The incredibly complex challenges inherent to cybersecurity require a whole-of-state approach guided by multiple agencies. The state chief information officer may lack authority to enact cybersecurity measures across the executive branch, and a major cyberattack will demand close coordination between National Guard cyber units, state police and private companies. Formalizing communication pathways between critical stakeholders and ensuring they do not break down is indispensable for a truly strategic approach to state cybersecurity.
A risk assessment will provide direction by establishing the baseline risk to state operations, organizations and individuals resulting from cyber threats. It identifies vulnerabilities to state information assets, internal and external threats to those assets, consequences if the threats exploit the vulnerabilities, and resources available to mitigate those vulnerabilities. The findings will determine the composition of the governance body based on members’ abilities to mitigate risks and vulnerabilities.
Consider the legal and policy implications when establishing the body through an executive order, legislation, or a simple convening, and when naming the body (e.g., commission, task force, council). Accounting for political realities, sunset rules, freedom of information statutes, and budgetary requirements will result in more realistic timelines and encourage sensitive discussions among task force members.
Will the body focus on state networks alone, or will it study the private sector? Will it simply offer recommendations, or craft and operationalize a strategy? In the latter case, an executive order or legislation should explicitly authorize the body or its individual members to mandate specific actions by government agencies. Governors should avoid duplicating roles and responsibilities that already exist within agencies. The governance body should complement existing functions and leverage them to fulfill its own unique mission. Lastly, the body should include a legislator who is familiar with relevant issues and who can champion potential legislative action.