The Need for a Federalist Approach to Cybersecurity

Washington has a new cybersecurity champion: the Cybersecurity and Infrastructure Security Agency. With 22 new governors entering office in 2019, agency leaders face a challenge and an opportunity. A mass departure of vital expertise and knowledge at the state level could stall critical initiatives to build a more resilient digital society. But new leadership across the country also creates an opportunity to invigorate federal engagement.

Because cybersecurity permeates every level of society, it must be addressed by every layer of government. This administration deserves credit for taking a swing at the white whale of cybersecurity. Its recently released National Cyber Strategy envisions a United States that finally turns the tide against the cyber criminals and foreign adversaries who attack our hospitals, steal our wealth, and undermine our institutions. Yet the strategy meant to guide a federal system of government makes only two passing references to states. Likewise, Executive Order 13800, the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, pays little attention to the role of SLTT governments.

While these documents and others rightly commit the United States to a whole-of-government response, federal agencies can achieve only so much alone, and the scale of the problem demands something more: a whole-of-nation approach.

To do this properly, state, local, tribal, and territorial (SLTT) government capabilities and priorities must be integrated into federal planning and outreach to both public and private sectors. Integration will require guidance, support, and funding from federal authorities, and an increase in federal government cybersecurity presence around the country. The federal government has a huge local presence for counterterrorism, maritime security, and counterdrug operations, areas that require federal-state cooperation. The same is true for cybersecurity.

State and local governments are at the frontlines of this effort. They process untold volumes of private information and supply critical services, from water and Medicaid to public safety. New FEMA rules mandating some use of homeland security grants for cybersecurity underscore the federal role in helping states and localities protect themselves. But states and local agencies are responsible for much more: cyber disruption response and resilience, cyber crime, regulation, emerging technologies, and workforce development.

Protecting critical infrastructure consumes federal attention and resources, and the waiting list for Department of Homeland Security testing services demonstrates their value. But critical infrastructure owners and operators--particularly the smaller ones--need those services now. States such as New Jersey (through the NJCCIC), Pennsylvania, Missouri, New York, and Kansas (through its Fusion Center) offer models for providing response and resilience services to organizations in their states, increasing the coverage for these valuable resources.

Similarly, although federal law enforcement has notched major wins against cyber criminals, limited resources force investigators to prioritize only the most serious crimes. The result is a broad swath of cyber criminals that, despite exacting a terrible toll on the economy, operate with relative impunity. It is up to state and local law enforcement to pick up the slack. Utah and Michigan, for example, have made strides in building the capacity to prosecute cyber crimes, proving that it is possible and fruitful.

States are also moving on cybersecurity regulation. In the absence of wide-reaching federal government action, states are issuing first-of-their-kind rules in multiple areas, such as data breach safe harbors (Ohio), security for connected devices (California), and financial services (New York). Any national framework for cybersecurity must account for sub-federal mandates, lest we wind up with a patchwork of security standards that mimics the landscape of state data breach notification laws.

State and local cybersecurity governance will only gain importance in the coming years with the rollout of smart city initiatives. As local governments deploy nascent technologies across the country, states and local leaders will be responsible for integrating security into the conversation, setting standards for implementation, and establishing appropriate contract vehicles.

As governments and businesses digitize more functions and services, the workforce gap continues to grow. The National Institutes of Standards and Technology (through its National Initiative for Cybersecurity Education) and the National Security Agency do great work, setting national standards and scaling opportunities for cybersecurity education. Yet it is state and local governments who control curriculums and are critical to building an effective workforce pipeline.

Some federal policymakers do champion the role of states and localities in cybersecurity, and they work hard to support their non-federal counterparts. But achieving a truly mature national risk posture means Washington must keep state and local functions at the center of policy, operations, and legislative engagement.