On cybersecurity, Nevada has the will but will it find a way?

Say the word “hacked” in the same sentence as “government” and public and private panic ensues. So then, what to do about it?

Less than a month after news broke that Nevada’s medical marijuana registry website was vulnerable, and that this vulnerability had been exploited, Governor Sandoval announced the creation of a new Cyber Defense Center, the most recent in a series of moves to shore up our state's cyber-defense and resilience capabilities that I have previously explained are not yet up to snuff.

He proposes to allocate $876,000 specifically to a cyber security defense center which Caleb Cage, Nevada Division of Emergency Management Chief Homeland Security Advisor, says can act as an “emergency fusion center” and convene multiple stakeholders when necessary. Another $2.6 million will go to information technology (IT) upgrades for enterprise IT services and, according to Mari N. St. Martin, the governor’s communications director, another $800,000 will be invested for new hardware associated with improved security protocols.

We can expect the bill to be dropped in the near future, according to those close to the process, and this should give us more clarity on the nature of the investment and expected returns in strengthening our state’s cybersecurity posture.

In anticipation, it is worth reviewing the facts surrounding our efforts, national norms, and other models.

Nevada’s new Cyber Defense Center is the third notable step the state has taken toward improving the state’s cybersecurity. The first was the creation of the Nevada Homeland Security Working Group (NHSWG), which housed deliberations on cybersecurity for Nevada from at least March 2011 to the present. Cybersecurity has traditionally been viewed as a homeland security issue, although this view is rapidly changing as the private sector, households, and government are all increasingly intertwined electronically and thus assume a shared risk in today's cyber world.

NHSWG is the group that has in the past parsed out the federal funding for cybersecurity from the Department of Homeland Security (DHS), determining which projects are the greatest priority and how much money should be allocated for each.

One of the concerns that has been raised at the federal level most recently as part of the deliberations of the White House Commission on Enhancing National Cybersecurity is how best to assure that earmarked federal funds are actually used for a state’s cybersecurity improvements and not on filling gaps in basic IT budgets, either for upgrades or projects that are politically popular but have little to do with cybersecurity. For example, one of the proposed and questionable projects that was put put forward was adding surveillance cameras to the UNR stadium, which would be a physical security (not a cybersecurity) enhancement.

The second notable step was the creation of a standing committee, the Nevada Cyber Security Committee, on March 8, 2016. Its mere existence is noteworthy in comparison to our nearest western neighbors:  Utah, Arizona and New Mexico have yet to create a similar body.

The Nevada Cyber Security Committee, chaired by Lt. Gov. Mark Hutchison and made up of members of the public sector, private sector, and university community, may have its recommendations rejected or modified by the Homeland Security Working Group, including ranking which cybersecurity projects get priority funding. This multi-disciplinary approach reflects the public-private collaborate ethos that infuses all of the more advanced cyber efforts at a state level.

These advanced teams are often created by industry groups such as critical infrastructure or financial companies that were some of the first movers in threat information sharing and implementing standards for cyber best practices. These types of multi-stakeholder bodies have blazed the cybersecurity trail for states like Virginia and Michigan, which have made significant strides.

Uncharted territory

A number of U.S. states are in various stages of creating cyber defense centers, working groups, collaborative committees, and interdisciplinary efforts to mitigate existing threats and to get ahead of emerging threats as they develop. Even so, most states spend only a fraction of one percent of their budgets on cybersecurity. Often these numbers are hard to discern because cybersecurity services may be outsourced or embedded in more global contracts.

According to the state of Virginia's Secretary of Technology, Karen Jackson, good numbers are hard to pin down, but a rule-of-thumb is that private companies spend in the nine to 15 percent range of their IT budget on cybersecurity. The National Governor's Association (NGA) believes no state is yet spending anywhere near this amount.

While state and local governments work to achieve alacrity in addressing one of our most vexing modern challenges, the federal government is a largely absentee partner. Many experts believe that the federal government needs to establish standards for cybersecurity and enforce compliance in order to properly harden our national defense, as we are only as strong as our weakest link.

