
With a March presidential executive order putting some breathing room between the Federal government and states on cybersecurity protections – and state and local governments hoping for a second go-round of funding from Congress under the 2021 State and Local Cybersecurity Grant Program (SLCGP) – we checked in with Gary Barlet, Illumio’s public sector chief technology officer, for his read on the new landscape.
Barlet discussed the latest look-ahead on state and local cybersecurity, the changing shape of Federal assistance in that effort, and some of the challenges ahead in redistributing responsibilities for cybersecurity protection.
The short version of Barlet’s outlook is that the White House order is moving forward with good intentions, but as of yet there is a troubling lack of follow-through on second-level policymaking needed to put the new order to work.
The Illumio official also points to lingering question marks about the practical ability of states to assume more cybersecurity responsibilities and continuing levels of support from Federal government agencies including the Cybersecurity and Infrastructure Security Agency (CISA).
Here’s what Barlet had to tell us in depth…

MeriTalk: The March 18 White House executive order (EO) titled “Achieving Efficiency Through State and Local Preparedness” doesn’t require the Federal government to do anything new to help state and local governments on cybersecurity, but it does bump up the importance of states and locals taking a more active role in all kinds of disaster response – including those related to cybersecurity. The order also talks about some follow-on policy decisions that have not yet seen the light of day. How are you viewing that order now that we’ve had time to digest it?
Barlet: When you talk about the current lack of required follow-on policies, that leaves a lot up in the air.
The EO says a lot about traditional disaster preparedness and response – storm damage and those kinds of things – and one could argue it makes sense for the state and locals to have more input and control over response to those things where they better understand the environment.
But when you get into the cybersecurity element, the coin flips the other way because you’ve got to wonder: do the state and locals have the expertise, the resources, the understanding, the interaction, the interconnectivity, and the big picture needed to figure out how to respond to cyber incidents?
I’m a little concerned about this concept, from a cyber perspective, of pushing down that response to the state and local levels. I worry about whether that’s the wisest path to take.
MeriTalk: Looking at the state level, we would assume that the larger and more populous states have more resources to devote to cyber defense and resilience, where some of the smaller states – there are six states with populations of less than one million people each – don’t have that kind of capability. Is that worrisome?
Barlet: Absolutely. Not only do those larger states have more resources, they also have much larger pools of qualified people to pull from. Some, for instance, have universities with large cyber programs that are in those states that they could tap into, and large companies operating in those states have people with lots of expertise to potentially lean on. Some of the smaller states just don’t have those same benefits and resources.
My concern is that when the order talks about creating something like a national critical infrastructure registry you may find that some very critical – nationally critical – infrastructure may be in those very states that are at more of a disadvantage. It could be large pumping stations, railways, and other things that could impact the entire nation, but they don’t have the same resources to tap into that some of the larger states may.
That’s what worries me about pushing some aspects of cybersecurity down to the state level, because there is such a huge disparity in necessary resources. At the same time, the threats, attacks, and sophistication remain the same, but the ability of the states to respond is very disparate.
MeriTalk: The White House order points to things like a critical infrastructure registry, but the Department of Homeland Security (DHS) and its CISA component have been working on designating and helping critical infrastructure sectors for many years. Hasn’t work like that already been done?
Barlet: Let’s hope! I’d like to think that work has been done but maybe not as centralized – or available – as the White House is envisioning. In various positions I have been in, I have seen iterations of critical infrastructure registries – the military certainly has those kinds of things.
But part of my concern is that there may be things that the states may not even necessarily be aware of. You could pick something that’s not top of the radar, like undersea fiber termination points. Are the states really understanding that that’s in their purview, and do they have the resources to protect that, as opposed to the Federal government understanding the impact of that? That’s just one example.
MeriTalk: Any thoughts on the difference between what the Federal government may regard broadly as critical infrastructure and to prioritize for protection, versus how states may prioritize that list of infrastructure to reflect their more local concerns?
Barlet: That’s definitely a concern. From my time in the military, we learned that sometimes where you stood on something depended on where you actually sat – if you were at one level of the military you had a very different perspective than if you were at a different level. And the states have the same issue. Their perception of what’s critical is going to be based on the impact to their state and their own internal commerce and population as opposed to the Federal government looking at it more strategically and having a completely different perception.
I’m not faulting the states, don’t get me wrong. But a governor’s focus may be very different than a national leader’s focus, and very properly on protecting the local citizens, and maybe less worried about the downstream effects on other states or regions of critical infrastructure disruptions.
