Cybersecurity for the States: Lessons from Across America

Publication Type: White Paper / Report
Publication Date: May 31, 2018


Natasha Cohen
Cybersecurity Policy Fellow

Brian Nussbaum
Cybersecurity Policy Fellow

Executive Summary

This study examines states’ efforts to advance cybersecurity, enumerating lessons learned from in-depth case studies of three states that have seen demonstrable successes.

State programs are all unique and heavily dependent on the organization of local government, but across all structures, the key lesson is that effective and lasting programs institutionalize cybersecurity efforts in several areas:

  • Formalization of a trust-based relationship with the private sector. Leadership, interest, and involvement from partners can enable timely and actionable information sharing and mitigate risk across the ecosystem.
  • Codified roles, responsibilities, and authorities in law and/or executive order. Such action is a clear indication of leadership support for cybersecurity efforts and helps to reduce friction and confusion.
  • Cross-bureaucratic agreements or structures. Cybersecurity is a topic that crosses the responsibilities of multiple existing institutions, which should all be involved as stakeholders. Bureaucratic superstructures or supra-bureaucratic coordinators help to break down stovepiping and align all of a state's initiatives.

While this report focuses on state efforts, the federal government has a role to play in helping states develop their programs. Priority efforts should include:

  • Designating specific cybersecurity funding that is linked to national priorities. Such funding mechanisms could provide guidance to state and local policymakers and help streamline the national ecosystem. While cybersecurity remains a line item in other funding mechanisms, it necessarily remains more generic and less supportive of current policy and strategic initiatives.
  • Deconflicting and streamlining federal incident response, guidance, and assistance programs. Current stovepiped structures create conflicting guidelines in many areas such as incident reporting and regulatory requirements.
  • Prioritizing and institutionalizing the expansion of formal localized assistance programs, particularly from DHS and DoD. State, Local, Tribal, and Territorial (SLTT) efforts rely heavily on personal connections, for which the existing programs are currently underresourced and/or immature nationally.

Download the full report at New America