Ello Guv'nor! States Take the Cybersecurity Helm

As partisanship muddles federal efforts, governors are uniting to establish cyberlaw and order in both public and private enterprises

Governor Terry McAuliffe of Virginia, one of the most vocal proponents of proactive cybersecurity, stepped up his game at the National Governors Association (NGA) meeting on February 25. Amid speculation (and impatience) over how pressing data breaches seem to be to the White House, he is corralling state leaders together to remedy security shortcomings that D.C. seemingly cannot.

The NGA’s focus on the government is merely one step in McAuliffe’s cybersecurity vision. The NGA conference last year was aimed at private-enterprise executives: aligning state governments with healthcare CEOs to confront their challenges. “Cybersecurity is an issue that threatens all industries,” he said at the time. He also created the Virginia Cyber Security Commission, which unites public and private industry leaders to work holistically with his administration.

At this year’s RSA conference, McAuliffe remarked: “I wish the federal government could do this, but it’s very hard, unfortunately, due to partisan politics. They haven’t been able to take the lead on this issue, as they should have.”

Meaningful change, he reiterated at the NGA talk, must start at the state level. He has a good point. Governors are better equipped, as The Mercury News points out, in “finding innovative solutions to public-policy challenges.” They can also forge legislation more quickly than national leaders.

Then he reasoned that state-security reform may be the more pressing concern anyhow. McAuliffe claimed to NGA members that last year alone, Virginia suffered more than 86 million cyberattacks, including attempts at hacking into his own email account. “The governors of our nation actually have more data than the federal government,” he said. “When you think of all the data we have, through our state tax returns through the Medicaid and health-care programs we provide, department of motor vehicles, we have a wealth of information that every single day people are trying to get.”

“We are not where we need to be,” agreed John Carlin, former assistant attorney general for the Justice Department’s national security division. Arkansas’ governor, Asa Hutchinson, mentioned his plans to fold data centers and enterprise architecture into a new Department of Information Services. Meanwhile Gov. Kate Brown of Oregon expressed her imperative to tighten security after a 2014 attack on the state’s campaign finance and business-registry sites.

Determining governmental protocols will prime states for more sweeping legislation. Companies can expect updated laws detailing due diligence in data protection, coordinated response plans, and timely breach disclosure. Those banking solely on imprecise SIEMs, rather than investing in a more advanced platform to optimize them, may find themselves in a tough spot.

Enterprises won’t only need to appease the law by willfully implementing an accurate detection platform. They’ll also need software that yields data which translates into both intelligence for security-operations teams and proof-of-compliance for lawmakers. To paraphrase NGA featured speaker/Internet pioneer Vinton Cerf when addressing the futility of security patches, “The root of all of this problem: It’s the software, stupid.”