The State of Washington has undertaken a series of efforts around cyber security that are unique, noteworthy, and potentially of interest to other state and local governments. First and foremost, Washington has made an important conceptual choice, centering its efforts within the broader discipline of emergency management (as opposed to placing them within information technology or law enforcement). Secondly, the state has adopted cross-jurisdictional and innovative information sharing mechanisms that may well be adoptable or adaptable by others. Finally, Washington has taken a thoughtful approach to being transparent and public about its cyber choices, and to maturing its efforts through the clear communication of goals and metrics.
Cyber Security as Part of Preparedness and Emergency Management
The first approach that is worthy of examination in Washington is that the state’s cyber security efforts are largely focused in the vein of emergency management rather than information technology or law enforcement. This is innovative because the other two disciplines create challenges, not insurmountable ones but real ones, to effective cyber security programs. Numerous people and experts have suggested that cyber security needs to be viewed less as an IT problem and more as a business risk, and thus that “A convergence is happening in that cybersecurity cannot be relegated to the IT department.” Law enforcement, while crucial for investigating and prosecuting cyber crime, often emphasizes post-crime or post-event response rather than information sharing and prevention, and there is evidence of continuing challenges to information sharing with non-law enforcement partners. Organizational placement matters for cyber security, and so thinking about these issues is important.
Washington has situated its cyber security initiative within the state Emergency Management Division, part of the Washington State Military Department, and the organization that runs state preparedness and state response efforts. According to work by Francesca Spidalieri, the head of the cyber security program reports directly to the head of the Emergency Management Division, who in turn reports to the Adjutant General (TAG), who is also the state Homeland Security Advisor (HSA). This structure is the result of a “bottom up” cyber planning process that was begun in 2012. Washington is not the only state to try to bring cyber security and emergency management together; Michigan, for example, has made such efforts as well. However, Washington’s is certainly one of the more mature versions of the phenomenon.
Like Michigan’s approach – thinking about cyber as a potential cause of serious incidents or disruption – Washington’s approach has led to a focus on the impact of cyber security on critical infrastructure in the state. The state actually issued a “Cybersecurity Guide for Critical Infrastructure for the State of Washington.” This guide was “…produced by the Energy Sector Cybersecurity Working Group, a collaborative effort composed of staff of the Washington State Utilities and Transportation Commission, Washington State National Guard, Washington State Emergency Management Division, State of Washington Office of the Chief Information Officer, Pacific Northwest National Laboratory (PNNL) and Snohomish County Public Utility District (PUD).” It provides a high level overview of cyber risk, the NIST cyber security framework, related state resources, federal or other national resources, as well as a series of steps tailored for utilities to take to improve their security posture.
Crossing Lines and Sharing Information Across Jurisdictions
Another progressive element of Washington State's efforts is the extent to which it is less beholden to agency, jurisdiction, and sector (public, private, non-profit) boundaries than many other state approaches. The recognition that cyber adversaries and threats cross such lines with abandon, and that rigid adherence to those structural lines will make prevention and response harder, is a widespread one; but taking proactive steps to mitigate that challenge is less so.
The cyber information sharing efforts the state has undertaken are examples of this kind of cross-agency and cross-jurisdiction orientation. Perhaps the most pronounced example of this is the Public Regional Information Security Event Management (PRISEM) system. PRISEM is a “…shared regional cyber security monitoring system, which aggregates and processes cyber event data, provides correlated alerts on threat conditions, and extends situational awareness for public-sector organizations across the Puget Sound area.” It also coordinates jurisdictions with infrastructure owner operators because it “… serves 7 cities and counties, six maritime ports, a hospital and two energy utilities with expansion underway.”
The idea of a regional Security Information and Event Management (SIEM) system analyzing logs from multiple member jurisdictions is an interesting one, and one that might help local governments or infrastructure operators who could otherwise struggle to access such technology. As such, it has been noted as a best practice or pointed to for its unique model in press coverage, and by analysts in the private sector and those focused on the public sector.
PRISEM is also “Integrated with analysts at the Washington State Fusion Center…” This connection appears to have borne fruit. In 2013, according to press coverage, the state “…passed intelligence from the FBI on the Chinese APT1 military hacker group to the Fusion center, the analyst there scanned for devices communicating with the rogue Chinese IP addresses. He found that some universities and corporations were compromised, as were maritime ports, which made up about half of the "hits" communicating with the APT1 addresses.”
Transparency and Maturity
Two other areas where Washington seems relatively unusual are the transparency and maturity of its cyber programs. In terms of transparency, there are numerous states – like New Jersey and Virginia – that have been fairly public about their cyber security efforts, so Washington state is not alone in trying to be public facing. That said, the scale and scope of the documents that Washington has produced and released are impressive, particularly given that much of what many states release publicly consists of warnings, threat indicators, and other sorts of informational products, rather than strategic or operational documents that outline state decision-making and resourcing choices. For example, Washington has not only published but also publicized both a state cyber “Hazard Profile” and the “Significant Cyber Incident Annex” to its Comprehensive Emergency Management Plan (CEMP).
In a related vein, in addition to making some strategic and operational documents available, Washington has demonstrated maturity by not just thinking through, but even making public, some of the goals it sees for the state, as well as some of the metrics it would use to assess progress on those goals. Public documents lay out clear goals like “Conduct quarterly response exercises with state agencies, local and/or private partners that include a cyber objective” and “Identify and document key cybersecurity experts for each of the 16 Critical Infrastructure/Key Resource (CI/KR) sectors.” They also provide metrics for such goals, like “# events, exercises/Qtr” and “% complete – CI/KR experts list,” and assign agencies or units to be the lead for such goals. Additional documents feature longer term goals like “Develop charter that transforms the CEMP cybersecurity annex Integrated Planning Team (IPT) into an enduring cybersecurity working group.” Very few states have released anything like the detailed thinking that Washington has on issues of cyber preparedness and response.
Several of Washington’s documents and approaches also incorporate the NIST framework for thinking about cyber security, which may or may not be a sign of maturity per se, but certainly suggests systematic thinking and the embrace of standards and practices that are widely seen as being of high quality or utility. It is with this in mind that Washington’s work seems to be relatively mature and developed compared with many other states.