Cybersecurity Committee Update

Representatives of the TAGITM Cybersecurity Committee had a series of meetings Thursday, October 31 with State Cybersecurity Incident Response (IR) working group in Austin, as well as Department of Information Resource (DIR) leadership and a representative from DHS. Here are some of the topics that were discussed.

Incident Preparedness/Prevention

What resources are available for both protection and response? A catalog of federal and state resources available to local government before, during and after an incident is needed.

Incident Response

To whom should a local government report an issue for which they need assistance? There are reasons and times to contact various agencies such as local law enforcement, TDEM, DIR, FBI, DHS, MS-ISAC, etc. However, the answer is situational. There needs to be a playbook that helps local government know who to contact in the various situations.
What constitutes a cybersecurity disaster vs. an incident?
How does jurisdiction differ for a cybersecurity disaster vs. an incident?
What is the incident response process, and who is authorized to communicate in the event of a cybersecurity disaster or incident?

Communication

How do local governments get the information required to help protect their agencies and prevent the incident from spreading further? While we don't need to know specific actors or get information that would jeopardize the investigation, we need to know whether we are at risk and to the extent available how to protect ourselves.
How do we ensure that the information is secure and goes only to the appropriate people? Local government IT staff are vetted, and most have gone through the same FBI (CJIS) background check as police officers due to their access to sensitive information.
What cybersecurity incidents should be reported by local government, and to whom and by what means? A smaller agency might be devastated by an event that would not even phase an agency with a more mature cybersecurity program. How do we ensure that potential attacks are reported in order to corelate attack data and to whom should it be reported?
How do we ensure that the information we share is secure and anonymized to protect the local agency?

The meetings were productive, and our questions and input were well received. DIR is working with other agencies to identify a vetted and secure means of communication before, during and after such events. There is also a need to have a means for local government to securely share intelligence related to malicious activity that we are seeing in our agencies. That intelligence needs to be collected, reviewed and anonymized so that it may be shared back to local government as threat intelligence. There are existing avenues such as MS-ISAC and HISN portals that may be used, but they are looking at various options. DIR is also working on information that can be shared related to the cybersecurity response resources that are available to local government.

With SB 64, which included cybersecurity events as incidents that could be declared a disaster, local government now has access to emergency management resources should an event be declared a disaster at either the local or state level. This is a new process. The IR working group with which we met, as well as emergency management officials across the state, are working to understand how they can best aid with a cybersecurity event, which is quite different from the natural disasters to which they most often respond. The good news is there are resources available to local government IT. IT leadership is encouraged to get to know their emergency manager/coordinator as they will be a great resource in the event of a declared disaster.

If you have an incident with which you need help, additionally you may can call DIR directly. They can help connect you with resources to quickly and cost effectively assist with remediation and response if requested. They also work closely with other state and federal agencies. For non-urgent requests, email DIRsecurity@dir.texas.gov. If the issue is urgent, you can call DIR’s 24-hour hotline at 512-350-3282. Contacting DIR does not replace the need to contact your emergency coordinator, local PD, cybersecurity insurance provider, etc. as applicable.

A clearly defined process to address all the items that committee members shared in the bulleted lists above will not happen overnight. However, progress has been made to open communication channels with the officials that have the means to implement the needed processes and programs. Follow-up meetings and communication will continue.