How one state pushes cybersecurity to local agencies

Local governments and school districts trying to defend themselves against cyberattacks have long struggled with staff shortages and tight budgets. Now, state IT offices are stepping up to help.

In Arizona, the statewide information security and privacy office known as Cyber Command offers cloud-based security services to state and local agencies free of charge—an approach known as whole-of-state cybersecurity that is gaining traction nationwide.

“We’re buying en masse cybersecurity tools for all of our agencies and then providing them back at no cost to them, which is sort of a novel concept,” said Ryan Murray, deputy director of Arizona’s Cyber Command and interim chief information security officer.  

Typically, when state IT offices provide this kind of service, they usually use “some kind of chargeback model,” he said. “They may be doing large bulk purchases, but they’re either requiring those [smaller state and local] entities to pay into it or sending them a bill every month. We really wanted to drive adoption of these products, and one way to do that is basically say, ‘These things are free, just use them.’”

Because the tools are cloud-based security stacks, the state can easily bring on more customers and allow them to connect from anywhere with any device. “We can manage and monitor those devices from any location, which has been incredibly impactful,” Murray said. Eighty percent of state agencies have moved to the state’s platform.

The biggest benefit to Arizona is cost savings resulting from economies of scale. “We’re now buying for 36,000 or 40,000 users, as opposed to each individual agency having to buy for their users,” Murray said. “[We are] getting significant discounts.”

The approach also helped Arizona tighten cybersecurity. When it rolled out the platform in November 2020, the improvement was almost immediate. By February 2021, the number of critical and important vulnerabilities went from more than 11,000 to less than 1,000 statewide.

“We literally saw overnight, as we started rolling this platform out, a significant drop in security vulnerabilities just by saying, ‘OK, now we can manage these devices, wherever they happen to live, regardless of whether they’re on state or personal networks,’” Murray said.

A third benefit of the setup is standardization that allows agencies to collaborate more easily.

“We’re all able to take the best ideas from all of our agencies for the products and platforms that they’re using and incorporate them at the state level and build standard work around that,” he said.

Initially, the program applied only to state agencies, but last summer, Arizona opened it to local governments including 15 counties, 91 cities, 200 school districts and 22 tribal nations. The advantages to them are threefold, Murray said. First, they get access to sophisticated cyber tools that they typically wouldn’t, mainly because of funding and personnel required to manage and support them.

That leads into the second benefit, which is gaining “the additional support from our team to help get them up and running,” Murray said. The state helps the smaller agencies deploy and configure the tools, then monitors them from the enterprise side, which has been “a significant boon,” he added.  

Third is building a problem-solving community among all the entities using the same tools.

It didn’t take long to see the approach’s advantages. A city government that had deployed state-provided and -monitored tools avoided a significant ransomware attack.

The state’s IT team saw some unusual behavior on one of the local workstations that “definitely looked malicious,” Murray said. After alerting the local agency about the identified issue, the on-site staff  “took action almost immediately—locked down that workstation and prevented it from spreading to the rest of the environment.”

Meredith Ward, deputy executive director of the National Association of State Chief Information Officers, said that the onslaught of ransomware attacks in 2019 led to an increase in cybersecurity communication and collaboration across state and local governments. Since then, the concept of whole-of-state cybersecurity has grown, especially since the passage of the Bipartisan Infrastructure Law of 2021, which secured $1.2 trillion in federal funding for state and local government programs including cybersecurity.

Still, the whole-of-state concept is not new, Ward said. She pointed to efforts in Michigan, Ohio and Wisconsin, which offer cyber response teams to all levels of government experiencing a cyber incident. The Texas Department of Information Resources also delivers technology solutions to state and local governments, Virginia has a “whole of commonwealth” approach to addressing cyber incidents, and in July 2022, New York Gov. Kathy Hochul announced a $30 million shared-services program to boost cyber defenses in counties.

“When it comes to procurement contracts, states have been offering statewide contracts for a really long time, but what they’ve not been great at is advertising those offerings to local governments and marketing what’s available,” Ward said. “We’re seeing more of that now.” 

To encourage adoption in Arizona, Murray said he and his team did road shows to talk about the program’s benefits, and they set up a Slack workspace, where all government entities can communicate in real time. “They’re sharing threat information, they’re sharing best practices, they’re talking to each other and learning from each other, and really just learning who each other are across the entire state,” he said.

Ward said she expects to see more states follow suit. “I think we don’t really have a choice,” she said. “From a cybersecurity perspective, cyber criminals don’t really see borders. I don’t think they really care if it’s the state of X, the county of X, the city of X, it’s ‘Here’s the target.’ The amount and the richness, if you will, of the target could be different, but everyone’s a target. Every locality, every state is going to face some sort of attempt.”

Looking forward, Murray said the next year will  focus on more deployments across all levels of government and explaining to government clients “that this is going to be an ongoing program, not just a one-time grant.” 

Arizona expects its whole-of-state cybersecurity program to protect all governments across the state, he said. “It doesn’t make sense for us to be doing this alone.”