The National Governor’s Association (NGA) has released a new issue brief calling on state governments to create cyber resiliency plans in response to the growing number of high profile cyber-attacks hitting state and local governments.
Cyber incident response plans are commonplace in the enterprise world as they are usually required for business continuity and cybersecurity insurance. However, state governments are further behind in creating a formalized response to cyber adversaries. For states that have plans in place, they usually fall under the aegis of the Chief Information Officer and are limited to the technology department. The NGA is calling on states to widen the scope and prepare for significant disruptions in state systems and other operations.
NGA is pushing for states to recognize the scope of several recent attacks including ones in California, Georgia, Maryland and South Carolina which resulted in citizen information being compromised, transit systems being delayed and the loss of city computer systems until they could be restored. Coordinated ransomware attacks now routinely go beyond the scope of a simple IT problem where everyone has to just change their passwords.
NGA has identified 15 states that have comprehensive plans in place and uses the issue brief to highlight best practices. Those practices include the creation of a threat-level schema such that state agencies and organizations can respond proportionally. Others rely on an escalation matrix that is mapped to specific response plans and potential communications to the general public.
“Strengthening state preparation for and response to a significant cyber incident is critical to
achieving national resiliency,” writes Michael Garcia, Senior Policy Analyst, Homeland Security and Public Safety Division National Governors Association Center for Best Practices in the brief. “Significant cyber incidents could affect CI across state lines and stretch the federal government’s ability to respond. In such a situation, states will need plans in place to ensure they are organized and prepared to respond without federal assistance.”
The issue brief also outlines how states should think through and audit agencies to identify cyber first responders who will lead during times of attack. The result of the audit should not only identify individuals for leadership roles, but also identify specific responsibilities for each individual and agency. From there state governments can go about setting up procedures to ensure a timely response to cyber-attack.
The full brief is available here.