GovDefenders Wednesdays | NASCIO Midyear Conference: Focus on Cybersecurity

DLT Solutions has been a corporate member of the National Association of State CIOs (NASCIO) for several years. We support the organization's conferences and serve on several NASCIO committees.

This year's Midyear Conference was held in April in Washington D.C. and was attended by about 500 state CIOs, CIO staff members, and corporate sponsors. The event is usually rich with panels on topics of keen interest to members and presentations by Federal Government officials, and this year was no exception. State CIOs are as concerned about cybersecurity threats as their Federal Government counterparts. This topic was a special focus at this year's conference. State CIOs are gaining support from elected officials who are beginning to see successful cyberattacks as not only a technical problem but also a political problem. Constituents are becoming more aware of information security issues and are demanding that stronger and more effective measures are taken to protect their personal information.

A panel of security officers and/or CIOs from Texas, Georgia, Michigan and Nevada addressed the topic of cybersecurity governance, compliance and collaboration. The panel discussed the importance of establishing proactive versus reactive approaches to meeting the challenge of information security and shared ideas about how to solve both organizational and technical issues through inter-organizational collaboration and development of a risk management plan appropriate to each state and agency. A key point was that the cost of mitigating damage after the fact was exponentially greater than the cost to prevent damage before an attack.

Jim Lewis, senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS), made a presentation on cybersecurity that highlighted national level issues. He spoke in detail about the threat posed by bad actors based in China, Iran, and Russia and the difficulty in bringing pressure on the governments in these countries to eliminate threats. Mr. Lewis also discussed the various Administration and legislative initiatives (e.g., the Executive Order on Improving Critical Infrastructure Cybersecurity, the Cyber Intelligence Sharing and Protection Act (CISPA)) and the difficulty and time required to gain the necessary consensus and momentum needed to effectively implement these measures. The message to NASCIO listeners was to work out simple, high-payoff risk management strategies and implement them rather than delaying for guidance on comprehensive approaches that might be two or three years in coming. He specifically called out application whitelisting, patch management, restricting administrative access to a minimum of staff, and implementing continuous monitoring as four measures that would reduce a high percentage of the most common risks.

Andy Ozment, Senior Director for Cybersecurity at the White House, addressed the President's Executive Order to improve critical infrastructure cybersecurity and spoke directly to the state CIOs interests as the "owners" of much of the country's critical infrastructure. These assets include power plants and the electricity grid, water pumping/distribution systems, food supply chain assets and similar critical infrastructure elements that comprise the nation's infrastructure. He pointed out that the states own much of the critical information technology that is used to deliver Federal program benefits and that these IT resources were also deemed to be critical infrastructure in the context of the Executive Order. Mr. Ozment discussed the practical issues with respect to information sharing and warned the state CIOs that the Federal Government would not be able to share threat information that compromised intelligence sources and methods. In other words, information sharing about threats may at times appear to be a one-way exercise.

Mr. Ozment said that, with respect to critical infrastructure cybersecurity, one of the defining moments for the Administration was last year's successful attack on Saudi Aramco information technology assets by a foreign government that resulted in the destruction of over 30,000 computer hard drives and operating systems. That was a wake-up call.