The CISO's Desk (September 2023)

Whole of State Cybersecurity

State CISO Ralph Johnson

Many of you may have heard the term "Whole of State" in relation to cybersecurity and wondered what that means. I hope to clear that up for you today.

Tanium, a private cybersecurity company, defines "Whole of State Cybersecurity" as "an approach that emphasizes partnership among different levels of government, educational institutions, tribal entities, and other organizations in the public and private sectors to mitigate cybersecurity threats. By breaking down governmental silos, this methodology enables entities across an entire state to share cybersecurity resources and information to improve their collective security posture."

A whole-of-state cybersecurity approach enables state and local governments and their partners to pool resources to defend against ransomware, supply chain attacks, and other cybersecurity threats.

Why is whole-of-state cybersecurity important?

State and local governments have faced unprecedented cybercrime in recent years. For example, in 2020, local governments experienced a 485% increase in ransomware attacks, which struck no fewer than 2,354 governments, healthcare facilities, and schools.

According to the FBI, local governments pay a particularly brutal price: they were the second most victimized group, behind academic institutions, in 2021. Roughly 44% of ransomware attacks worldwide are now targeting municipalities. The cybersecurity company Emsisoft, for example, observed 77 ransomware attacks involving local governments between January and December 2021. Emsisoft estimates the total cost of these attacks to taxpayers at $623 million. The cost of rectifying a ransomware attack, including the costs of resources, downtime, lost opportunity, and ransoms paid, averaged $1.64 million in 2021.

These facts show that many state, local, tribal, and territorial (SLTT) entities can stand to improve their defenses against ransomware and other threats like supply chain security incidents. Too often, these attacks succeed because municipal governments, K-12 schools, and other small government agencies need more staffing, tools, and expertise to defend themselves adequately. Many lack the contract purchasing power to achieve economies of scale to gain visibility of their interconnected systems.

What is a whole-of-state cybersecurity strategy?

In a Whole-of-State strategy, the state government collaborates with smaller local governmental organizations to ensure everyone is protected from threats. As part of this collaboration, state governments share training, threat intelligence, tooling, and other resources with municipalities and other local organizations to strengthen cyber defenses.

Many states are going even further, using this approach to consolidate security services under a state CISO's leadership. Such a strategy enables local government entities, school districts, state agencies, public colleges and universities, and even the private sector to leverage the same security tools, systems, teams, and strategy.

Understanding the rise of whole-of-state cybersecurity.

Whole-of-state cybersecurity is gaining in popularity for a few reasons. One factor is that this methodology acknowledges the cyber risks shared between organizations in the same industry (malicious actors don't discriminate between different levels of government). Municipalities of all sizes and types share these risks, so by sharing their resources, they can increase their level of defense individually and as a community.

Another factor is reduced duplication of work and effort. State, local, tribal, and territorial entities can't go it alone when it comes to managing shared cyber risks. They don't have the resources or expertise to make it work. And the increasing interconnectivity of systems only makes the challenges more complex and difficult to contain.

Benefits of whole-of-state security include centralized budgeting and resources, reduced duplicative work and tools, and more robust security and incident response.

10 reasons why "Whole of State Cybersecurity" may be the way of the future.

  1. Shared Cyber Risks: Cyber threat actors have proven they do not discriminate between state agencies or small municipalities. All share similar cyber risks.
  2. Economies of Scale: By applying cybersecurity solutions across multiple organizations, states can support state agencies and less-resourced municipalities together, helping to mitigate shared cyber risk.
  3. Reduced Duplication of Work and Effort: There is a tremendous amount of duplication of services, work, and effort from the state to county to municipal levels to defend against persistent and sophisticated cyber threats.
  4. Reduced Cost: Shared services and tools can reduce incremental licensing costs.
  5. Consistency of Service: Shared cybersecurity services or tools create a common culture and language across the state, creating a consistency of service that can benefit users.
  6. Knowledge Sharing and Collaboration: Ease of communication and collaboration between state, county, and municipal personnel regarding challenges or insights.
  7. Standardized Processes, Methodologies, and Technologies: Alignment of processes, methodologies, and technologies across all levels of government and public organizations, allowing for collaboration.
  8. Greater Efficiencies in Training and Human Resources: Less-resourced organizations succeed as services and needed training are available at all levels, regardless of the size of the assigned IT staff.
  9. Streamlined Visibility: IT leaders will have better visibility of service data because the services are applied across a broader range of organizations within the state.
  10. Improved Measurement: With access to more service data, leaders within the state can make more informed decisions on what services are working and where to spend future funds to continue to improve cybersecurity collectively.

Washington State's whole of state cybersecurity strategy.

The Washington State Legislature introduced the concept when SB 5432 (codified into RCW 43.105.450) was enacted into law in 2021. Section 3(g) assigns the Office of Cybersecurity (OCS) the following responsibility:

"To serve as a resource for local and municipal governments in Washington in the area of cybersecurity."

As part of this responsibility, OCS engages in various activities, including aiding local and municipal governments in incident response.

Washington State has just begun to embrace the idea of the "Whole of the State." This strategy is still in development, but watch for future iterations of this newsletter for further developments.