No state or local entity should assume that it’s too small or innocuous to undergo a cyberattack. Hackers will breach every government network eventually, and agencies that are underfunded and overconfident in their cyber defenses make successful attacks all-too-easy.
To manage and recover from a cyber event, organizations need updated, coherent strategies — not faded handbooks pulled off a shelf. For certain, officials must “prepare for the worst,” said Michael Gregg, North Dakota’s Chief Information Security Officer, “and be ready to deal with whatever comes [their] way.”
The Journey So Far
Over the past year, Gregg and his team have focused on the increased volume and variety of cyberthreats. “The attacks that we see and the number of attacks coming in are really amplified way up from what [they were] just a few years in the past,” he said. For instance, nation-state actors are targeting state entities in the U.S., denial-of-service attacks are more common, and AI is defeating traditional cyber protections. “Controls that we put in, historically, to try to prevent … problems can now very easily be bypassed with AI,” Gregg said.
His office also has worked toward a whole-of-state security approach, as per a 2019 North Dakota law that gave the cyberteam command-and-control over cybersecurity in all branches of state government. Every public-sector entity — city, county, school, library, police station, etc. — gets its network services from his office, Gregg explained, and the goal is for all entities to buy and use the same tools.
A third priority has been readying the North Dakota public sector for future events “because it’s not if the next bad thing will happen, but it’s when,” he said. That includes staff training and running through cybersecurity processes so they become second nature. Gregg calls it “sharpening the saw.”
On the Horizon
Through 2025, strengthening agency preparedness will be a major objective, he said. His team has begun visiting with state and local entities, spending at least half a day with each of them, to review their cybersecurity and business continuity plans. Officials discuss whether the strategies are “living,” if hard-copy backups exist — because electronic documents could be inaccessible during a cyberattack — and which communication options would be available during a major event . “In a previous job, I asked someone for a plan, and they pulled it off the shelf, blew the dust off it … and said, ‘Sure, we’ve got a plan from [about] 30 years ago,’” Gregg remembered. That’s a problem for any organization, and certainly for government.
Soon, Gregg’s office will develop its approach for the North Dakota legislative session, which takes place every other year. Working with public-sector entities to discuss their priorities and the related security impacts, he and his team will consider, for instance, whether third-party risk assessments and new vendors would be appropriate.
The idea is to create a unity of effort, Gregg said, “so when we go to legislative session, we can help support our partners with what they need, and they can help support us, where we can do things to move the program forward.”
This article appeared in our guide, “Going Places: Priorities for State and Local Tech.” To read more about how local governments are making the most of technology, download the guide.
Leave a Reply
You must be logged in to post a comment.