After months of escalating cyberattacks against state and local governments dotted around the United States, North Dakota’s technology agency is setting out to build a shared infrastructure in hopes of rallying a unified defense.
North Dakota Chief Information Officer Shawn Riley told StateScoop the Information Technology Department he leads is developing a suite of technologies and meeting with top technology officials in other states with the goal of developing a shared security operations center that can adapt to threats wherever they occur, calling on those with security resources and intelligence to help those who need it.
“There’s a lot of conversations going on with this,” Riley said. “Part of what we have to work through is as we look at the potential of states supporting each other, how can we make sure there are no political overtones? We’re doing assessments of multiple states and how that applies to the ability of all of us to really truly to work together.”
North Dakota may seem an unlikely origin of such a project — it’s the fourth-smallest state by population, and hasn’t endured many high-profile cyberattacks, like the Aug. 16 ransomware incident that struck 23 communities across Texas — but North Dakota’s unique organizational structure combined with Riley’s affinity for collaboration make it a fitting launchpad.
North Dakota’s technology agency earlier this year assumed cybersecurity operations for all government offices throughout the state — more than 252,000 users riding on the state network who come from state agencies, schools, courts and the state legislature. This unique arrangement presented Riley’s office with an unprecedented level of responsibility and drove officials to begin thinking more holistically about how they can secure not only their own networks, but everyone’s.
More than 125 public institutions are known to have been hit by ransomware in 2019 and they were organizations at all levels of government and of all sizes. When word got out that North Dakota was working on this problem, Riley said he started getting calls from all around the country. Small communities and K-12 districts have a notoriously difficult time defending against cyberattacks, but it’s going to be a challenge for organizations of all sizes and sophistication levels, he said.
“I think a good example is on one hand we’ve got a community of 48 people, 48 humans in the entire town where the mayor, city auditor and bus driver are all the same person and then you have a school district with 35,000 kids in it,” Riley said. “This technology can scale across that entire environment.”
Riley said he’s not yet ready to reveal which states will participate — only that assisting local government offices and K-12 districts is a challenge widely shared by state governments. Tim Bottenfield, the CIO in neighboring Montana, told StateScoop he is among those talking to North Dakota, but Riley said this effort won’t be limited to a particular geographic region.
There are already organizations that help to widely distribute strategic advice and information on cyberthreats, such as the Multi-State Information Sharing and Analysis Center, or MS-ISAC, which is operated by the nonprofit Center for Internet Security and funded by the U.S. Department of Homeland Security. But North Dakota Chief Information Security Officer Kevin Ford said this project, rather, will focus more heavily on cybersecurity operations.
“While we will obviously ingest ISAC information to help prioritize operational responses, we are also offering improved operational capabilities,” Ford said. “We will be able to provide members the availability to respond to their own security issues as well as, when desired, pool resources to help each other respond to security emergencies. Our tech stack is heavily automated, and the more data we have flowing into it, the better the efficiencies will be for everyone involved.”
Details such as whether it’s appropriate for the governor’s office of one state to see the security logs for another state run by a governor of an opposing party still need to be answered, Riley said. There are also complex regulatory and technical hurdles to overcome. In North Dakota alone, there are more than 300 privacy laws that could potentially bear on the project’s implementation. But Riley says these challenges are trivial compared to the threat government is now facing.
“The reality is, individually, we are all screwed,” Riley said.