As the association releases its latest report on a ‘risk-based’ cybersecurity approach, state technology leaders from around the country emphasize the need for strong governance.
Throughout the sessions of the 2017 National Association of State Chief Information Officers’ midyear conference, the themes of cybersecurity and collaboration remained central discussion points, whatever the topic at hand.
State CIOs noted the challenges they now face in securing their systems as they attempt to expand operations and include an ever-widening group of allies. Among these discussions came Michigan’s announcement of a cybersecurity center fueled by predictive analytics. And on Tuesday, the association released a new report — called Better Data Security Through Classification: A Game Plan for Smart Cybersecurity Investments — that recommends states take a risk-based approach as they decide where to focus resources.
Craig Orgeron, CIO of Mississippi, shared his state’s mission to take on the “intractable” challenge of the digital divide, the disparity in access to technology between socioeconomic classes, and the value of seeking help from outside government.
“We think public-private partnerships are the way to go. Those allow capacity building,” Orgeron said. “But to do that, you’re doing something somewhat different and you’ve got to have governance.”
“Good governance” means creating a statute to support the partnerships, it means legislative oversight and it means clear divisions of labor, he said.
“In addition to putting something in statute, in addition to having our oversight committee made up of four statewide elected officials and our state agencies, we empower that group to govern this process which cuts across lines, provides services to agencies to universities and provides services,” he said.
One way Mississippi is using partnerships to fight the digital divide is through its mobile application, which extends easier access to state services for people who don’t have access to a computer, but do own a device like a smartphone.
Orgeron reported the state’s applications, which have been downloaded more than 200,000 times, are also helping the state realize $7.1 million in cost avoidance.
“We try to do the things we are good at and we try to partner where we need to partner and we try to exploit those relationships and involve as many folks as we can,” he said.
With new applications come a larger attack surface, noted Nelson Moe, Virginia CIO. Cybersecurity, he said, is becoming more sophisticated.
As the latest version of the Internet Protocol (IP) takes hold, the magnitude of the shift becomes more apparent.
“The IPv4 is the size of a stamp. IPv6, the next version, is the orbit of Neptune,” Moe said.
Virginia is a state leader in cybersecurity, with Gov. Terry McAuliffe calling on states to fortify their databases and systems with a new set of 10 basic protocols drafted by the National Governors Association. These protocols are to be finalized June 14-15 when state representatives meet in Leesburg, Virginia, to review them.
Michigan CIO David Behen said his state is pursuing a “citizen-centric government” by being mobile first, using big data, and focusing heavily on cybersecurity. Through a “personal concierge” service called MiPage, 10 of Michigan’s “high profile” systems are providing citizens a portal to government services informed by personal data.
About three years ago, the state began talking about how they were going to continue protecting their data as these new avenues of service became available, Behen said.
“When you launch an app for 10 million people, if there’s a breach, you lose that trust and that confidence,” he said.
To help defend its networks, the state will soon start using its data, Behen said. In the next couple weeks, the state will launch the Michigan Cyber Threat Analytics Center, a group that brings brings together historical data and the current threats facing the state and uses predictive analytics to foresee the next potential attack, he said. In a simultaneous release, Behen said, the state will also release a playbook that walks a state through how to “attack those issues.”
“It’s a story everyone is facing. We’re going to use our data to try to customize and personalize our services to people and protect it. … Five years ago we were talking about systems,” Behen said. “Today we talk about how our data is going to fundamentally change the way we offer our customer service.”