On Wednesday, June 11, IST’s Senior Director for Preparedness and Response Michael Klein spoke on a panel at UC Berkeley’s Center for Long-Term Cybersecurity (CLTC) Cyber Civil Defense Summit, “Without Washington: Rethinking Shared Responsibility for Regional Cyber Resilience.” Sean Frazier, Federal CSO at Okta, moderated a lively discussion that examined the shifting role of the federal government, the impact on state and local cybersecurity, and how public sector agencies need to reexamine priorities to do more with less federal support. Panelists began by addressing the recent cuts in federal funding for cybersecurity programs, which leave state and local leaders facing tough decisions about how to allocate resources to meet pressing needs.

Klein identified a few mechanisms in the K-12 education sector that have recently faced new challenges. While he worked at the U.S. Department of Education in 2022, the LA Unified School District faced a ransomware attack. After the incident, recognizing the lack of a clear roadmap for dealing with an ongoing incident, the Department established a Government Coordinating Council (GCC) with key sector stakeholders in state and local government. The Council served as a mechanism for convening specialists quickly, in a confidential manner, to raise the problem through the federal government and ultimately up to the White House. This convening mechanism, however, has been suspended in recent months. In the wake of the recent PowerSchool attack, Klein noted, “we used to be able to sit in the federal government and address these challenges, but we can’t convene like that. Those are some of the gaps, not just the money, which is super important… not just information sharing… we need to help [state and local institutions continue to] build that capacity.”
The panel also discussed the importance of bolstering the broader cybersecurity workforce. Netta Squires from Open District Solutions spoke about the importance of looking at a whole-of-state approach. “During this time, we have to coordinate, collaborate, and communicate efficiently, effectively, and economically,” she said. She outlined a partnership with Maryland community colleges that creates opportunities for individuals to participate in cybersecurity ranges. “Anyone is eligible to go through the course and get certified,” she said. “Being able to have experience in a live environment helps with hiring… Here, we’ve taken a relatively simple resource, given it to the states, and then everyone gains from it.”
Tony Sauerhoff from the Texas Department of Information Resources spoke about a program in Texas where the state funds regional security operations centers (SOCs) that are staffed by a combination of students in paid and part-time positions working alongside full-time professionals. “These are real-world SOCs supporting real communities,” he said. Similarly, David Batz of Edison Electric Institute highlighted the importance of building mutual assistance programs.
Klein acknowledged, “we will never ‘people’ our way out of this problem.” Especially in K-12 education, resources are simply spread too thin. Klein advocated for companies and civil society to take on a larger role, particularly as the federal government seems to be stepping back. To catalyze this effort in the education subsector, IST launched the K-12 Cyber Defense Coalition (CDC) – composed of 13 membership organizations representing superintendents, school boards, technology leaders, principals, and state leaders – to drive state and local collaboration, policy development, and information sharing to defend our nation’s schools from cyber threats.
In closing, Klein laid out three pathways for improving state and local cybersecurity. First, the community needs to ask owners and operators of critical infrastructure to do what they can to improve basic cyber hygiene. “In the case of the education sector, that would include implementing MFA… at the district level,” Klein noted. Second, state-level legislators and policymakers need to invest in better incident response mechanisms. Finally, Klein emphasized that companies need to embrace secure-by-design principles. “If you hand folks insecure systems,” Klein said, “it’s going to be really challenging.”