McAuliffe on Cybersecurity: ‘It’s Something That Every Governor Needs to Focus On’

When Virginia Gov. Terry McAuliffe took the reins of the National Governors Association’s executive committee as the new chair for 2016-17 this weekend in Des Moines, Iowa, it wasn’t necessarily a surprise that the Democrat made cybersecurity his main initiative for the organization in the upcoming year.

McAuliffe regularly talks about the nation’s cybersecurity challenges and is a champion for his state’s important tech and IT security sectors, largely based in the northern part of his state, adjacent to Washington, D.C.

“I am dead set in making Virginia the leader of cybersecurity,” the governor said in December.

With sensitive federal agencies, research organizations and defense installations—including the world’s largest naval base, in Norfolk—located within his state’s boundaries, hackers attack targets in Virginia regularly. State governments, naturally, are not immune to those cyber risks.

But cyber-readiness varies from state to state and McAuliffe wants the NGA to help facilitate new dialogue with governors about the risks their respective governments face when it comes to protecting critical IT assets and how they can not just help each other, but learn from one another.

McAuliffe spoke with Route Fifty on Monday morning about his cybersecurity initiative for the nation’s governors, called Meet the Threat: States Confront the Cyber Challenge.

What follows is a transcript of our conversation with the governor, which has been edited for length.

ROUTE FIFTY: Why did you make cybersecurity the top priority for the upcoming year as chair of the National Governors Association’s executive committee?

VIRGINIA GOV. TERRY McAULIFFE: I wanted a real deliverable for the governors, something that brings us all together, a very bipartisan issue. It’s something that every governor needs to focus on.

So, as I stressed, just in Virginia since Jan. 1, we have had 53 million cyber attacks which is about 1 every 4 seconds. About 300,000 per day. We’ve blocked 42,000 of malware [attacks], we’ve stopped about 131 ‘very serious’ cyber attempts into our system.

As I explained to the governors, we obviously, even more so than the federal [government] have even more data—all of the healthcare information that the states have, in addition to all of the state tax information that we have, and the point I tried to make, without mentioning any states by name, is that five states are doing a very good job, 20-25 are making significant progress and about 20 are in very bad shape.”

So the point is we in Virginia and Michigan—Gov. [Rick] Snyder and I worked very closely together on this—we can spend all this money and build all the protections we have, but if you have a state out there that is not building cyber protections, then these cyber hackers can go into a weak link on the chain, get into that state, whether through one of the businesses . . . and use that state to get into any of the other states. So, until all 50 states have done what they need to do to protect themselves, you’re only as good as the weakest link on the chain, so I said that year from today, we’re going to come back. I gave out a one-page checklist with what every governor ought to be doing in their respective states . . .

Because if you get hacked, it’s not only your businesses, it’s your state, there are financial problems, there are security problems. Virginia is very unique as you know we have the Pentagon, the CIA, the largest naval base in the world. All of these could be impacted, which affects your ability to do commerce, and protect your vital assets. So, it’s a real deliverable, and I wanted as chairman of the NGA to have a deliverable that would benefit all the states and bring us together and I’ve got to tell you the governors were very appreciative because many of them have not really focused in the manner that they should.”

ROUTE FIFTY: That checklist you referred to, is that the list of questions available on the NGA’s #MeetTheThreat website?

McAULIFFE: Yes. . . . I handed out the drafts of our legislation that has already passed. I handed out my executive orders. In Virginia, we lead the nation. We were the first state in America to adopt the NIST cyber framework.

We really have landmark legislation on the whole issue of digital identity, which is now the model for the other states.

We have led the nation in the adoption of the advanced credit card standard, the new chip security is now in all of our credit cards for the state. You do business with anyone who has a state credit card we now have the chip identity protection on every single card.

It’s all going to culminate next year with a national summit on cybersecurity which we’re going to host in Virginia.

ROUTE FIFTY: When you review surveys of state chief information officers and others involved with protecting state IT assets, they say there’s a problem with state budgets and not having enough resources to compete with the private sector to recruit and retain the top cyber talent. Do you view state workforce challenges as an unresolved issue that governors are dealing with?

McAULIFFE: Let’s be honest, it’s a big issue that we have to deal with. . . . [T]he federal government has a tough time getting these cyber warriors when you can go into the private sector and be paid three or four times as much. So I passed legislation here in Virginia that, if you give me two years in state government, I’ll pay your college expenses, I’ll pay for your cyber degree. We’re the first state to offer scholarship for service. Right now in Virginia, we have 67,850 people who work in the cyber workforce. I have 650 companies in cyber in Virginia. And it’s expected to grow by 25 percent through 2022.

I want all of our community colleges, our higher education institutions to stand up to be centers of academic excellence for cyber.

I’ll pay for you to go get a degree because it’s worth it to me.

We really want to develop in the K-12 system. I don’t want to wait for you to get to the higher education, or community colleges or a 4 year [institution] we need to start doing this much earlier. I have 17,000 jobs open right now sitting here in cyber in Virginia, the starting pay is $88,000. So, that’s about $3 billion in annual payroll for me. I need to fix that.

And I told these governors this weekend that it’s not only about protecting yourselves, it’s about growing your economy . . . you all need to get in the game on this and these cyber companies are only going to go where they know they’re going to have the workforce of the future and you’ve got to show that you’re rebuilding your education system. We’re redesigning our high schools here in Virginia, the don’t work, no high schools in America work—they were built in the Industrial Revolution—we are totally transforming them to make them applicable to the skill sets that are needed in the 21st century economy.”

ROUTE FIFTY: Does reporting need to be improved with cyber incidents? What should a cyber governance body look like?

McAULIFFE: I set up a cyber commission here in Virginia and they came back to me with 29 different recommendations.”

We are going through each of our state agencies . . . We are training people inside every one of our state agencies.

This year, we’re going into the 10 localities to do a full cyber up-and-down analysis because we can do this as a state, and related to the point I made about the 50 states, I have the same issue with my own localities, so we are now systematically going through our localities for us to go in and do a cyber analysis [to find out] where they need more work, where there are weak spots, and where we need to invest more. People make the argument on resources—you want to talk about a return on investment, you had better spend this money up front. If you don’t do it on the front side, you will pay for it on the back side and it will be a exponential multiple of what you would have paid for on the front side.

RELATED on Route Fifty:

• "Governors Discuss Trans-Pacific Partnership , Opioid Abuse at NGA Summer Meeting"