As U.S. States Join Forces to Boost Cybersecurity, Federal Government Slashes U.S. Leadership in Cyberspace
“38 Governors Sign ‘a Compact to Improve State Cybersecurity’” | Government Technology
“Tillerson to Shut Cyber Office in State Department Reorganization” | Bloomberg
“Top State Cyber Official to Exit, Leaving a Myriad Questions” | Politico
Rhode Island recently hosted the National Governors Association (NGA) meeting, during which 38 state governors pledged to make cybersecurity a top priority and agreed to further develop statewide plans to enhance cybersecurity governance, prepare and defend their states from cyber incidents, and grow the nation’s cyber workforce.
The NGA meeting, which drew high-profile speakers such as Vice President Mike Pence and Canadian Prime Minister Justin Trudeau, kicked off with a panel discussion on cybersecurity and concluded with the announcement of a “Compact to Improve State Cybersecurity.” The joint declaration emerged after a year-long initiative spearheaded by Virginia Governor Terry McAuliffe—who is also the NGA’s Chairman—called Meet the Threat, which sought to create guidelines that could be applied across states to promote cybersecurity. Governor McAuliffe had previously argued that instead of waiting for the federal government to act, states should assume a larger role in promoting cybersecurity, and suggested that his colleagues think of their IT defense as “a health issue, an educational issue, a public safety issue and an economic issue, as well as a democracy issue.” This is similar to what I have written about before—states cannot wait for the federal government to provide responses and solutions before taking action, and they must start developing comprehensive strategies to strengthen their cybersecurity posture, improve their cyber resilience, and ensure that their citizens can rely on safe and secure Internet connectivity.
Rhode Island Governor Gina Raimondo joined 37 other governors in signing the compact and reaffirmed her commitment to combat cyber and homeland security threats. “Much of the work this compact talks about is already under way here in Rhode Island,” said Mike Steinmetz, Rhode Island’s first cybersecurity officer and principal advisor for homeland security. “It is critical that we work together with our state partners and with national resources in the intelligence, public safety and information technology communities to enhance our resiliency.”
The governors’ agreement, which drew bipartisan support, included provisions to: boost cybersecurity employment by working with colleges to increase the number of related degree programs; place veterans into cybersecurity training programs or cyber-related jobs; encourage colleges and universities to seek the designation as NSA-DHS National Centers of Academic Excellence in Information Assurance and/or Cyber Operations; organize a framework for information sharing by partnering state homeland security and information technology representatives with critical infrastructure and key resources operators; incorporate the National Guard into states’ “cyber response plans” and work with state lawmakers to determine when the Guard should be activated in the event of a cyberattack. As evidence of its strong cybersecurity posture, Rhode Island has already begun to address all of such efforts.
Unfortunately, the commitment by these states to work collaboratively with their local and federal partners to enhance their defenses against cyber threats was overshadowed by news that the federal government was potentially downgrading the role of U.S. leadership in cyberspace and its commitment to international cyber-related issues. Shortly after the NGA meeting, Christopher Painter—the State Department’s coordinator for cyber issues and top cyber diplomat—announced that he would leave his job at the end of the month. Painter had been leading American delegations to international cybersecurity meetings for several years, negotiating joint agreements with other countries on issues ranging from protecting critical infrastructure to developing international norms of state behavior in cyberspace. In addition, Secretary of State Rex Tillerson is considering closing the State cyber office, merging it with another office, or downgrading the cyber coordinator’s rank. As Jason Healey, visiting scholar at The Hoover Institution at Stanford University pointed out, eliminating or downgrading the State Department’s dedicated cyber mission “would mean the United States would be the only major country without a lead diplomat to discuss cyber norms and trying to reduce the ever-escalating cyberattacks we see around the world.” The U.S. was the first country to create a high-level diplomat role addressing cybersecurity issues, and dozens of other countries have since followed suit. “It is not just a shame if the U.S. were to surrender that leadership, but would mean the future internet will have more Russian and Chinese characteristics,” Healey added.
While the cybersecurity environment continues to deteriorate with cyber threats growing in scope, volume, and sophistication, and as geopolitical tensions remain high with slow progress on the diplomatic front, it remains unclear how the Trump Administration—which has yet to fill many of the vacant roles with major cybersecurity responsibilities—plans to approach all these important cyber challenges both domestically and internationally. President Trump’s Executive Order on Cybersecurity, for example, directed government agencies to further study the problem and requested those agencies to produce several related reports in the coming months, but did not clarify how the Administration will prioritize competing interests. These reports will require agencies to dedicate limited and shrinking resources to drafting those reports, which may distract from their current cybersecurity activities and operations. Painter’s departure, moreover, will likely complicate the State Department’s task of delivering an international cyber strategy to the President by late September as part of the executive order.
While the President began his tenure at a time of considerable cyber insecurity facing both state and federal agencies, public and private organizations—and an associated growing public awareness of these issues—he has yet to demonstrate an understanding of what is at stake and a willingness to take a leadership role in addressing these challenges. – Senior Fellow for Cyber Leadership Francesca Spidalieri