Oct. 7, 2024—What keeps Natalie DeWitt up some nights is no less than the future of her small town, Auburn, located in a sleepy corner of Indiana that's a short drive from the Ohio border.
DeWitt, president of Auburn's city council, has gained a reputation locally and statewide as an advocate for better cybersecurity in rural areas. About 14,000 people live in Auburn.
As DeWitt sees it, the town is on the "cusp of massive growth" as a "bedroom community" to nearby Fort Wayne. Any major problems — including, say, a digital assault on local utilities or a broader ransomware attack — could bring negative attention and financial pain to the city, slowing the progress DeWitt and her colleagues are working toward.
"We have great things on the horizon," she told Government Technology. "If we were to get hacked, that could divert some really great growth."
That's why she's among the countless local and regional officials across the country who have embraced whole-of-state (WOS) cybersecurity and are depending on it to protect their civic futures.
Backed by $1 billion in federal grants, joint contracting, security conferences, and other efforts, WOS pushes states to provide detailed help to smaller agencies that need to strengthen their cyber defenses. It's a team effort in cybersecurity that involves officials from the largest state agencies to one-person local IT shops.
"Cybersecurity is everyone's business," said John Israel, chief information security officer for Minnesota, which kicked off its $23.5 million whole-of-state program in September 2023.
More Help Needed
WOS is still in its early phases, but successful approaches are emerging even as concerns mount that funding won't be sustained. Whether whole-of-state cybersecurity programs take hold will influence the government's never-ending fight against cyber criminals in one way or another.
Speak to public-sector tech leaders in areas with relatively small populations and you'll sense a hunger for more cybersecurity support from larger governments. One reason is that smaller agencies often find it hard to afford a lot of IT help or to buy the newest cybersecurity software. And often, state officials might have a better grasp of the newest cyber threats that keep popping up.
"There is still a lot of progress to be made in municipalities" regarding cybersecurity, said Brent Birkeland, IT director for Douglas County, Minn.
And those smaller towns and counties hardly lack attractive targets.
Utilities are among the largest sources of worry for Birkeland and others charged with defending public-sector tech, and election systems are another huge concern, especially in 2024. WOS theory calls for bringing together experts from various agencies—as well as the necessary funding—to build higher and thicker digital fortress walls protecting those tech assets.
That help comes in several forms.
State-backed or statewide training sessions and conferences, for instance, provide cybersecurity updates to IT officials in smaller agencies while also helping them expand their professional networks, which can be handy later, including during emergencies.
DeWitt, for instance, appreciated the Indiana Public Sector Cybersecurity Summit,* now in its second year, for raising awareness of the issue among the more than 300 people who attended — a group that included city and county officials eager for more information about how to protect the upcoming elections. Speakers included an "ethical" hacker and tech leaders from state government, including CIO Tracy Barnes.
"We talked about cybersecurity insurance, which some communities don't have," said DeWitt, who is on the summit's advisory board. "That's a little scary."
A more direct — and expensive — form of help came when Indiana decided to spend $20 million for endpoint detection and response services to 31 local agencies in the state.
The money originated from year one of the State and Local Cybersecurity Grant Program (SLCGP), the billion-dollar, multiyear federal effort to support WOS work, and is meant to help monitor end-user devices for cyber threats.
Texas, meanwhile, has $40 million in federal funds to spend over four years on projects that conform to the state's SLCGP Cybersecurity Plan. Successful applicants for those grants also face other requirements, including using web application vulnerability scanning and undertaking annual cybersecurity reviews, which are free thanks to federal backing. Recipients also must join the Texas Information Sharing and Analysis Organization, a cybersecurity education and collaboration group.
New York State offers another way to do whole-of-state cybersecurity. In 2022, Gov. Kathy Hochul and local leaders announced the launch of the state's Joint Security Operations Center, designed to help the state gain a broader, more comprehensive view of cyber threats while boosting security coordination among various governments.
"There is a new type of emerging risk that threatens our daily lives, and just as we improved our physical security infrastructure in the aftermath of 9/11, we must now transform how we approach cybersecurity with that same rigor and seriousness," Hochul said at the time.
Douglas County, Minn., population 39,000, uses the state's shared-services model to boost its cyber posture.
Enterprise Class Abilities
Back in Minnesota, the state — with the participation of Minnesota IT Services and the Minnesota Cybersecurity Task Force — has outlined plans to spend its $23.5 million worth of federal and state WOS funding.
The state says that at least 80% will go toward programming. Minnesota has also earmarked 25% for rural areas (funding will also go to tribal areas). The general goals of the spending include advanced cybersecurity detection and defensive tools, more threat intelligence analysis and collaboration, and enabling access to security products, services, and resources.
"Getting everyone access to foundational cybersecurity abilities" is one of the main needs of the state, according to Israel, Minnesota's CISO. That will involve, he added, "bringing enterprise-class abilities to small governments."
That appeals to tech leaders in lower-level public agencies, including Douglas County. Birkeland said that while Minnesota already offers a shared-service delivery model, there are still more benefits from what he called "collective buying power."
Such a process could lead to, for instance, better security incident and monitoring tools, including real-time alerts, and more advanced digital dashboards that help officials respond even more quickly to cybersecurity threats and incidents.
