State governments are increasingly vulnerable to cyberattacks, and now some are fighting back by naming a chief cyber officer to coordinate preparation and response.

New York and Louisiana are among the first to adopt those roles, which look to encourage collaboration across all departments and with local governments, promote cybersecurity best practices, advocate for regulation and respond to new threats, all while keeping their governors and legislatures informed on the cyber landscape.

Other states have similar roles with different titles: Ohio Gov. Mike DeWine recently appointed Kirk Herath as his first cybersecurity strategic advisor, while New Mexico Gov. Michelle Lujan Grisham in March appointed Annie Winterfield Manriquez as her senior advisor for cybersecurity and critical infrastructure.

The appointments represent a major ramping-up in what Casey Dolen, senior policy analyst for cybersecurity at the National Governors Association, called a “whole of state approach” to cybersecurity. And they come on the heels of a warning from the White House for states to bolster their cybersecurity, especially after several high-profile breaches by a Chinese state-sponsored espionage group.

“A lot of times you have so many different parties who have a stake in cybersecurity, and by creating a funnel where information and intelligence can be shared to, and then share it up to the governor so that they are aware of the threat, is a very smart move,” Dolen said.

New York Gov. Kathy Hochul appointed Colin Ahern as the state’s first chief cyber officer after investing $62 million in the state’s cybersecurity infrastructure through the FY2023 budget. Ahern, who was previously first deputy director of New York City Cyber Command and the city’s acting chief information security officer, now oversees the state’s Joint Security Operations Center, a hub for cyber threat detection and response in New York.

State officials said previously that New York is especially a target for cyberattacks given its leadership in a variety of areas, including financial services, trade and critical infrastructure.

“We know the issue is getting worse,” Ahern said. “We know what we would do if the worst were to happen, and we’re going to spend as much energy as we can on making it not happen. But that also means that we need to be clear-eyed about our preventative and response capabilities and make sure that they’re alive for the threat landscape.”

A major responsibility of the chief cyber officer role will be encouraging collaboration between the state and the local governments beneath it, while also advocating for cybersecurity legislation and regulation.

While there may have been discord in the past between the various levels of government about whose responsibility cybersecurity is, Ahern and Dolen said that is changing. If governments at all levels “start from a position of respect,” with a focus on training and preparedness and working to their strengths, collaboration can be smooth, Ahern said, adding that “no one’s trying to eat anybody’s lunch.”

“The federal government has authorities and capabilities that the state doesn’t possess, the state has authorities and capabilities that counties and local governments don’t possess, and local governments and counties have authorities and capabilities that the state doesn’t possess and provide services that the state and federal governments don’t provide,” he said.

On his LinkedIn profile, Louisiana Chief Cyber Officer Dustin Glover said he works directly with state civilian agencies and local governments as well as the Louisiana State Police’s Cyber Crime Unit and the Louisiana Army/Air National Guard to “identify and address cybersecurity risk” and provide “advisory and support services” for government entities and critical infrastructure.

Glover and officials with the Louisiana Office of Technology Services did not respond to requests for further comment.

State governments already have various other positions that focus on securing technology and cyberspace, including CISOs and chief information officers. But Ahern said a chief cyber officer helps maintain that “whole of state” view of cybersecurity to keep services resilient in the face of attacks while performing a crucial advisory role.

As for other states considering a similar role, Ahern said instituting a chief cyber officer position requires an institutional culture that cares about cybersecurity, is willing to collaborate and is constantly vigilant about new threats that emerge, even as anti-hacking technology continues to evolve. 

It’s like good dental hygiene, he said. Even with electric flossers and water picks, “it’s about brushing your teeth every day. Some days you want to do it and some days, you don’t. But you’ve still got to do it.”

Source: https://gcn.com/cybersecurity/2022/08/new-chief-cyber-officers-take-whole-state-approach-cybersecurity/375868/