Cybersecurity has long been seen as a federal domain, but an initiative announced by the National Governors Association seeks to shift the discussion to the state level.
The newly created Resource Center for State Cybersecurity will be led by Maryland Gov. Martin O’Malley (D) and Michigan Gov. Rick Snyder (R) and will focus on what states can do in the face of a growing cybersecurity threat.
“It’s more than just encrypt your BlackBerry and do good computer hygiene,” said Thomas MacLellan, the division director for the association’s homeland security and public safety division. “There’s a lot more governors could and should be doing.”
The first stage of the project involves the creation of the National Policy Council on State Cybersecurity, which will comprise about 25 individuals from private industry and federal agencies and include participation from the Departments of Defense and Homeland Security.
The council will share information on statewide cybersecurity problems and resources, and ultimately will draft a policy framework for governors to put into action. MacLellan said the association would begin identifying members for the council in the coming weeks.
In August, Senate Republicans blocked an Obama administration-approved cybersecurity bill. The U.S. Chamber of Commerce — which feared the bill would overregulate industry — lobbied against it. With cybersecurity legislation on the Hill in limbo, MacLellan said he’s aware of the need to get private companies on board.
“We’re looking at those issues right from the outset, and that’s why having private industry at the table at the formation of this is going to be essential,” he said.
The association has already engaged some individual businesses and the Information Technology Industry Council, a lobbying organization for technology companies including Apple Inc. and Google Inc., MacLellan said.
Statewide critical infrastructure and key resource assets, which include the electrical grid, banking industry and transportation systems, have become more vulnerable to cyber-attacks as they become increasingly connected to the Internet. MacLellan said about 85 percent of these assets are owned by the private sector, which increases the importance of cooperation. Without their participation, he said, “You’re not going to get the type of security that you need.”
After the council establishes a policy framework, the focus will change to implementation, which will be uniquely crafted to each participating state, MacLellan said.
“That may be a standing policy council that informs the governor or the CIO,” he said. “It may require legislation on a state-by-state basis. It might require some business practice changes, or it may just require the creation of different partnerships.”
Meanwhile, a former director of the CIA and the National Security Agency said during a Chamber of Commerce panel that creating cybersecurity laws and regulations is the role of the federal government.
“I think everyone can agree, we can’t live with 50 different standards,” retired Air Force Gen. Michael Hayden said. “We feel as if national standards are going to be difficult because this is a non-geographic domain we’re working in, so why would we let 50 different states create different rules?”
Combating cyberthreats continues to be a problem not only for states, but for the federal government as well.
Business organizations such as the Chamber of Commerce see information sharing as the best route to improve cybersecurity. American Gas Association President and former Rep. Dave McCurdy, D-Okla., praised existing information-sharing efforts but criticized the pace at which intelligence is passed on to companies.
“We’d like to be able to share more [information],” he said at the panel. “We’d like it to be able to be more real time, because it is happening in real time.”
Jenny Menna, director of the critical infrastructure cyber protection and awareness branch of the Department of Homeland Security’s National Cyber Security Division, said the department is working to make information sharing quicker and also improve how it distributes sensitive information.
While the department sometimes discloses classified information to companies, there are cases where the department opts not to release sensitive information, Menna said.
“But at least it’s not an automatic, ‘no,’” she said. “There is a lot that goes into it. I think we really try to boil down to the really actionable information.”
When asked under what circumstances the government would hold on to information that a cybercrime was committed against an organization, Menna could not think of a situation where the federal government had known of a specific victim of a network intrusion and not alerted that entity.