Gaining access to better tools, including through joint contracting efforts, promises to prove even more vital over the next couple of years. As Birkeland pointed out, more systems will soon run on artificial intelligence, presenting fresh challenges to public-sector IT and security leaders.
Contracting Benefits
According to Torry Crass, the state's chief risk officer, North Carolina, too, has made contracting a major part of its whole-of-state cybersecurity work.
The North Carolina Department of Information Technology (NCDIT) "has developed a comprehensive state term contract that provides a flexible portfolio of cybersecurity software, products and services," Crass said via email. "This contract is intended to be an option across all government entities within the state. In turn, this will help reduce costs, improve adoption of best-in-class cybersecurity technologies and reduce the risk across the state."
On July 2, NCDIT requested proposals for what will become the cybersecurity products and services contract, he said. Such contracts are "pre-negotiated agreements between the state and a vendor," allowing eligible agencies to choose tools and services that best fit their needs.
By having the department purchase such tools in bulk, the state can get a lower price than individual agencies could, which is passed along to NCDIT customers. They include local governments who can leverage a particular contract.
"Most local governments need a much smaller quantity and acquiring these services on their own would translate to higher prices per unit," Crass said. "These lower costs also enable recipients of grants such as the state and local cybersecurity grants to stretch funds further."
As all that happens, NCDIT continues to seek more funding that could help small governments fight off cyber criminals.
Crass said the state's FY 2024 budget will "centrally fund" a web application firewall that offers edge protection for applications and services. The budget also has money for two years for what he called "generation endpoint protection."
While that money will go to executive branch agencies, local governments could also get a piece of the pie, so to speak, even if indirectly.
"We have been able to extend these tools to local governments in a few instances where funding has been available," he said. "In addition, state agencies and local governments have connected systems. Protections on the state network have downstream benefits to the local governments who are connected or rely on those systems to provide services."
Tippecanoe County, Ind., CIO Kent Kroft stressed that smaller jurisdictions like his benefit from cybersecurity guidance and standards from the state.
Flexibility and Standards
According to Kent Kroft, the CIO of Tippecanoe County in Indiana, contracting and other types of cooperation are vital to the future of whole-of-state cybersecurity.
"You can't have the state dictating policy to all local governments," he said. "Things are so unique that no one size fits all. The state has to work with a lot of flexibility."
From his point of view, it's also important that state officials offer guidance on cybersecurity — help on how to achieve the common goal of protecting the public's digital properties — without trying to assign blame to smaller agencies that might be behind the curve. Common standards also go a long way toward strengthening defenses.
Indeed, recognizing the specific needs of communities before handing out federal funds is New Hampshire's approach during its first year in the SLCGP.
The state received $2.5 million in cybersecurity funding and could have distributed the funds directly to local agencies. Instead, officials took a hard look at what specific areas were needed, using feedback and other data points as part of the analysis, and then used the grant money to fill cybersecurity gaps.
One of the gaps had a relatively simple fix: getting local agencies to adopt the .gov domain, generally considered safer against criminals and more legitimate by constituents than other domain options. The New Hampshire WOS plan also calls for more multifactor authentication, security training, and other defenses.
Will It Last?
All good things come to an end. That is what some WOS and public-sector tech leaders worry might happen to those cybersecurity improvements, just as these efforts are really starting to catch air.
From a government tech supplier perspective, whole-of-state cybersecurity software is a growing source of revenue, according to Drew Bagley, vice president and counsel of privacy and cyber policy for CrowdStrike. CrowdStrike has sold WOS-related software to New York, Minnesota, and Wyoming clients.
Speaking to GT in early July (before the company's flawed update impacted systems worldwide), Bagley said a big change is happening now in whole-of-state cybersecurity. The change roughly reflects ongoing trends in emergency dispatch, community engagement and other tools used by state and local governments.
"We are now looking at this problem holistically," he said. "That is the revolutionary part. There is a unified visibility into the threats. And with the WOS model, there is this notion of it's not every agency for themselves."
CrowdStrike sells its tool and works with states in various ways. In Minnesota, for instance, the company functions as a managed services provider, which helps states deal with staffing shortages. But as such relationships progress, there is the looming worry that funding won't last.
One of the big questions, Bagley said, is whether states can sustain WOS funding, especially given that cybersecurity tends to find more strength via long-term strategies instead of ad hoc, year-to-year responses.
An eventual lack of funding — SLCGP money could run out in 2025 — could take away some of the fuel for serious cybersecurity work that, really, is just getting started in some places. That includes parts of Indiana, where officials are working to expand WOS to many more towns, cities, counties, townships and other relatively small governments.
DeWitt, for instance, worries about an attack on the local water utility in Auburn as she works for more cybersecurity resources and lobbies for state laws to help officials like her better defend their towns. Even fresh "best practices" regarding cybersecurity would help.
"I hope we can build in more of a [cybersecurity] budget for small, rural communities," she said.
*The Indiana Public Sector Cybersecurity Summit is hosted by Government Technology.
This story originally appeared in Government Technology magazine's September/October 2024 issue.
(c)2024 Government Technology
Distributed by Tribune Content Agency, LLC.