No state has emerged as "the" model for cyber security policy and information sharing; nor is any likely to - given the varying needs, resources, and strategic priorities of the many states. Rather, as Justice Brandeis suggested, we've seen in cyber security a classic example of the complexities of federalism and the "laboratories of democracy." That said, the Garden State has shown thoughtfulness and innovation in its recent policy and organizational choices related to cyber security. In recent years, a number of states and localities have been innovating on cyber security policy and information sharing, but few have done as much or as quickly as New Jersey has.
Virginia, Rhode Island, Idaho, and New York among others have stood up state-level cyber commissions, task forces, and advisory boards to prioritize and drive strategic initiatives. Louisiana's fusion center has rightfully gotten attention for its innovative state-level cyber security programs, as have centers in Washington State, Vermont, and Kansas. Regional fusion centers in Northern California, Kansas City, and elsewhere have been engaging partners across sectors and levels of government. Many states and localities are engaged with federal partners, as well as with each other, through mechanisms like the Multi-State Information Sharing and Analysis Center (MS-ISAC), the National Fusion Center Association (NFCA), and the National Governors Association (NGA), among others.
However, New Jersey has embraced several bold, new, or innovative strategies to improve cyber security in the Garden State:
1) Wide and Transparent Information Sharing, Including with Non-Law Enforcement Partners and the Public
First, and arguably most important, New Jersey has embraced a broad set of stakeholders outside the law enforcement community - a key to effective cyber security coordination. New Jersey has targeted its law enforcement partners, but also businesses in the state, and even individual computer users. They've been publicly sharing information on various cyber threat actors from hacktivists to advanced persistent threats, and targets from point-of-sale terminals to the healthcare sector. They've described high-profile data breaches, as well as attack vectors and tactics from exploit kits to social engineering, and have even served as a platform for neighboring states to make cyber security-related announcements. This broad perspective seems like the inevitable trajectory of an effective cyber security policy, and seems likely to spread further beyond New Jersey.
2) Coordination and Co-Location With Numerous State Agencies Across Disciplines
New Jersey has created the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) that serves as "the State’s one-stop shop for cybersecurity information sharing, threat analysis, and incident reporting." The NJCCIC is located within the Regional Operations Intelligence Center (ROIC) - pronounced "the Rock" - that is home to the state's fusion center as well as the state emergency operations center (EOC). The NJCCIC combines law enforcement (both NJ State Police and the NJ State Attorney General's Office), homeland security (NJ Office of Homeland Security and Preparedness), and state information technology (NJ Office of Information Technology) personnel and expertise together in one place. This co-location and coordination is not a guarantee of seamless information sharing, but seems like an important acknowledgment of the limitations of the unequal partnerships that often plague information-sharing efforts by creating "insiders" and "outsiders." The NJCCIC is also inviting businesses and individuals to pass along relevant information through "Cyber Liaison Officers."
3) Centralized Responsibility - and Accountability - For Statewide Cyber Security Efforts, Exceeding State Network Defense
New Jersey has created a position that coordinates state-level cyber security efforts - not just efforts at state network defense like a state Chief Information Security Officer (CISO) - but a broader position focused on statewide efforts to improve cyber security across the public and private sectors. The New Jersey Office of Homeland Security and Preparedness (OHSP) has recently hired Dave Weinstein, formerly of the Defense Department's Cyber Command, as Deputy Director and the state's first Cybersecurity Advisor. Weinstein (aka @jerzcyber) provides a public face, contact person, and organizational lead for statewide cyber security efforts.
4) Partnering With Key State Infrastructure Sectors to Improve Coordination and Information Sharing
New Jersey has always had a large financial services industry, and this sector grew drastically post-2001 when many companies began to keep both disaster recovery sites and expanded office space in New Jersey to diversify out of their lower Manhattan locations. The sector has more than 10,000 businesses in New Jersey, employs almost 200,000 people, and accounts for 6% of the jobs in the state. As such, financial services are crucial to the economic well-being of the Garden State. The NJCCIC recognized this fact early, and has engaged in outreach to key industry partners like the Financial Services Information Sharing and Analysis Center or FS-ISAC. This has resulted in an innovative arrangement – “a partnership to share and analyze cyber threat information on behalf of New Jersey’s banking institutions. Under the terms of the agreement, the NJCCIC’s cyber threat analysts will correlate data from various global financial institutions to identify trends, adversary tactics, and vulnerabilities.”
These four changes are not the only innovations that New Jersey has engaged in, but they are some noteworthy ones that seem likely to provide models for other states and jurisdictions moving forward. In fact, at least one state – Delaware – has acknowledged this publicly.
Cyber security is an information technology issue, but not only an information technology issue. It is a law enforcement issue, but not only a law enforcement issue. It is a national and homeland security issue, but not only those things. New Jersey, by combining the three in its approach to dealing with cyber security, seems to be offering up an important model – “the Garden State model” - of how the sad state of cyber security can begin to get better, and how states can contribute to that improvement.