Cyber-hardening the states
Raytheon CEO, Arkansas gov call for stronger state cybersecurity
Governors should give their top IT and cybersecurity officials a more prominent seat at the table to help combat cyberattacks, Raytheon Chairman and CEO Tom Kennedy told more than 300 state-level cyber and homeland security leaders at an event held by the National Governor Association.
States guard highly sensitive data troves and critical infrastructure that includes power grids, water treatment plants and transportation networks, so cybersecurity needs to be top of mind, Kennedy said.
"Don’t have that person buried five layers down in your organization to the point that person doesn't have any authority to go drive solutions," Kennedy said. "A business-friendly state is a cybersecure state."
Kennedy spoke during a "fireside chat" with Arkansas Governor Asa Hutchinson at the National Governor Association’s Summit on State Cybersecurity, held in Shreveport, Louisiana. Hutchinson, along with Louisiana Governor John Bell Edwards, is co-chair of the association’s Cyber Resource Center, which provides governors with tools and recommendations to strengthen their state cyber policies and practices.
The two-day summit brought together gubernatorial office staff, chief information officers, homeland security officials and National Guard adjutants general from across the country to discuss the growing cyber threat.
Hutchinson discussed ways his state's cyber efforts, including developing an educational cyber range for students, incentivizing traditional and non-traditional students to study cybersecurity, and creating a new cyber alliance that encourages partnerships between the state's universities, government agencies and private businesses.
"We're going to lead in that effort by recognizing [cybersecurity] is an economic development issue for our state as well," he said.
States, and even cities, are increasingly under attack by hackers. Cyber criminals target states because their networks contain large pools of sensitive information such as vital records, voter data, tax filings, public health information, building blueprints and emergency response plans. State networks may also be connected to industrial controls that manage electrical grids, dams, building HVAC systems and other infrastructure.
Recently, a majority of the City of Baltimore' s servers fell victim to ransomware, forcing the city to temporarily close many municipal departments.
Recognizing that most states don’t have the funds available to pay for defense-grade cybersecurity like some large private institutions do, Kennedy suggested that governors look at cost-sharing partnerships, either between states and their municipalities, or even among states themselves. Doing so will not only increase purchasing power, but also encourage needed collaboration, he said.
"There is a benefit to scale in the marketplace," said Kennedy. "If multiple states can get together and come up with a joint cybersecurity solution, you can potentially save quite a bit of money, and may be able to extend that solution across every element of the state."
In response to a question from moderator Jeff McLeod, the National Governors Association’s Director of Homeland Security & Public Safety Division, Kennedy said the cybersecurity industry is trending away from simply building better firewalls, and moving more towards behavioral analytics, because of the threat posed by insiders acting either maliciously or carelessly.
"Your employees are both your strongest defense, but they're also your weakest link," he said. "The human-centric approach is about understanding the behavior of your network and the people working on that network. And anytime you find an anomalous behavior, you can set up an alert."