Something must change with federal information sharing and state and federal roles if states are to be most effective at responding to cyber criminals, according to expert commentary during the second week of the Cybersecurity and Infrastructure Security Agency’s (CISA) Annual National Cybersecurity Summit. National Cyber Director Chris Inglis kicked off Wednesday’s summit program by
Something must change with federal information sharing and state and federal roles if states are to be most effective at responding to cyber criminals, according to expert commentary during the second week of the Cybersecurity and Infrastructure Security Agency’s (CISA) Annual National Cybersecurity Summit.
National Cyber Director Chris Inglis kicked off Wednesday’s summit program by touting the Joint Cyber Defense Collaborative (JCDC). The entity, he said, would facilitate information sharing across sectors — creating a more complete picture of attackers’ efforts — and pool efforts to present a stronger front against malicious actors. The JCDC’s initial launch earlier this year focused on bringing together federal units and private-sector cybersecurity and tech firms, with plans also calling for consulting with state and local governments and other entities.
Alissa Starzak, global head of public policy at Cloudflare, said during a virtual panel that she expects JCDC participation to provide insights to help her firm shift to more proactive efforts against cyber attacks. The project would also create an ongoing relationship between government and companies, a switch from current practices that often only sees firms connect with agencies when an incident occurs, she said.
State officials have their own wish lists for federal agencies’ information-sharing approaches.
Illinois Emergency Management Agency Acting Director Alicia Tate-Nadeau, who spoke during a separate virtual panel, said federal threat sharing at present is often too vague to allow states to take meaningful action, leaving them dependent on federal partners to tackle problems.
“If you don’t want states to be solely reliant upon the federal piece, then we need more fidelity in things that come out [regarding incidents] within our geographic boundaries,” Tate-Nadeau said.
Broad-strokes explanations may be sufficient to describe incidents happening in other states, but fine-grained details are a must to empower state agencies to handle incidents on their own turf, she said.
Illinois has examined not only how it receives information but also how it, in turn, disseminates it. Tate-Nadeau said fusion centers play a key role in helping the state receive reports from individual counties and send out warnings to remaining counties as well as alerts to federal partners. Quick communication is essential.
“It’s never going to be one county or one location that gets hit,” she said. “More than likely, it’s just a beginning or an indicator to possibly something larger.”
When it comes to supporting counties, Illinois has found its cyber navigators program to be particularly helpful. The state launched the effort in response to election cybersecurity threats in 2016. Under this initiative, the state sends experts to different counties to help officials with cybersecurity challenges related to elections or other areas, Tate-Nadeau said.
Tate-Nadeau also homed in on the need to equip agencies with the powers and roles — not just information — to respond effectively.
For Illinois, part of that means striving to ensure it can react to cyber emergencies with the same tools it brings to bear against other disasters. In August, the state expanded its Illinois Emergency Management Agency Act so that the legislation includes cyber incidents among the disasters covered.
But when it comes to state and federal collaboration, Tate-Nadeau said some murkiness remains about roles.
Some existing legislation is limited: The Federal Emergency Management Agency (FEMA)’s Stafford Act outlines how the federal government can send disaster assistance to states, tribes and localities, but it doesn’t recognize cyber events, Tate-Nadeau said.
She also questioned whether all parties have the authorizations needed to take appropriate actions.
“Do we have the right authorities?” Tate-Nadeau asked. “And are they in the right areas? Then [we should be] trying to scope or understand what those gaps are between when the federal government gets involved in the response or recovery effort and when the state has.”
Helping states dial up their efforts to fill any gaps that are discovered will take more funding — something that Congress’ pending infrastructure bill would help address, she added.
“If you give us the dollars and the guidance, then we will work on coming up with the solutions,” Tate-Nadeau said.