrated Guard units within their fusion center.

• Providing key support services in planning, testing, training and exercises. Guard unit participation is continuing to grow in state and national-level cyber exercises such as Cyber Guard, Cyber Storm and Cyber Shield. Several state Guard units also are providing risk assessment and vulnerability testing support to state agencies and local critical infrastructure owners and operators.

• Providing a readily available and highly trained workforce. National Guard cyber units include personnel from a significant number the nation’s top cybersecurity and information technology companies such as Microsoft, Cisco, Siemens, Intel, GE, Boeing, IBM and Google. This access provides a unique opportunity to leverage and sustain “leading edge” civilian-acquired cyber skillsets not readily available or easily built from within the federal government.

Earlier this year, governors secured the commitment of former U.S. Department of Homeland Security Secretary Janet Napolitano and departing U.S. Department of Defense Deputy Secretary Ash Carter to work with them to identify new opportunities to strengthen the state-federal partnership on cybersecurity and to better leverage existing resources such as the National Guard. This work is ongoing, and we look forward to providing the Committee an update on our progress early next year.

Opportunities for State-Federal Engagement

As the development of federal legislation to address cybersecurity continues, governors urge Congress to consider the following recommendations:

• Ensure coordination and consultation with states. Like all disasters, response and recovery begins at the state and local level. Federal cyber incident response guidance such as the National Cyber Incident Response Plan (NCIRP) must not be developed using a federal-centric approach, but must integrate key state officials and consider governors’ authorities throughout the process.

• Promote the role of the National Guard to support both federal and state cybersecurity missions. This includes ensuring that the National Guard is considered concurrently with active duty forces in any new cyber force structure developed by U.S. Cyber Command and the military services.

• Support state investments in cybersecurity through reform of homeland security preparedness grants. In recent years, decreased funding levels across preparedness grant programs combined with their current rigid requirements has limited states’ ability to address emerging threats, such as cybersecurity, or provide adequate support to fusion centers.

• Address ambiguities with cyber incident response. This includes clarifying current statutory authorities governing disaster management, such as the Stafford Act and the Economy Act. Roles and responsibilities of the various federal agencies with cybersecurity coordination and operational authority during an incident should be better defined and corresponding guidance to state and local authorities (such as the NCIRP) should be updated accordingly.

• Improve information sharing with states to provide real-time intelligence on threats. Improving existing information sharing capabilities such as the MS-ISAC and state and local fusion centers can further support this effort. DHS also can provide more structured and coordinated access to federal cybersecurity initiatives such as workforce and training programs, federal cybersecurity exercises and forums for public-private partnerships.

Cybersecurity is a Shared Responsibility

Governors recognize the critical need to improve our nation’s cybersecurity posture.  This is an immense challenge that requires an unprecedented level of coordination among all levels of government and the private sector. Governors are committed to addressing this challenge within their states and are actively seeking to partner with their federal counterparts. As the Committee continues to consider the legislative path forward for cybersecurity, NGA stands as a ready resource for innovative policy solutions that will both support governors’ efforts and enhance the state-federal partnership to address our nation’s most pressing cybersecurity challenges.