Imagine the impact on the government cybersecurity landscape if the mantra for every U.S. state were something like, “Every student, every school, cyber-educated.” It’s the first I’ve heard about an objective this bold, and it comes from a state that gets little media exposure: North Dakota.
The small Great Plains state has established a sweeping goal of providing computer science and cybersecurity training to 700 teachers across the state. And instead of being reactive, North Dakota has developed a proactive plan that utilizes technology, people and process to stimulate its defensive mindset. It has also committed to the Zero Trust model of cybersecurity from the outset, employing the methodology in more than 70 percent of its data centers.
If municipalities, cities, states and government agencies followed this same blueprint, we would all be much better off. But how can we start making the critical shift? As soon as I learned about North Dakota’s approach, I knew I had to reach out to them to learn more and share my findings.
Cybersecurity Begins in the Classroom
Shawn Riley, chief information officer (CIO) of North Dakota, explained that the driving force behind the state’s mantra is the simple fact that computer science and cybersecurity are foundational 21st-century skills which are valuable in virtually every career field. With nearly 3 million cybersecurity openings around the world, it’s widely understood that the workforce gap is mushrooming everywhere. Riley is encouraged by recent government action emphasizing the growing shortage of cybersecurity professionals and the need to invest in these critical skills.
“We recognized that this is a challenge, but also an area of opportunity for us to be proactive,” he said. According to Riley, North Dakota has a unique ecosystem with more than 40 public and private sector partners and state leaders committed to both students’ and the state’s continued success.
“In a world where rapid technological advances are impacting every job and every industry, providing our students with these skills at an early age and promoting these opportunities throughout K-12 and higher ed is incredibly important from a workforce development standpoint,” Riley said.
EduTech, the educational technology arm of the North Dakota Information Technology team, has spearheaded a collaborative effort to provide training and resources for North Dakota teachers, students, parents and administrators through a variety of programs. Some of the highlights include cybersecurity and computer science training for teachers, a cybersecurity focus for the University’s PhD program, the highest participation in the SANS Institute’s Girls Go CyberStart program, and strategic alliances with various institutions, including NICERC, Code.org, the SANS Institute, the National Center for Women & IT, Palo Alto Networks, Microsoft TEALS and TechSpark, and Girls Who Code.
“These are just a few examples of the partnerships, resources and programs we’ve pursued in our efforts to lead the nation in cybersecurity,” said Riley. “It’s a grassroots effort with an incredible level of support.”
While these grassroots, education-first priorities are critical, it’s equally imperative that the state’s IT departments also prioritize cybersecurity operationally — especially since North Dakota’s IT architecture is unique, as the state’s chief information security officer (CISO), Kevin Ford, explained.
Dealing With a Rapidly Expanding Infrastructure
“We have a statewide network that we run for the executive, judicial and legislative branches of state government as well as the counties, cities, school districts and higher education,” Ford said. “The security team is responsible for protecting and responding to incidents associated with over 250,000 devices a day. In addition, we have research institutions and government agencies that are running autonomous drones, tractors, dairy farms, smart roads and environmental sensors that could push the count of internet of things (IoT) devices on the state network into the billions.”
As such, the department is positioning itself to tackle both current and next-generation issues. “We are looking at implementing IoT security practices, enabling our team with AI and machine learning, and moving to an automated security response wherever possible,” Ford said.
This is where the Zero Trust model comes in handy. Ford explained that they have been steadily deploying Zero Trust environments with a general philosophy of focusing on the endpoint as the most vulnerable piece of their architecture.
“[The endpoint] must be protected from all other assets that cannot prove their identity and trustworthiness,” Ford said, adding that the Zero Trust concept is difficult to nail down. “I would suggest that a ‘more complete’ Zero Trust model implements protections at multiple layers, including identity-based access policies on the devices as well as deployment of policy enforcing devices on the network. My ideal scenario is that every endpoint will communicate using mutual TLS and will not receive traffic unless it is from a known and trusted device.”
The Importance of a ‘Whole-of-Government’ Mindset
Without long-term, significant investments in today’s critical technology, the state would not be able to prosper in the long term. Riley suggests a blend of hyper-scale reinvention of government operations supported by 21st-century technologies, IT unification and artificial intelligence (AI). He estimates the state will soon boast over a billion sensors monitoring water, air, roads, animal health, agriculture and more, which will gather data for more informed decisions.
Given this extensive scope, a holistic approach is critical. To that end, North Dakota is developing a suite of technologies and meeting with top technology officials in other states to develop a shared security operations center (SOC) that can adapt to threats wherever they occur.
“We’re not just protecting and defending data and government systems,” said Riley. “We must enable the private sector to defend every citizen, device and business so we can continue to thrive economically.”
It must be pointed out that the state’s IT department wouldn’t be able to achieve these results were it not for top leadership — the governor, senators, mayors, etc. — and its full support of these government cybersecurity efforts. “That top-level support and leadership is imperative,” Riley said, noting that North Dakota’s Governor, Doug Burgum, as well as its legislature, Superintendent of Public Instruction, higher education stakeholders, private sector partners, and state and local stakeholders are essential elements of success.
“A unified strategy and singular approach are not possible without that ‘whole-of-government’ mindset,” he added. “Education and awareness with stakeholders are key. As a team, we’ve really invested time one-on-one with our legislators, Cabinet and other state leaders to help them understand the nature of the threat, what we have in place to address the threat, and what is needed to have a comprehensive, world-class cybersecurity posture.”
Riley told me that they go a step further by letting hands-on hacking demonstrations play a role in their numerous briefings to the media and public so others can understand why government cybersecurity is a priority for their state.
When Security Awareness Is Built-in
Finally, it seems like almost every time I write about how a government or enterprise makes security work, security awareness always comes up. Once again, the importance of preventing phishing, social engineering and other common attack methods can’t be understated here — no matter how deep we get into the weeds, the basics will always apply.
“Security awareness is critical, particularly around phishing,” said Ford. “Phishing is quickly becoming one of the most prevalent access methods because it is often easier to trick a human than beat against the defenses an organization may have in place. I strongly suggest running phishing simulations on a regular basis to try to inoculate your user base. You’ll never be perfect, but you can remove a lot of work from your response team’s plate by educating constantly around phishing.”
What makes security awareness more manageable? Hiring employees who already have a robust cybersecurity mindset from day one can make a significant difference. And if the state of North Dakota has anything to say about it, that much is possible when cybersecurity is prioritized at the K-12 level.
“Our long-term vision is a future workforce enabled with computer science and cybersecurity education to every student, in every school, because every job now and in the future will require knowledge of these foundational skills,” said Riley.