In November, the Pell Center at Salve Regina University released a report - State of the States on Cyber Security - on cyber security efforts in eight state governments across the US. (The chart on page 8 provides a nice snapshot) This is an important topic, and one that has been wildly under-examined. Additional information on state cyber efforts is available in papers and studies by organizations like the National Association of State Chief Information Officers (NASCIO), the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the National Governors Association (NGA), and commentary – like some that has appeared here on New Jersey’s efforts – are among the few good sources available on these major undertakings. However many of these sources are either very anecdotal or stripped of identifying information (like which states have adopted which practices), and as such don’t necessarily serve as a great data source for comparative analysis.
As such – it is worth taking notice when states are engaged in interesting practices, documenting those practices, and examining what they offer to other states and jurisdictions.
Michigan and "Cyber Disruption Response"
In October 2015, Michigan released a very interesting document, its Cyber Disruption Response Plan (CDRP). This document is the result of a multi year process that included a 2013 Cyber Disruption Response Strategy, and this process was part of a broader statewide focus on cyber security including the creation of the Michigan cyber range, the Michigan Information Sharing and Analysis Center (MI-ISAC) and the Michigan Civilian Cyber Corps among many other efforts. While each of these efforts is worthy of note and discussion – the Cyber Disruption Response Plan is particularly noteworthy.
The CDRP is remarkable on several fronts. It has garnered attention and accolades from federal partners, other state government executives, researchers, and information technology professionals. But more so than the good press and accolades, the importance of the CDRP, and the broader Cyber Disruption Response process that it is part of, are indicative of some of the reasons that Michigan’s approach to cyber security seems more mature than some other states and localities.
Michigan has been engaging in a thoughtful process of building its cyber security functions, and - more so than many states - doing it in a systematic and cross-cutting way. Systematic and cross-cutting may seem like characteristics to be expected in tackling an issue as important as cyber security – but alas, many state and local government efforts in this area have been haphazard, rushed, poorly coordinated, and plagued by disciplinary silos.
Crossing Disciplines and Crossing Lanes
By framing the statewide process as focusing on responding to “cyber disruption” the Michigan approach started with the understanding that many disciplines – information technology, emergency management, law enforcement, the military, infrastructure operators, etc. – would likely be involved in many of the kinds of incidents that Michigan would face moving forward. While this insight seems obvious, this is a decidedly uncommon perspective in the state and local government space. Many jurisdictions claim to be working across disciplines, though silos seem to continue to exist – particularly in information technology, law enforcement, and the military agencies - perhaps for cultural reasons.
The Cyber Disruption Response Plan Roles and Responsibilities annex outlines specific roles for the C-Suite executives you would expect (CIO, CTO, CSO), the technical components that would be required (the state data center, state agency Information Security Officers or ISOs, service providers and vendors) and the Michigan public safety agencies (Michigan State Police Emergency Management and Homeland Security Division, the state fusion center, the MI-ISAC, and Michigan Cyber Command Center); but perhaps more importantly – and uniquely – the document has preplanned roles for military partners (the Michigan National Guard Cyber Teams), federal partners (DHS, FEMA, US-CERT), and non-profit partners (the MS-ISAC, and Michigan Civilian Cyber Corps).
Additionally, from the 2013 strategy document through the 2015 plan, woven throughout the Michigan Cyber Disruption Response process is the idea that information technology and cyber security will be among the key drivers of emergency management and response moving forward. While cyber security may not be the only major change coming down the pike for emergency management (climate change, and aging or neglected infrastructure seem like contenders as well), but with the increasing informatization of more and more infrastructure, it seems impossible that cyber security won’t play a major role in the field moving forward.
“Good. Fast. Cheap. Pick Two.”
Any engineer or project manager can tell you that you cannot simultaneously optimize for everything. A device, program or project that tries to do everything for every client in every situation is bound to make major compromises in terms of usability or capability. The same is true with optimizing all elements of a public policy or other complex undertakings like improving cyber security in a large and multifaceted jurisdiction - thus the applicability of the common refrain “Good. Fast. Cheap. Pick two.”
Unlike many jurisdictions that have rushed to push programs out the door quickly, and without thoughtful deliberation and analysis, Michigan chose to begin with a Cyber Disruption Response Strategy (2013) that laid out a careful and inclusive process to develop a Cyber Disruption Response capability across a host of Michigan state agencies, in conjunction with local and federal partners, and in consultation with private sector and non-profit entities. Michigan devoted both resources (thus not “Cheap”) and time (thus not “Fast”) to its process, and as a result it ended up with a substantially better final product than many of the jurisdictions that either rushed programs out the door, or tried to repurpose existing resources without thoughtful investment in a field of growing importance.
The desire for quick and low cost answers to tough problems is not unique to cyber security, but like most other areas, such silver bullets are pretty unusual. Thus when states or localities are doing interesting things – like Michigan, but also like New Jersey and others – it is worth taking note, giving recognition, and hoping that other jurisdictions can learn from their experience.