Slowly but surely, more state governments are sensing the urgency to build and put in place strong cybersecurity plans. Last week, Minnesota stepped up, and now Connecticut has followed suit, crafting a new Cybersecurity Action Plan that calls for better security, deeper collaboration and more security professionals on the job.
Those aren’t new ideas, but when interwoven in a 41-page document containing requirements and recommendations to fortify cybersecurity planning and policy, they take on heightened meaning.
The current blueprint builds on a cybersecurity strategy proposed last year by Governor Dannel Malloy, in which he advocated for a raft of new cybersecurity programs and policies. It’s authored by Arthur House, the state’s cybersecurity risk officer (CRO), and CIO Mark Raymond, and positioned as a “call to arms to prepare for, prevent, respond to and recover from threats to our cybersecurity infrastructure at the state, local and private sector levels.”
Seven Cybersecurity Principles
In the earlier strategy report, the state identified seven principles -- executive awareness and leadership, cyber literacy, preparation, response, recovery, communication and verification -- that are now applied in the plan to Connecticut’s five critical sectors: State government, municipalities, business, higher education and law enforcement.
“Connecticut needs to approach its action steps recognizing that cybersecurity is a relatively new threat, a potentially dangerous one that has already damaged Connecticut businesses, that all enterprises including small businesses are vulnerable, and that the business community is only in the initial stages of understanding and constructing its defenses,” the authors wrote.
Raymond told StateScoop that while everything in the document is on the state’s to-do list, separating required measures from suggestions is a “complicated question.” Budget is almost always a problem in these types of state initiatives and this one appears no different. "That there's no additional dedicated funds for it makes that a complex endeavor," Raymond said. "We're pulling funding to do some of these things from existing sources, so our ability to make large progress on it will be dependent on our ability to make those funds available."
Protecting Five Public and Private Sectors
The study details specific steps for each of Connecticut’s five public and private sectors, segmented by the seven principles and dotted with rationale along the way. For example, it points to recent surveys in which one-third of Connecticut businesses reported that the risk of cyber attacks is increasing, yet many still take no defensive action, blaming insufficient resources and limited expertise. Similarly, only a handful of Connecticut businesses report conducting cyber risk analysis, vulnerability testing and penetration testing, and fewer than 50 percent provide cybersecurity training. Many have no budget line item for cyber defense.
“The coming years will answer questions as to how effective cooperation and collaboration between business, the public and government will be,” House and Raymond wrote. “Connecticut is receiving mixed signals. Some companies readily discuss cybersecurity initiatives while others bristle at the suggestion that the subject is appropriate for public discussion or legislative attention.”
While the report allows that the business community may yet find “productive ways to collaborate” and respond to increasing cyber threats, “if defensive posture and resistance to engage in dialogue continue, the future may include more mandatory annual cybersecurity audits conducted by licensed auditors chosen by each company and managed according to generally accepted cyber assessment practices.”
Nine Steps for Statewide Cybersecurity
As for state government, the cybersecurity plan outlines nine steps Connecticut should take to ready itself for a cyber attack, including completing a cyber disruption response plan by the state's Division of Emergency Management and Homeland Security and distributing it to all agencies. Additionally, all current and new state employees will be required to receive education in cybersecurity awareness, including using multi-factor authentication for critical or sensitive systems, based on their roles and responsibilities.
A year ago, the Governor created the CRO position, named House to fill the slot and tasked him with making the state’s cybersecurity strategy his first priority. The idea is to have a “common effort to create a culture of cyber security awareness,” House subsequently said. Four years ago, Malloy called for a cybersecurity strategy to cover Connecticut’s vital public utilities.