One of the key challenges and apparent contradictions of effective cybersecurity solutions is that while cyber attacks can often target specific vulnerabilities existing within a singular organization, we need a comprehensive connection of multiple organizations and partnerships to defend our systems successfully. As we’ve learned, it takes a network to protect a network. And in Wisconsin, we understand that network has to be much bigger than just state government. It has to enable statewide collaboration among public-sector and private-sector partners to protect Wisconsin’s critical systems. Therefore we have established teams of state and local government representatives, as well as private-sector critical infrastructure owners and operators, to provide strategic and planning direction for cyber resources across the state. These teams have produced an overarching cyber disruption response strategy and helped to organize statewide cybersecurity summits. They’re now guiding efforts to design and implement specific operational plans to respond to cyber disruptions while ensuring timely and actionable communications between the various partners. This is not easy work; it requires a level of cooperation and flexibility that most organizations, public or private, aren’t used to. But in Wisconsin, we have concluded this widely collaborative approach is the only kind that can safeguard our systems and maintain critical services to our residents.
While it takes a network to protect a network, as the State CIO and Chief Information Security Officer, we realize that first of all we have important cybersecurity business to take care of here at the state’s Division of Enterprise Technology (DET). We have to ensure our state data center delivers an environment where agency applications can process securely and reliably. Then we must also provide the cybersecurity tools and architecture that are sustainable and repeatable to implement in other state agencies. Although most agencies had their own versions of security plans, Wisconsin’s recent transition to shared infrastructure services required the development of an enterprise approach to security. Incorporating the results of independent audits and feedback from multijurisdictional partners, DET completed an enterprise security roadmap in mid-2013. The roadmap breaks down the state’s security strategy into 12 security service categories and approximately 100 sub-projects and tasks, along with timelines, based on business needs, risks, and opportunities. The roadmap gets updated annually based on the input and approval of interagency governance groups, to make sure the policies, controls, projects, and technologies are meeting business customers’ needs.
Our progress has been encouraging. DET implemented an advanced firewall platform and a Network Access Control (NAC) solution at the state data center. Depending on the security profile of a user’s device, NAC can restrict the data and systems available to the user, as well as employ anti-threat applications such as firewalls, antivirus software and spyware-detection programs. We’re using the NAC effort to develop an enterprise-level implementation strategy for network protection, which will identify and control who and what connects to state networks. We’re also engaging in a multifactor authentication strategy that combines two or more credentials to create a layered defense, which prevents unauthorized persons from accessing State of Wisconsin IT systems.
On top of those initiatives, we’re implementing a Vulnerability Management Program that utilizes consistent assessment and reporting tools for the enterprise. This effort involves using the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities, especially in software and firmware, to diminish the risk of compromise associated with known vulnerabilities. The program also includes deploying specifically designed software tools that collect system configuration data and assess the information collected to identify and remediate vulnerabilities.
It would be a relief if we could limit our cybersecurity scope to what state agencies and DET have on their plates. But that’s not the world we live in. State agencies are just one important component in the network that protects our networks. Beginning in mid-2014, representatives from 16 critical infrastructure sector owners in the state (e.g., banking, energy, transportation, food and agriculture, water systems, to name a few) began meeting with the goal of producing a Cyber Disruption Response Strategy, a framework to help critical infrastructure owners and operators function in a collaborative, public and private partnership to respond to cyber disruption events. The strategy was published in October 2015.
The teams that guided the strategy development then evolved into the Wisconsin Cyber Strategic and Planning Working Group (WCSPWG), which has an ongoing mission of providing strategic and planning direction for cyber resources in efforts to identify, protect, detect, respond and recover assets in collaboration with public and private partnerships. The Working Group establishes cyber strategies and plans with accountability to the Wisconsin Homeland Security Council. In 2016 the WCSPWG, among its many activities, conducted a joint tabletop exercise (with both public- and private-sector participation), completed a public/private joint training exercise, and continued development of cyber disruption plans for its sub-teams. The WCSPWG, DET and the state Department of Military Affairs also worked together to organize the 2015 and 2016 Governor’s Cyber Summits at UW-Madison, which brought together statewide and national cybersecurity experts to share their expertise and discuss how the public and private sectors can partner to combat cyber attacks.
DET has had to take a major role in organizing meetings, planning cybersecurity summits, and producing deliverables, but that’s as it should be, and is a justifiable use of our resources. When the State CIO and CISO demonstrate that collaborative, multijurisdictional cybersecurity planning is a priority, it energizes all the players and leads to tangible results.
As we look back on the growth of our multi-partner cybersecurity efforts since 2013, we recognize that putting advanced technologies to work is an essential piece. But so are the more mundane activities of going to a lot of meetings, making the extra phone calls, tapping on many shoulders, and slogging through considerable documentation. All of that is also a big part of the cybersecurity solution. We wish we could make it sound more glamorous, but the outreach and the collaboration really do pay dividends. And knowing we are helping to protect the critical systems our residents rely on every day provides the ultimate motivation.