That was just one of the questions addressed during roundtable discussions this past week at the inaugural Billington State and Local Cybersecurity Summit held on March 19-20 at the National Press Club in Washington, D.C. The event included nationwide experts from local, state and federal government agencies, as well as private-sector companies and nonprofit groups.
Some of the topics on the agenda included:
- Behind-the-scenes details on ransomware attacks against governments
- Various aspects of election security — including threats from foreign nation-states
- The role of the National Guard in state and local cybersecurity
- Advancements in AI — in both good and bad directions
- Resources available from federal agencies to state/local governments — including updates on cyber grants
- White House cybersecurity policy implications for states and locals
- Regional approaches to cybersecurity collaboration
- Fireside chats (without the actual fire) that discussed state and local CISO priorities and future plans
I was able to attend the entire event and moderate two sessions — one on elections and one on ransomware. I found this event to be different from any other recent cybersecurity event due to the many discussions that were not shared openly with the press and the federal government involvement, including several three-letter agencies (think NSA, CIA, FBI and DHS).
My favorite session was entitled “China in Your Digital Backyard” with T.J. Sayers, director of intelligence and incident response with the Center for Internet Security; Dave Frederick, assistant deputy director for China with the National Security Agency; and Andrew Scott, associate director for China operations with the Cybersecurity and Infrastructure Security Agency. The session was moderated by Katherine Gronberg, head of government services at NightDragon.
What frankly shocked me from that session was the level of concern from the intelligence community over current attacks that are coming from China.
“They have the access that they need, and if the order was given, they could disrupt some services in this country right now,” he added.
On a related note, on March 18, the Biden administration and the Environmental Protection Agency sent out a letter to all governors describing cyber threats to water systems across the U.S. The letter begins:
“Disabling cyberattacks are striking water and wastewater systems throughout the United States. These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities. We are writing to describe the nature of these threats and request your partnership on important actions to secure water systems against the increasing risks from and consequences of these attacks.”
An article from The Verge describes the cyber threats against water systems in more detail:
“Hackers believed to be affiliated with the Iranian government conducted attacks against US water facilities in November that hadn’t changed the default manufacturing password on common operational technology they were using. White House national security official Anne Neuberger said the incident was a call to tighten security around utilities, with the US Treasury sanctioning six Iranian Armed Forces officials responsible for the attacks in February.
“The letter also referenced threats posed by Volt Typhoon, a Chinese state-sponsored group that was revealed in February to have compromised information about US drinking water systems.”
More than 30 cyber leaders spoke at the cybersecurity event this week, including the following state and local government cybersecurity leaders:
- Vitaliy Panych, CISO, California
- Nancy Rainosek, Chief Information Security Officer, Texas Department of Information Resources
- Colin Ahern, Chief Cyber Officer, New York state
- Katie Savage, Secretary, Maryland Department of IT
- William Zielinski, CIO, Dallas
- Brian Gardner, CISO, Dallas
- Nishant Shah, Senior Advisor for Responsible AI, Maryland
- Josiah Raiche, Director of Artificial Intelligence, Vermont
- Michael Geraghty, Director, NJCCIC (New Jersey) and New Jersey CISO
- Michael Gregg, CISO, North Dakota
- Netta Squires, Director of Local Cybersecurity, Office of Security Management, Maryland
- Bruce Coffing, CISO, Chicago
- Ryan Murray, CISO, Arizona
- Ralph Johnson, CISO, Washington state
You can see the full agenda on the event website, but many of the sessions were conducted in a format that cannot be shared in this blog due to confidentiality.
Nevertheless, the open sessions will be made available in a few weeks online, and I urge you to watch as many of them as possible. (If you can only pick one, watch the closing session from Tuesday on the China cyber threat.)