Want to collaborate on cyber? Just ask, city officials say

Mid section close-up of diverse Business people shaking hands with each other in corridor at office. International diverse corporate business partnership concept

One of the biggest stumbling blocks local governments face in developing better cybersecurity collaborations with their states, panelists said during an online conference Thursday, may also be one of the simplest to overcome.

Speaking during an event hosted by the Computing Technology Industry Association’s Public Technology Institute, city and state IT officials said the first thing cities can, but don’t always, do is pick up the phone and ask for help, even if it takes a few tries.

“You’ve got to be persistent,” said Bernie Acre, the chief information officer for Bryan, Texas. “We all get locked into the resource conversation. Sooner or later, you’ve got to find someone that has the desire to help.”

Acre said when he started his job with the 76,000-resident city in 2013, cybersecurity was a back-burner issue. Nowadays, he said, it can often account for 80% of his workload, but support from the state government wasn’t always there.

“Our folks at Texas [Department of Information Resources] didn’t even think about us or know we were out there,” he said.

Yet in the last few years, Acre continued, DIR has stepped up the support it provides local governments, including mandatory cyber hygiene trainings for all state and local employees, leading responses to incidents — such as the August 2019 ransomware attack against a managed service provider that affected 23 communities — and forming a cybersecurity council, on which he currently sits.

“We’ve come really far,” he said. “It’s just persistence.”

Franklin County, Ohio, CIO Adam Frumkin, who moderated the discussion, said initiating these partnerships is also a matter of knowing who to call. He said when he started developing incident response plans, he reached out to the Ohio National Guard, which has a robust cybersecurity unit, and also roped in his county’s emergency management agency and other stakeholders.

But cities and counties should also seek out each other for assistance and guidance, the speakers said.

“You’ve got to share with your peer group around the state,” Acre said, with Frumkin adding that those communications are vital, “even if it’s reaching out to the next city or next county or next state.”

Andy Brush, who leads cybersecurity partnerships for the Michigan Department of Technology, Management and Budget, recalled living through that kind of experience in his previous role as the IT manager for Washtenaw County, Michigan, which was one of 13 local governments that collaborated on a “CISO-as-a-service” program that pooled cybersecurity management among its participants.

One of the biggest driving factors behind the program, Brush admitted, is that smaller local governments don’t necessarily have the best grasp on their own cyber risks.

“We actually sucked at assessing ourselves,” he said.

One area where cities and counties can get better, Brush said, is by adopting and sticking two a common framework, like the one offered by the Center for Internet Security, the nonprofit that runs the Multi-State Information Sharing and Analysis Center.

“Something we’re focusing on is strengthening CIS controls as a framework,” Brush said. “It’s a good place to start for local entities that haven’t gotten in the game. If you pick one and stick with it, you’re going to be speaking a common language.”