And I worry about that. The cybersecurity threat is a strategic threat and needs to be addressed at a strategic level. It’s hard to delegate a strategic responsibility down to a state and local level.
MeriTalk: At a minimum level, we might need states cooperating with each other?
Barlet: Right – infrastructure may continue across state borders, but if you are a governor of one state you have no legal authority in the neighboring state. Think about all the different arrangements that have to be put in place. States right now have protocols for things like local police chasing a criminal into the next state over, but imagine doing that in a cyber realm where there’s not really well-defined borders. How do you delineate who’s got responsibility for what? There are going to be a lot of complexities that make this strategic issue hard to deal with at the tactical level.
MeriTalk: How about in the cyberattacker’s mindset, are they caring about things like state borders, or Federal authority versus state authority?
Barlet: Some of that will depend on the attacker. If you’re looking to implement a ransomware attack and get paid, then your efforts are going to be a little more focused, because you want to make sure that you’re going after the resources of the person you want to get a check from. But once you get to an attack that is more strategically significant, you’re not going to care about state borders and state defenses.
I just hope that as we’re waiting on this new policy to be fleshed out that there is going to be clear delineation of who is worrying about attacks, and that it’s not going to be a complete abdication of responsibility at the Federal level, and everything’s not just going to get turned over to the state and local levels. Because this is a national issue, and it’s a strategic threat, and it can’t just be dealt with by a collective of 50 states.
MeriTalk: We know that more policy will flow from this order, but are you sensing that the Federal government will preserve for itself a set of Federal-level capabilities, assistance, and responses, even in addition to what it wants to hand down further to the states? How big will the ongoing Federal role be?
Barlet: There are some indicators there. The government is looking to make some cuts at CISA, but more around the edges on overseas or educational functions because they want to get back to the core mission of cyber defense and dealing with cyber threats. That gives me some hope that they are going to retain those robust Federal abilities and roles. I don’t sense there is going to be abandonment on that front, but I do worry about how much is going to be delegated down, and how much is going to stay on a Federal level. That remains to be seen.
MeriTalk: Along with more responsibility for cybersecurity problems, do you see the states getting any more Federal money to help out with that?
Barlet: The State and Local Cybersecurity Grant Program needs to be reauthorized later this year in order to keep providing at least some cybersecurity funding for states. There are concerns – will it be reauthorized, and at what level?
And part of the challenge is that money doesn’t necessarily just solve this problem. You need to have access to resources, talent, and capabilities – especially at the state and local level, because they are going to want more local people to be helping in the effort.
I would like to see more money given to the states if they are going to be given more responsibilities for cyber defense, but it’s still not something that money can completely solve. We can’t buy our way out of this problem.
MeriTalk: Undoubtedly the grant funding to date for states has been very helpful, but it’s not an overnight cure for improving defenses…
Barlet: It’s important to remember that everyone has technical debt, and some states more than others. It’s not a level playing field – not just the size of the state, and the resources they have access to, but where they currently are in dealing with technical debt. That’s another issue that makes helping states on a consistent basis more difficult.
MeriTalk: What else falls under the heading of complications, maybe against the backdrop of state systems that may be operating with the benefit of good cloud service providers that are helping to provide security, versus some operations that may be relying on on-prem servers?
Barlet: That brings up an excellent point. If I’m going to be responsible for something at my local level but a lot of my infrastructure is hosted in a data center and in another state, do I still have responsibility and authority, or does the state where that data center resides have responsibility and authority?
MeriTalk: To wrap us up, can you assign a letter grade to this policy so far?
Barlet: For the order itself, I would give it an “A-minus” for intent. They have the belief that by pushing some authority outside of D.C., then maybe it will get executed better, so they have good intentions there. For the wording of the order, I will give that a “C” grade because there is a lot of ambiguity in the wording and a lot of uncertainty. And then for the overall effort, I think right now we are at an “incomplete” grade because they have promised follow-up policies that have yet to materialize.
MeriTalk: And finally, any thoughts on the role of CISA as a support to state and locals going forward?
Barlet: CISA still has a very critical role to play, and there is a need for CISA to get back to its grassroots a bit. CISA really grew as an organization and started to spread its aperture, maybe too wide. So, maybe it’s valuable to get CISA refocused on what’s truly critical and important and focus more resources on those critical things instead of getting pulled in too many directions.
I’m hoping that the new leadership at CISA is really going to take a hard internal look and determine what’s our true, core reason for being, what are the actions we should be taking, and then let’s go forward and focus on those really critical things.