Speaking at RSA Conference 2017 Governor Terry McAuliffe, 72nd Governor of Virginia, chair of national governors association, said that US State governors need to take the leadership role in cyber protection since the Federal government has not. McAuliffe is driving his state to “lean in” to cybersecurity, to both protect the state’s considerable data assets and to reap the economic benefits of a thriving cyber industry.
McAuliffe claimed that states hold vast amounts of data – far more than the Federal government – and have a lot at stake politically and economically in protecting it.
Virginia got started by doing a threat assessment across state agencies, many of whom had no concept of their cyber vulnerabilities. Formal data protection protocols were put in place. Through Executive Order, Virginia agencies now have coordinated sharing of information, which previously didn’t occur. In fact, McAuliffe argued that information sharing is “the thorniest issue” to deal with, at any government level.
He noted that “My whole initiative as chairman of the Governor’s Association is cybersecurity. It doesn’t matter if one state has great cyber protocols, but then uses systems from a provider in another state that doesn’t—hackers will come in through the back door. States have to get active on this issue.”
With an expected 200 billion networked devices online in the next three years, 1.5 million security-skilled workers will be needed. Given the current talent shortage, education is critical. Virginia has responded with creating cyber camps for students K-12, sponsoring a Veterans cyber training program, and paying college tuition to students who come to work for the state. The Mach 37 incubator is also a point of Virginia pride, turning out two cyber cohorts annually.
Public-private partnership is critical, with states depending on private sector guidance around how to protect themselves and how to assess the next threat. McAuliffe noted that the Federal government needs to “get in the game” but given DC’s political dysfunction, near term action is unlikely.
How would he advise new governors? Through the National Governors Association, he explained that “all new governors get a checklist of cybersecurity issues their states should address, such as the laws and the basic protections to put in place.” They must also help get county and city localities up to speed. This expensive undertaking can be easily put aside in states with particularly strained budgets. As McAuliffe noted, “We’re trying to just get them in the game.”