Think Global, Act (with and for) Local
In the last couple of days, I had a chance to talk with a cybersecurity working group of local government IT managers from Texas and with a group from StateRAMP, an “independent not-for-profit organization providing an efficient and cost-effective solution for verifying the cybersecurity of cloud service providers for state and local governments” (www.stateramp.org).
Having spent most of my career in a large Federal agency, I always appreciate a reminder of how challenging cybersecurity can be for state and local governments. Modern cybersecurity has taken the fight from "over there" to the virtual doorstep of every business, government, and individual in our economy - from a national fight to a local fight.
I’ve met many wonderful people in my years of work with state and local governments – people who could be doing other things, but choose to spend at least a portion of their careers in public service. As a citizen, I am grateful that good people make this choice. And in my second career, I am grateful to have more opportunities to help that community.
In that spirit, here's an older (2009) entry from my internal NSA blog, previously approved for public release, but never published.
The State of State Cybersecurity 2009.04.07 - 10:14 am
Last week, I travelled to Phoenix to speak at the MS-ISAC (the Multi-State Information Sharing and Analysis Center) Annual Conference. The audience included Chief Information Security Officers (CISOs) and Computer Emergency Response Teams from (I think) 49 states, and a few others (e.g. Guam), as well as a sprinkling of folks from Law Enforcement, DHS, etc. The MS-ISAC is very active, with teams working on everything from operations to procurement and standards. They have made great progress by sharing ideas, standard wording for procurements in order to improve security, etc.
Whenever I work with our peers in State or Local government, I am always impressed and humbled. They do a lot of good things with very few resources. Need an example? I spoke with the leader of a CERT team from a mid-sized state. Their *entire* training budget for a year is $3000. Frankly, not many NSA managers could recruit, develop, or retain people under such circumstances.
Here are a couple of lessons that I have drawn from several years of talking with cybersecurity people at the State and Local level:
+ We need to remember that people who don’t have lots of resources cannot make use of expensive and complex tools, or solutions that take armies of trained people, yet they are fighting the same fight.
+ We (the folks who live in Big National Agencies) have a responsibility to "spin off" technology, ideas, standards, and tools to our friends in State and Local governments. They have very few other resources. And we're trying to solve the same problem anyway. Bonus: they are incredibly grateful for the help, and they add to the critical mass needed to push the vendors in the right direction.
+ We lead a sheltered life here at NSA. When we're trying to solve a mission problem, too often the answer is, "we just need another Big Bag of Money". If that's your first answer, I usually read this as a failure of both imagination and leadership.
By the way, the title of my speech to this Information-sharing forum was "Information Sharing Is Over-Rated". I'll explain later.