Senior IT officials from Texas and Pennsylvania agreed this week at the Route Fifty Tech Summit that the key to success in meeting cybersecurity challenges is collaboration among all the governmental entities – Federal, state and local – along with their vendor partners.
The Route Fifty event featured a “C-Suite Session: Cybersecurity” with a panel including: Amanda Crawford, Executive Director and State Chief Information Officer, Texas Department of Information Resources; Erik Avakian, Chief Information Security Officer, Commonwealth of Pennsylvania; and moderators Karen Robinson, President and CEO, KWR Strategies, and Claire Bailey, President and CEO, G2C CXO Strategies.
Teamwork Leads to Charges
Texas’s Crawford kicked off her remarks with a timely observation regarding a new round of cyber criminal charges filed this week.
“The Department of Justice announced that they had unsealed the indictments on two individuals that are allegedly responsible for a string of ransomware attacks, including the one that impacted 23 Texas local governments back in 2019,” she said.
Crawford explained that her office led the state’s response to those attacks, and hailed the law enforcement action. “We’re really excited to see that some progress was made and the investigation was fruitful,” she said. “It’s also important to note in those incidents none of the Texas entities paid the ransom, but plenty of other private entities and public entities across the country did.”
She explained that the state’s success was a huge step in showing what partnerships can achieve. “I just keep harping back to relationships because when we responded to that event, it wasn’t just by ourselves,” she said. “We had our state partners. We had our federal partners, including the FBI, and private sector partners as well.”
Crawford said the multi-governmental collaboration was not a one-off deal, as the groups continue to work together. “The Cybersecurity and Infrastructure Security Agency (CISA) actually came down to Texas just a couple of weeks ago to have a meeting on how we can strengthen those partnerships,” she said. “So it is all about relationships, and that’s one of the things that we try to do with our state agencies and higher ed and local government customers as well here in Texas,” she said.
Her final point remains a critical one. Like half the states in the country, Texas uses a federated IT governance model, where the state CIO has limited enterprise-wide authority or jurisdiction. “We don’t have the authority to necessarily mandate for all government,” she explained. “We can set standards, we can set policies, we can try to guide and lead the way, but at the same time we do want to provide services and solutions,” Crawford said of that demanding set of tasks.
Legislative Efforts Help
Fortunately, and making her agency’s task easier, the Texas legislature recently has been quite supportive in passing a comprehensive cybersecurity and data management bill. “We also received quite a bit of funding to be able to provide endpoint detection and response software for state agencies at no cost to them. That’s huge,” Crawford said.
Her agency also received continuing funding for a state agency multi-factor authentication program, and money for other cyber initiatives including a pilot program for a security operations center at a Texas university. This will help provide local governments with those resources that they need to be able to connect in through infrastructure, outreach and incident response.
Bailey, a former Arkansas CIO herself, pointed out that state Gov. Asa Hutchison recently created a cyber task force through an executive order. The task force will function as a clearinghouse, among other purposes, to bring everybody together to make sure they’re sharing cyber-related knowledge and best practices.
She asked Pennsylvania CISO Avakian about his state’s collaboration efforts in a similar vein.
“There are different approaches that we’re taking when it comes to collaboration initiatives that the commonwealth has going on. First of all, we look regionally, and we look at the states that we partner with,” he said. For example, Pennsylvania, being in Federal FEMA Region 3, is in a regional group along with five other mid-Atlantic states and the District of Columbia, and meets regularly on cyber issues in addition to hosting related workshops.
“I think leveraging our regional capabilities when it comes to task forces is really important because we can look at the bigger picture,” Avakian said.
He also explained that there’s a narrower focus as well. “It starts with governance. We have a security governance committee that works in the commonwealth, and which comprises all of the different agency information security officers,” the state CISO said. The committee meets regularly, working with all the different agencies, and this provides a strong collaborative approach to cybersecurity when it comes to policy, or when it comes to establishing new shared service for the greater agency-wide community.
“We’re putting in services that everybody has a piece of, right? So, they have a seat at the table. They’re able to talk about their needs, and so that whatever we’re putting in place, it’s a collaborative approach,” Avakian said. “They’re making sure that they’re putting in the right solutions and policies to meet everyone’s needs collectively.”
Avakian also pointed out that Pennsylvania recently participated in a National Governors Association working group on cybersecurity. “The outcome of that working group has now been this ongoing project in the commonwealth, where we’re involving different agencies within emergency management, our state police, our Fusion Center, Homeland Security plus our department and others to plan and decide on what does the next level of cyber assistance look like for our counties.”
Find out more about how collaboration is front and center in Texas and Pennsylvania by checking out the link to the panel video-on-demand.