Sanjeev 'Sonny' Bhagowalia: Information that no one acts on is just 'proud words on a dusty shelf.' (Colin Kelly/Staff)
Say you’re a public utility and you’re under cyber attack. Who do you call? Local authorities? State government offices? The feds? The best option isn’t always clear, but it may become more so soon.
State and federal policies in theory should complement each other, but that’s not always the case. It gets even trickier when the subject of the policies—and the policies themselves—have yet to be fully defined, as is the case in cybersecurity. Even as those policies are still being established, authorities on both the state and federal sides are taking steps of their own to shore up their networks and IT systems.
Authorities and security clearances, chains of command, network visibility—these are some of the issues officials currently are juggling as they hammer out government cybersecurity. Progress is being made in the form of established communications centers and mutual understanding of capabilities and responsibilities, but there is still a ways to go in improving operations.
“The issue we have operationally [is], having come from the fed side we know a lot more, and I can’t talk about it because it comes from the classified side—and over here most of the folks don’t have the security clearances,” said Sonny Bhagowalia, a former federal official who is now chief advisor on technology and cybersecurity to the governor of Hawaii. “Because the FBI has information, the intelligence community has information, [the Homeland Security Department] has information, they’re very good at sending information but then it comes to certain people in state government who then keep the information. It doesn’t really help to have what I call proud words on a dusty shelf. If you have all this information you’re sitting with it needs to be actionable.”
Bhagowalia praised federal efforts such as the Homeland Security Department’s cyber hygiene assessments and vulnerability assessments, as well as resources such as Hawaii’s own security operations center. But he said those initiatives need to be taken to the next level, integrated with federal resources and programs.
That’s exactly what agencies including DHS are working to do, according to Larry Zelvin, director of DHS’ National Cybersecurity and Communications Integration Center.
Case in point: the Multi-State Information Sharing and Analysis Center, or MS-ISAC, in Albany, New York, which includes among its services state intrusion detection and near real-time monitoring services that are integrated with DHS, the FBI and the intelligence community. Using a color-coding system to monitor state networks, it’s so far proving efficient: Montana right now is at a heightened level of alert because of an intrusion on its health care system, Zelvin said.
The plans and programs already under way provide a promising start for an effective state-federal cybersecurity tag team, but there remains work to be done, especially when it comes to determining and allocating available resources, whether that’s funding, network capabilities or response tools such as civilian or National Guard sources.
“From a federal government point of view, what I want to know if I’m the states is what capabilities do you have, and when you start to either expire or come close, what are you going to come to us for, how much do you need it and how fast?” Zelvin said. “We don’t want to get into a situation where a state governor comes to the president and says, ‘Mr. President, I need these things.’ I’d really like to plan that out now, and I know the states would like to plan that out now, so we’re really trying to figure that out. But it requires an inventory…it’s one of those areas where we’re not going as fast as I’d like, but we’re not waiting for a major incident.”