States have reacted to increased concern about cyber threats and cyber security in numerous ways. They've created new security organizations to do analysis and outreach. They've created plans and procedures to respond to cyber incidents. They've conducted exercises and related simulations to ensure readiness. They've even created separate grant programs that target cyber security or cyber vulnerabilities.
One other approach that numerous states have adopted is one that should be familiar to those who've watched national security policy, and how the federal government has attempted to approach emerging security issues - the use of commissions, boards, task forces, working groups, and related multi-agency and multi-disciplinary structures. The Hart Rudman Commission (1998) looked at homeland security threats, the Gilmore Commission (1999) examined the threats from weapons of mass destruction, the Bremer Commission (2000) looked at terrorism threats, there have been more recent suggestions and calls for a commission related to countering violent extremism (CVE), and recently the White House announced a new commission on Enhancing National Cyber Security.
States too have begun to adopt the commission format to think and plan for security challenges, particularly cyber security. At least 9 states (i.e. about 20% of states) have created a state level organization - a commission, a task force, a working group, or a board - that is tasked with strategic thinking about cyber security across state agencies and departments, and often to include the private and not-for-profit sectors.
Some prominent examples include:
In 2013, New York State created the Governors Cyber Security Advisory Board. The board is tasked to "...advise the administration on developments in cyber security and make recommendations for protecting the states critical infrastructure and information systems."
Also in 2013, California launched its California Cybersecurity Task Force. The task force "...serves as an advisory body to the State of California Senior Administration Officials in matters related to Cybersecurity. By fostering a culture of cybersecurity through education, information sharing, workforce development and economic growth, the Task Force hopes to advance the State's cybersecurity and position California as a national leader and preferred location for cyber business, education, and research."
In 2014, Virginia created the Virginia Cyber Security Commission. The Commission offered recommendations on areas including:
- Education and Workforce
- Economic Development
- Cyber Crime
- Cyber Infrastructure and Commonwealth Network Protection
- Public Awareness
In 2014, Iowa created a state cyber working group. The working group was "...comprised of state agencies and key federal and private partners, looked at ways to prevent, detect, respond to and recover from cyber threats in Iowa. State of Iowa agencies involved in the group were the Office of the Chief Information Officer, Iowa National Guard, Iowa Department of Public Safety, Iowa Department of Homeland Security and Emergency Management, and the Iowa Communications Network. In addition, the FBI, U.S. Department of Homeland Security, private industry and the Multi-State Information Sharing and Analysis Center participated in the group."
- State Information Technology Systems Security Review Working Group;
- Rhode Island National Guard Development Working Group;
- State Police and Forensic Development Working Group;
- Information Sharing and Integration Center Development Working Group; and
- Workforce Development and Skills Training Working Group.
Nevada has created a committee within its Nevada Commission on Homeland Security that focuses specifically on cyber issues. While it may not seem on par with the others, it's description makes it sound quite similar. It is "...responsible for providing advice and recommendations to the Commission on Homeland Security on Nevada’s cyber security risk, cyber threat preparedness posture, statewide cyber security plans, cyber related training and exercises, and enhancement of security awareness through education, public awareness, and engagement with public and private sector partners."
In 2015, North Dakota formed a Cybersecurity Task Force. The task force, "facilitated by Lt. Gov Drew Wrigley" is tasked to "...complement and build on policies and practices already established by the North Dakota Information Technology Department. This includes an expanded governance structure for cybersecurity among the state’s executive branch of government to share best practices and recommend new policies for mitigating future cyber-attacks. The team will also identify ways to enhance the use of network defense and monitoring tools, implement training and awareness programs for state employees and develop a cyber-incident response strategy."
Also in 2015, Idaho created the Idaho Cybersecurity Cabinet Task Force. The task force will be "...charged with developing policies, programs and strategies to detect vulnerabilities and prevent attacks. The Task Force will also be charged with promoting a culture of cybersecurity awareness in which all Idahoans are vigilant and aware of vulnerabilities and cyber risks."
Maine created the State of Maine Information Protection Working Group. According to the establishing executive order, the group has representation from numerous agencies and stakeholders (notably including the University of Maine system):
- the Department of Administrative and Financial Services
- the Department of Defense, Veterans, and Emergency Management
- the Department of Public Safety
- the University of Maine System (including the Maine Cyber Security Cluster)
- the Cyber Security Incident Response Team
- other relevant federal, state and local government entities.
At least several of these organizations have issued reports or findings - including Rhode Island and Virginia. Other states, including Minnesota, have seen recommendations for the establishment of such organizations.
There are also many more narrowly focused state level boards, working groups, commissions and task forces:
From 2011-2014, Maryland had a Maryland Commission on Cybersecurity Innovation and Excellence.
Kentucky has a Financial Cybercrime Task Force.
Clearly this is an area experiencing growth, and where policy entrepreneurship is alive and well. Innovation is key to responding to a changing threat landscape. Hopefully, in addition to a lot of parallel experimentation and innovation, we can also get rigorous comparison of outcomes and collective learning about what works and what doesn't. We currently have a lively and dynamic set of approaches being tried - the next step is understanding best practices, lessons learned, and areas for improvement.