In March 2022, the FBI issued a warning that ransomware attacks were straining local governments and public services. This was not news. Nationwide, numerous city and county offices, police departments, schools, and other local agencies had reported suffering data breaches and service disruptions.
In North Carolina, state leaders recognized that such attacks are not just local problems with local ramifications. City and county offices and services interconnect with one another and with state agencies. They all have a vested interest in working together to improve their collective security.
Challenge
The FBI said that most attacks targeted smaller municipalities and counties, given that they were likely to have resource and budget limitations. Being underfunded and understaffed and working with outdated systems “often put them in the position to pay ransoms simply to get the data back,” the FBI noted.
“We’ve got to recognize that government entities don’t all have the same capabilities,” said James Weaver, Secretary of Technology and Chief Information Officer (CIO) for North Carolina, speaking during a recent GovLoop online training. “Even at the state level, we have agencies with varying capabilities.”
The North Carolina Department of Commerce annually ranks the state’s 100 counties based on economic well-being and assigns each a tier designation. The 40 most economically distressed counties — Tier 1 — are the likeliest to struggle with cybersecurity.
“In some Tier 1 counties, the IT guy is probably also the person who is mowing the grass, who’s doing three or four other things,” Weaver said. “And in some cases, they’re also running critical infrastructure systems.”
But larger municipalities and counties are struggling to staff up, too; the competition for cyber experts is fierce.
“There are over 21,000 cyber jobs today in North Carolina across public and private sector that are unfilled, and that number will continue to grow,” Weaver said.
Such a shortage makes it difficult for any organization to develop systems and processes to prevent cyberattacks, and to respond quickly and effectively when attacks happen.
Solution
To address these challenges, North Carolina is taking a whole-of-state approach to cybersecurity. The initiative, which began in 2018, encompasses a wide range of entities, from state and local government and educational institutions to organizations managing critical infrastructure.
Every organization is doing its best to secure the data under its purview, to protect the state’s citizens and businesses. A whole-of-state approach means “bringing all those resources together,” Weaver said.
The initiative has three key components:
- The NC Information Sharing Analysis Center (NC-ISAC), which collects and analyzes emerging threats and cyber incidents
- Mandatory cyber incident reporting by all local government entities, with reports required within 24 hours of a confirmed attack
- The NC Joint Cybersecurity Task Force, a cross- government team that supports agencies dealing with an attack
With mandatory incident reporting, NC-ISAC can provide a comprehensive view of the cyber landscape statewide, which helps cyber experts understand and prepare for emerging and active threats.
Meanwhile, the joint task force brings the kind of cyber expertise that many individual agencies lack, including in advanced threat hunting and incident response. But just as important, they help agencies build their own expertise in preventing and responding to attacks.
Outcomes
Weaver makes clear that a whole-of-state approach does not mean a Big Brother approach. It hinges on giving local entities a voice in the process.
The task force includes representatives from the North Carolina Local Government Information Systems Association, an IT professional association that also manages an IT Strike Team that assists local agencies with emergency responses.
The association’s involvement is not just for appearances, Weaver said. “If it’s a local government-related incident, [the association] is driving the conversation. Everyone else is a partner [in the process].” This is one of the guiding principles of a whole-of-state approach: Everyone is a stakeholder.
This article appears in our guide “Bright Ideas for Making Cyber Stick.” To see more about how agencies are implementing cybersecurity, download the guide.