What States Are Up to In Cybersecurity
Devastating breaches have hit U.S. government agencies during recent years. Perhaps the best known is the 2015 Office of Personnel Management computer breach in which more than 20 million Americans’ personal data was stolen by the Chinese government. State agencies have also been hit. For example, at least 10 California state agencies, including the DMV, Social Services, California State University system, and Employment Development, have had significant breaches over the past several years.
We celebrated the United States of America’s founding and inception this week. While it’s important to recognize our country as a unified nation, our states are hard at work creating laws and policies that enhance the lives of all Americans. It’s worthwhile to highlight the cybersecurity work some states are doing to better secure their state infrastructures, both public and private, and examine the precedent they’re setting for nationwide programs that will be effective in protecting our people, power grids, critical information, and more.
The need to improve cybersecurity at the state level has fortunately been well understood. At the most recent National Governors’ Association meeting in February, a key session focused on the “serious cybersecurity issues” faced by the states and the associated critical infrastructures. Governors from both parties are united in their recognition of the problem (with the governors of Virginia (D), Arkansas (R), and Oregon (D) leading the discussion), and they are paralleling developments in the federal space with actions of their own. In May, President Trump issued an executive order requiring federal agencies to report their cybersecurity status using the NIST Cybersecurity Framework (CSF). Over 30 states are considering or have passed legislation that would require state agencies to report using the NIST CSF.
The National Association of Insurance Commissioners (NAIC) comprises leaders of the insurance-regulating agencies of the states. Although each state governs the insurance operations that take place within its boundaries, the NAIC recognized the need for standardization of state insurance laws governing cybersecurity. To achieve more uniformity, for the last year it has been developing a Model Law to serve as a template for each state.
The New York State Department of Financial Services (NY DFS) has taken the most aggressive cybersecurity initiative to date of any state, even more stringent than national actions. Its rules require all financial services companies operating within New York state to meet minimum requirements that include following a specific list of policies and procedures, recognizing who’s responsible within each entity, appointing a CISO, limiting information access to only those persons requiring it, managing third-party relationships that could introduce risk, and putting an Incident Response Plan in place.
In 2014, California passed a law requiring any entity responsible for a breach of social security numbers or driver’s license numbers to offer identity theft protection or some other type of mitigation service for a period of one year. Legislation currently being considered would strengthen laws to protect personal information in the event of a cyber breach.
On June 2, Nevada created a new state office to address cybersecurity threats. The Office of Cyber Defense Coordination was set up within the Department of Public Safety by a bill that was passed unanimously in the state’s Senate and almost unanimously in the House. The Office will conduct periodic assessments of state agencies, suggest improvements to their operations, institute training for state personnel, and appoint a statewide cybersecurity response team.
Last fall, Oregon governor Kate Brown “outlined the need for a more focused cybersecurity posture in Executive Order 16-13, which opened the door for the Office of the State Chief Information Officer to assume a more enterprise role across the largely federated state landscape.” Legislation codifying the executive order was passed in June. It creates more centralized efforts to combat cyber breaches.
On June 12, Texas passed a bill requiring all state agencies to assess their internal processes and practices, create a detailed improvement plan, and report their status to a centralized body. Reporting must include measures of how well agencies are conforming to national and state regulations, and ongoing cybersecurity training for state personnel is mandated.
The federal government’s powers are restricted by the U.S. Constitution, with much power being reserved to the individual states. It’s therefore reassuring to see initiatives on improving the cybersecurity posture of the states emerging from governors and state legislatures. The pace of cyber governance efforts is accelerating, and the states’ and U.S. government’s collective efforts will strengthen our resolve to fight cyber attacks on our infrastructure and economy.