Cyberattacks continue to threaten our everyday lives, impacting the way we shop, the way we communicate and the way we do business. State governments play a significant role in society, administering and delivering services and providing the backbone of governance in the United States. It is therefore important that they implement a robust and multi-faceted cyber policy. That’s why we’re releasing a new white paper today entitled “From Policy to Practice: Strengthening Cybersecurity in State Governments” to provide support and key policy recommendations for state governments as they look to strengthen their existing state practices.
The seven key recommendations for state governments discussed in the paper are:
- Ground cybersecurity policy in established guidelines and standards. State governments should adopt and implement federal frameworks, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, to help lay the groundwork for strong, effective state cybersecurity policy.
- Establish an ongoing cybersecurity advisory council with industry and academia. In many states, cybersecurity expertise lies across industry sectors and academic disciplines, and many of these experts would likely be eager to contribute to state cybersecurity policy. We recommend that states utilize these assets and create a cybersecurity advisory council, which would bring together industry experts, academics and public sector leaders to develop cybersecurity strategies for the state and help respond to ongoing threats.
- Create a culture of cybersecurity. The weakest point of security for any organization, including state governments, is its personnel. Yet today, only 18 states require cybersecurity training for all their employees. We believe it is essential to develop a knowledgeable, cyberliterate workforce to reduce cyber risks to the state.
- Leverage new resources to enhance election integrity. Over the past few years, threats to democratic processes from cyber-enabled interference have become a critical concern. In this section, we discuss the resources available to states to better protect their election systems and increase the overall election integrity in the U.S.
- Integrate cyber resilience into every step of strategic planning. Cybersecurity is a journey that can be marked by major challenges and sometimes failures. That is why we believe that states need to prioritize making their services and data more resilient and have processes in place to respond to and quickly recover from cyberattacks.
- Consider cyber insurance to help protect state assets. Cyber insurance can help states complement their cyber risk management process by providing financial protection against risks that cannot be fully mitigated.
- Strong procurement policies and compliance are essential. As data being created and stored by states has increased, so too have the legal and regulatory obligations of those states. It has become increasingly important that states examine their compliance and procurement policies, ensure that they comply with these obligations and, importantly, that their vendors can demonstrate that they will enable compliance through their tools and services.
Policymakers today face an increasingly complex array of threats, challenges and considerations. Microsoft supports states’ efforts to develop strong cybersecurity strategies, policies and practices. We hope that the strategies and approach described in this paper provide useful guidance for states in advancing their security goals.