Local governing bodies, from school systems to local and tribal government, to even state government, tend to be critically underfunded. This is especially true when it comes to cybersecurity and the protection of sensitive constituent data.
Arizona is one state entity that was prioritizing cybersecurity before it was cool. In our latest Voice of the Customer webinar, Virtru’s Matt Howard sat down with Arizona Deputy CISO Ryan Murray to discuss the state’s approach to the rapidly moving State and Local Cybersecurity Grant Program (SLCGP), along with the past, present, and future of cybersecurity in Arizona.
Around four years ago, Arizona decided to prioritize cybersecurity by mandating security awareness training and phishing test campaigns for all state employees. To start, the state mandated yearly cyber training for state employees. That flourished into new developments and security practices each year, like the rollout of multi-factor authentication, endpoint protection, and their Statewide Cyber Readiness Grant Program.
The Statewide Cyber Readiness Grant Program has provided security awareness training, advanced endpoint protection, multifactor authentication and web application firewalling to state and local entities at no cost to them.
“[Cybersecurity] is something that we all have to participate in, and... an attack against one of us in Arizona should be seen as an attack against all of us in Arizona. And that includes all of our local governments, all of our private-sector companies. We should be looking at this from a holistic, really, truly whole state approach.”
Cybersecurity has been a top priority in Arizona for years, with backing from Governor Ducey himself who has encouraged statewide cyber readiness since 2018.
“The big piece of this is, instead of looking at all of our employees, all of our users, all of the people that we do business with as potential threats, they are now cybersecurity professionals. They're now cybersecurity sensors. They are now gathering telemetry for us and sharing it with us and helping to spread that culture across the state.”
In addition to making cybersecurity a team sport, Arizona framed their organizational structure to further elevate cybersecurity as a statewide priority. By reporting to the Department of Homeland Security, Arizona's enterprise cybersecurity team can affect change on a systemic level, as opposed to being viewed as a glorified IT department.
“Governor Ducey said that cybersecurity is Homeland Security,” said Murray. “Arizona is a border state. So that's very heavily top of mind and something that Homeland Security is heavily involved with. There's the drug crisis happening across the nation. We've got other issues that our Director has to focus on, which is one of the main reasons I exist in the first place, is so I can focus solely on the cyber mission. But realistically, it's something that's sort of unique here in Arizona, having that elevated perspective and that elevated voice to be able to take [cybersecurity] directly to the policymakers and executives who can help drive that mission.”
With the tight time limit of SLCGP closing in on the states, Arizona is on target to submit their SLCGP application by the November 15 deadline. The same isn’t true for many other U.S. states and territories who will either forego the first year of funding or ask the federal government for a deadline extension.
Since Arizona has already put muscle into their cyber efforts, they plan to use funds from SLCGP to augment their current program. For them, this means obtaining better tools and products, expanding the features of current tools, and potentially bringing in new personnel at the local level to manage and run cybersecurity technology and programs.
Despite schools and local or tribal governments being the most vulnerable targets for cyber attacks, school districts are not allowed to apply directly for the SLCGP, but may have access to the funds awarded, should their state receive them. According to Murray, Arizona is already planning ahead for this.
“[K-12 schools] are significantly underfunded across the nation, just sort of as a baseline,” said Murray. “The typical funds that they get for school districts come through E-rate, which specifically does not cover cybersecurity protections … We made this a specific focus as part of our Cyber Readiness Program, as well as ensuring that was included as part of SLCGP, because we know that they're seeing the same threat actors attack them, the same nation-state actors, the same cyber criminals. And they're woefully unprepared to defend against those, just like other local governments.”
As taxpayers, we expect our dollars to go toward making our lives better, and safer. Cybersecurity plays a major role in that, as data breaches and attacks at the state and local levels have tangible implications on citizens. Using the funds from SLCGP and through Arizona state tax, Murray and his colleagues will remain diligent in keeping their state-led cyber programs alive and well to benefit AZ citizens.
“[The Statewide Cyber Readiness Program] is taken on the bill at the state of Arizona, utilizing our economies of scale, our ability to buy more licenses, getting that best bang for our buck and taking care of our taxpayer dollars and using them the best and most efficient way that we possibly can.”
Year one of the State and Local Cybersecurity Grant Program promises funds to states based on a 10% match. Since Arizona is expected to budget $300,000, the federal government will give them a $3 million grant in return.
As far as pie-in-the sky funding from the federal government to achieve new cyber goals each year, Murray’s a bit skeptical. For the first year, the SLCGP requires only a 10% match for participation in the program. But that percentage will grow throughout the four-year program, and then the program will end. For Murray, cyber self-sufficiency is the most important thing to gain from SLCGP.
“I don't think SLCGP is going to be the solution … but I think it's a good step in the right direction,” said Murray. “One, we have no idea what the threat landscape is going to look like in four years. And two, we have no idea what the political landscape is going to look like in four years. And three, this money runs out in four years. So state and local governments are going to have to find a way to fund these things that SLCGP is paying for currently when the money goes away after the end of this program. And that's something that hopefully between now and the end of this four years, we can have that conversation with our legislatures, with our executives, and let them know that this is a critical thing that states and local governments need to devote funding to actually continue the support of these programs.”
Looking to the future of Arizona’s cybersecurity efforts, Howard asks, “So, what do you intend to do with $3 million from SLCGP?”
In short, Arizona wants to do more. Currently, its proactive Statewide Cyber Readiness Program provides training for five vital topics: anti-phishing/security awareness training, advanced endpoint protection, converged endpoint management, multi-factor authentication, and web application firewall. However, five modules doesn’t cover the scope of threats directed at state, local, tribal, and educational entities under attack. Murray and the rest of the AZ cyber authority plan on facing the future in collaboration with these entities to best protect at-risk data.
“It needs to be an open line of communication with the community to talk about what are our next priorities and whether that's aligning to the NIST cybersecurity framework, whether that's looking at other frameworks like the CIS critical controls, how do we prioritize, what do we look at next. And what controls do we want to add that can greatly reduce the additional risk across the state of Arizona?” said Murray.
“Arizona, I think we're starting to do better, but obviously we've got a long road to go,” said Murray.
Part of the road ahead includes constantly evaluating the nature of data, trust, access controls, and security on a tangible level.
“Looking at those assumptions of trust between all of these things, our systems, our people, our data, and how do we best protect those? I think we can absolutely at least make it way more difficult for attackers, for these threat actors to try to come after Arizona and frankly, they'll go elsewhere … if we make Arizona, let's say, financially unfeasible for attackers to go after, they will stop, for the most part, coming after us. And as we start looking more and more at — let's put people behind bars, let's start looking at convictions, let's work with law enforcement to share information with them … To make it unfeasible for threat actors to do significant damage or significant harm to both our public sector and our private sector and our critical infrastructure. And, you know, hopefully that's a reality sometime in my lifetime.”
Arizona, along with many other state and local governments, uses Virtru to protect sensitive data flowing in and out of their organization. You can watch the full webinar with AZ’s Ryan Murray below where they further discuss SLCGP, data protection, and cloud infrastructure.
Interested in exploring affordable data protections for your state entity, school district, local municipality, or tribal government? Contact our team today.