CISA aims to fill all 50 statewide cyber coordinator posts by year’s end

The Cybersecurity and Infrastructure Security Agency is on track to have 50 statewide coordinators in place across the U.S. by the end of the calendar year, according to a senior official, potentially adding another level of protection against digital threats like ransomware and foreign election interference.

Last year’s defense policy bill required the agency to create the posts as a way to tighten relationships between federal authorities and state and local government officials — a push that has grown in importance since the massive SolarWinds hack exposed gaps in the nation’s cyber defenses.

CISA has 35 state coordinators on board and expects to have all 50 “up and running as we enter calendar year [2022],” Matt Hartman, the agency’s deputy executive assistant director for cybersecurity, told The Record last week.

The coordinators are meant to serve as the go-to point of contact in all state capitals, counseling officials such as chief information officers and secretaries of state about online risks and how to harden their systems against cyberattacks. They are also tasked with raising awareness about the federal cybersecurity resources states can tap before, during and after a digital assault.

States have come under tremendous stress in recent years. The pandemic forced personnel to work remotely and moved both critical and run-of-the-mill services online, exposing sometimes outdated networks to increased hacks and phishing attempts. The ransomware epidemic has also hit a broad range of domestic U.S. targets, including local governments, school districts and even hospitals — which in some instances have only been resolved with federal assistance.

Hartman said the coordinators would help combat malware by advising states to appraise their systems and prioritize what steps can be taken to better safeguard themselves, like implementing multi-factor authentication. 

The advisers will help organizations should they be victimized by ransomware “by ensuring that they have offline backups, ensuring that they have incident response plans. That they've tested those plans and that they have business continuity plans, so they can operate in an IT-constrained environment,” he said.

The coordinators will also be a “huge piece” in resolving some of the issues laid bare by the sweeping SolarWinds breach, according to Hartman. 

In that instance, hackers for a Russian intelligence agency rented U.S.-based servers to launch an attack that broke into nine federal agencies and around 100 private entities. The episode caused national security leaders and congressional lawmakers to lament blind spots between agencies with foreign and domestic security missions.

​​“It’s not that we can’t connect the dots. We can’t see all the dots,” National Security Agency Director Gen. Paul Nakasone told the Senate Armed Services Committee in March.

Hartman said coordinators will be able to gather and share information from both the public and private sectors thanks to their presence “on the ground.”

“The first step to connecting dots is to gain better operational visibility. And to gain better operational visibility as the federal government is through a partnership model and through a relationship model,” he told The Record, adding all interactions are strictly voluntary because CISA has no regulatory powers.

Hartman said he wasn’t sure how much the hiring spree would cost the Homeland Security Department’s cyber wing. However, an estimate by the nonpartisan Congressional Budget Office put the price tag of the original legislation creating the state posts — which was later tucked into the sprawling defense policy roadmap — at $37 million over five years.

Filling the posts

Matt Hayden, a former assistant secretary of homeland security for cyber, infrastructure, risk and resilience policy, said “there's so many benefits from having individuals in the state office that saying it's long overdue is easy.”

“The hard part is these types of professionals don't grow on trees.”

A sampling shows the kind of cyber chops needed to fill the posts. For example, South Dakota’s longtime CISO left the state government to take the role. In Rhode Island, the advisor has served as the CISO for the Ocean State’s National Guard. While in Texas, the coordinator previously held several digital security positions.

Hayden noted that CISA has built some “street cred” with statehouses after the agency’s work to help secure the last two national elections against potential foreign interference.

“They don't have a terrible relationship right now because there was blood, sweat, tears and equity put in in the last four to five years to make sure that if something was going on they had a connection and vice versa, that CISA had the ability to to push information into the hands of staff in every state capital no matter what,” according to Hayden, now vice president at regulatory and compliance company Exiger.

Hartman said that once all 50 coordinators are aboard CISA leaders will work to ensure they have the “appropriate connective tissue” within the rapidly expanding agency — reporting to regional directors and other staff who in turn can pass insights along to headquarters so that “we are all operating on a similar sheet of music.”