You probably heard all about the devastating ransomware attack WannaCry. Starting May 12, it ripped through the globe, infecting more than 300,000 computers worldwide.
What you probably didn’t hear was that the first reported appearance of the worm in the U.S. was on government computers in Cook County, Illinois.
Though they’re easy to overlook, states and localities play an enormous role in the lives of their citizens. In fact, when it comes to cybersecurity, your daily life might be far more affected by your state or city government than national policy. After all, if you drive, your Department of Motor Vehicles has collected a massive amount of information about you. Cities around the country are deploying all sorts of sensors to improve citizen quality of life by tracking things like traffic data or waste. Your state’s official cybersecurity strategies will dictate how it responds to a crisis like, say, an attack on the network of the state agency in charge of corrections. These are all state and local issues, playing an outsize role in your life. Malicious actors have already realized this and are increasingly targeting states and cities with ransomware and other hacking attempts.
And yet when President Trump issued a long-awaited executive order on cybersecurity—a largely uncontroversial document that mostly continued Obama’s efforts—on May 11, it included virtually no mention of these tiers of government. That’s deeply disappointing, because we can’t afford for states and localities not to be part of the national cybersecurity policy conversation.
Of course, what President Trump signed was an executive order. It’s meant to direct the federal government to improve the nation’s cybersecurity posture, which it does largely by commissioning a number of reports on topics such as risk management in federal agencies and critical infrastructure. By its very nature, such a document won’t offer a litany of directions for other tiers of government.
All the same, the order presents the first and most in-depth look at the administration’s cybersecurity vision. That it doesn’t clearly emphasize states and localities is somewhat troubling. One section calls for reports on educating, training, and supporting the American cybersecurity workforce of the future—a crucial move, as it’s widely expected that a huge number of jobs in the field will go unfilled. But there is little recognition that many of the very education policies that would address our urgent workforce issues sit at the state and local level. (Who actually sets curricula and other education policies in the United States? Not the federal government. That happens largely at the state and even at the local level.) State and local governments also play an enormous role in developing creative policies to tackle our urgent workforce shortage, such as cybersecurity apprenticeships, which the order explicitly mentions. States, our labs of democracy, are nimble enough to experiment with workforce policies in a way the federal government can’t.
Similarly, states, cities, and municipalities have an outsize (if often forgotten) role in overseeing, protecting, and managing “critical infrastructure.” That term—which includes nuclear power plants, manufacturing plants, and major financial institutions—is a hot topic in cybersecurity, particularly after the 2015 attack against the power grid in Ukraine. In the order, the administration instructs the executive branch to support the cybersecurity risk management efforts of the “owners and operators” of this critical infrastructure.
Yet the document only mentions state, local, tribal, and territorial governments once, in an explicit call for the federal government to coordinate with counterparts to secure the electric grid. That’s excellent advice, considering that these networks are about as “critical” as critical infrastructure gets. But state, local, tribal, and territorial governments play a role in at least 15 other sectors of critical infrastructure, including emergency services, water treatment, and election systems. If the administration is looking to make a real difference to the nation’s security, it needs to engage on a more local level about more than just the electric grid.
The executive order also calls for an international strategy. It may not be obvious, but states and cities can play an important role here, too. States, with budgets and populations that rival many countries, have economic and diplomatic heft, along with soft power. (Think of the reaction to California or New York City in some places abroad, as opposed to how the United States is received.)
In some cases, states are already forging ahead on the international stage. The National Guard State Partnership Program, for example, matches a state’s National Guard with a partner nation’s security forces to participate, cooperate, and train on topics including emergency management and disaster response, border and port security, counterterrorism, and as of a few years ago, joint cyberdefense efforts. In 2015, these pairings led to cooperative cybersecurity trainings between North Dakota and Ghana, Colorado and Jordan, and New Jersey and Albania, to name a few. These exercises run the gamut from boosting partner force efforts to strengthening “cyber defense capabilities and capacity by sharing information and mentoring” to “demonstrating techniques for the development of a reserve component cyber capability to leverage civilian capabilities within their populace.”
Cities are also racing ahead. The Council of Global City CIOs, launched last year to bring together chief information and technology officers across the world, has partnered with U.S. cities to “ensure the responsible and equitable deployment of smart city technologies,” including a focus on cybersecurity. And this is only the start. A good model here is the C40—a network of cities across the globe committed to tackling climate change.
Hopefully, this executive order is only the start of the Trump administration’s cybersecurity vision for the country, and a more mature vision down the line will pay sufficient attention to the role and potential of states and localities. But for the executive order, and the administration, to be as effective as possible in its quest to cyber-secure the nation, it needs to organize itself in a way that lets us leverage opportunities in other tiers of government. With the urgency of the task at hand, we can hardly afford not to.