The NGA has stepped up and made cybersecurity its number one priority in this most recent year, including pressing to establish a guide of best practices for all states. It is a work in progress, but the NGA is posting the segments on its website as they are finished. The final document is due to be complete sometime in July, although Tim Blute, Program Director, Homeland Security and Public Safety for the NGA Center for Best Practices, believes it will remain a priority moving forward. Sandoval will become chairman of the NGA in July.

In addition, the NGA offers hands-on workshops for states that wish to get a jump-start without delay. Nevada has a team working with the NGA on developing their protocols, and Caleb Cage, Nevada's Chief Information Security Officer and a member of the Department of Public Safety, Emergency Management and Homeland Security, emphasizes that this progress is a direct result of Governor Sandoval's prioritization of this issue.

Other states

It is common practice for states to embed cybersecurity spending within the IT budget. Nevada is forward thinking in this recent move to call out cybersecurity as a separate budget item, given its unique importance. Overall, though, when compared to western states of a comparable population and budget profile, Nevada has a similar IT budget, which may prove to be low if the threat levels increase, or if an audit of state cybersecurity needs uncovers unexpected gaps.

Nevada has a state budget of $10.475 billion, while the IT budget is around $69.598 million (0.66%). For Fiscal Year 2017, Utah has a state budget of $15.1 billion, while their Department of Technology Services budget is $5,366,100 (0.035 percent). New Mexico has a state budget of $6.462 billion, and an IT budget of $68,581,000 (1 percent).

Notably, Idaho’s budget cannot be accessed as its website is incomplete, and only a broad summary of Arizona’s budget is available on its site.

The spirit is willing but the workforce is weak

Virginia has shown itself as a leader among states in cybersecurity, in part because it has the expert workforce to design and support strong cyber initiatives. It was the first state to adopt the National Institute of Standards and Technology Cybersecurity Framework. Virginia also made cybersecurity workforce development a focus, including investing more in their public universities so they could become NSA-certified Centers of Academic Excellence.

UNLV is certified by the NSA in information assurance but not in other subjects. UNR and CSN have recently made efforts to improve their cyber programs, announcing expanded coursework for students pursuing cybersecurity minors or courses of study.

When comparing workforce and education in Virginia and Nevada, the data shows that technology workers as a percent of private workers in 2015 was 9.5 percent in Virginia versus just 2.8 percent in Nevada. The ratio of those with a bachelor's degree or higher were 37 percent in Virginia versus 23.6 percent in Nevada. In addition, Virginia has emphasized cybersecurity public-private partnerships in order to spur collaboration on cyber issues, and also to provide workforce development opportunities.

Virginia in 2014 created a cyber commission to evaluate the state’s needs and vulnerabilities and create a report, but they also aggressively implemented changes through executive order – as well as pursuing legislative and regulatory changes – as soon as solutions were identified and agreed upon. For example, Virginia realized that its agency heads did not feel directly responsible for information security for their organization because it wasn't included in their job descriptions. Virginia immediately took action and rewrote its agency head job descriptions. Compliance with information security audits and best practices has since “measurably improved,” notes Ms. Jackson. Virginia, too, is spending less that 1 percent of its budget on cybersecurity. (It has a state budget of $51.8 billion dollars.)

The Nevada Cyber Security Committee has talked about creating an 18-month study, by funding work at UNR. Details are still pending. While a study may be needed, speed and decisiveness are integral to success. Nevada needs to step up its cybersecurity game, and fast. Audits and evaluation will need to take place simultaneously, along with quick action in order to address this rapidly evolving threat.

Anticipation, collaboration, and agility are the answer.

Researcher David Serabian contributed to this piece.

Heather Murren served as a Commissioner on the White House Commission for Enhancing National Cybersecurity, a 12-member commission charged with identifying the steps our nation must take to ensure our cybersecurity in an increasingly digital world. The commission report was submitted December 2, 2016 and made recommendations relating to consumer rights and responsibilities in the digital age, the internet of things, building cyber workforce capabilities, and better equipping the government to function securely and effectively in the digital age, among others.

Disclosure: Murren will be volunteering her time and expertise to The Nevada Independent as an analyst and special correspondent. You can read more about her in this welcome post by our editor, Jon Ralston. Murren is married to Jim Murren, Chairman and CEO of MGM Resorts International, a significant donor to The Nevada Independent.