That first plan helped establish common cybersecurity definitions and background knowledge, which laid the groundwork for the 2021 plan to dig deeper with various best practices guides and toolkits, said Chetrice Mosley-Romero, state cybersecurity program director, in a recent Government Technology interview.
The 2021 strategy also revisits many of the initiatives of its predecessor to examine where they can be taken further. That includes examining ways to update the Cyber Incident Response Annex and incorporate lessons learned from exercises and tests done in the intervening years. After all, cybersecurity isn’t something that can be permanently achieved, but rather takes a continuous effort.
“As with everything in cyber and government, the important part of what the council was working on in the second round of the strategy is making sure we go back to those deliverables and not just hit one and done, but to really go back and say, ‘OK, is it time to provide updates? Is it a time for us to dig deeper into something?’” Mosley-Romero said.
COVID-19 and funding issues waylaid some of the goals of the 2018 plan, and the council completed 93 of its 120 objectives (77.5 percent) and 54 of its 69 planned deliverables (78 percent).
The 2021 strategy now sets forth 68 deliverables and 134 objectives, which address goals ranging from cybersecurity communication improvements to wastewater risk assessments and updates to the state’s cyber emergency resiliency and response guide.
Both strategies were created by the all-volunteer Indiana Executive Council on Cybersecurity (IECC), under the guidance of state officials, and with Mosley-Romero overseeing the council’s day-to-day operations. About 350 IECC members contributed to creating, enacting and assessing the first plan between 2017 and 2021, while the new strategy engaged 250 advisory members and 35 voting members.
Councilmembers were drawn from across the state and include representatives of government, private industry and academia. The broad membership has also helped different sectors better understand each other. For example, academic and private-sector members have become more aware of the unique needs of local government agencies, Mosley-Romero said.
“It's been really great to see even some of our members make changes to some of their programs or services, because they're hearing and they're listening to those [local government] needs and making adjustments,” Mosley-Romero said.
Among the new deliverables is an online privacy toolkit for public- and private-sector users. The 2018 plan established the foundation for this, by creating a personally identifiable information (PII) guide that clarified the kind of information organizations must protect. The forthcoming toolkit now aims to both help entities learn which privacy regulations apply to them and direct them to resources, Mosley-Romero said.
Supports can include best practices guides as well as boilerplate contract language that buyers can insert into vendor agreements to ensure a base level of privacy is accounted for. Other resources include explanations to help organizations considering hiring privacy officers understand what to look for in a resume and what responsibilities to expect the officers to handle.
Mosley-Romero said it's especially important for supports to be designed with local governments and small businesses in mind. Unlike their larger counterparts, smaller organizations are less likely to have the budgets and designated staff to dig into cyber issues on their own.
States working to upgrade their cyber postures remain at higher risk if they cannot bring everybody along with them — and doing so requires providing the supports. Tools need to be designed to work for those with limited resources, and guides need to be written in language that is easy for non-cyber experts to understand, too, the report emphasizes. The 2021 strategy also includes plans for a 15-episode cybersecurity podcast series aimed at local Indiana government listeners.
Municipal and county government representatives are included in the IECC to give an insider's perspective, and Indiana has also been participating in the National Governors Association (NGA) Policy Academy to further develop its local government engagement efforts.
Of course, making a plan isn’t the same as making it happen.
Council committees will meet monthly or bimonthly to push forward their initiatives, and regular check-ins and full-council meetings are intended to help bring accountability and turn attention to any obstacles that need to be addressed, Mosley-Romero said.
Still, the future can be unpredictable. Most, but not all, of the 2018 goals were achieved, as COVID-19 and funding issues got in the way. Many councilmembers held leadership or high-level positions in their organizations, and the pandemic outbreak significantly reduced the time they could volunteer for council work.
Any significant changes in the pandemic and available budgets could impact how much the council is able to get done and which initiatives get priority, Mosley-Romero said.
“You have to be OK with changing things around,” Mosley-Romero said. “It’s not considered a failure. It's considered being smart, because we're not pushing something just for the sake of it. We're pushing something because it's the right time to do it, it’s resourced properly, and the people are more receptive because they're ready to receive it.”
Still, there could be surprise benefits, too. The 2021 strategy was not designed to rely on new federal funding, but anticipated grants could make a real difference in how quickly cybersecurity change happens, Mosley-Romero said.
She noted that even free toolkits and guides aren’t truly without cost to local governments because they may need to pull staff from other projects to implement the changes, but that grants could ease the strain.