OSHKOSH, Wis. — Addressing the cybersecurity threats that face Wisconsin requires close collaboration between all levels of government and the private sector, according to Wisconsin’s adjutant general, who spoke to members of the Wisconsin Biogas Council during a cybersecurity conference on the campus of the University of Wisconsin-Oshkosh Aug. 22.
Maj. Gen. Don Dunbar, who also serves as the senior state official for cyber matters, spoke to the group on a variety of cybersecurity topics ranging from recent state efforts to exercise for cyber disruptions, public-private partnerships, the role of the National Guard in cybersecurity, elections security, the Wisconsin Cyber Threat Alliance, and the importance of practicing good cyber hygiene.
Dunbar noted that Wisconsin treats cyber emergencies no different than other emergencies with which the state grapples such as tornadoes or floods, and it responds within the constraints of the National Response Framework. Within that framework the emergency response continuum begins at the local level, then mutual aid agreements and county resources before requesting state or potentially even federal resources. There are also provisions in place that allow emergency managers to call for state or federal assistance long before exhausting all available local resources.
“We don’t treat physical emergencies different than cyber emergencies,” Dunbar said. “Some agencies say, ‘if it’s a physical emergency like a hurricane that’s the emergency management agency, if it’s a cyber event that’s something else.’
“I believe that if there’s a physical event there will be cyber effects,” he added. “If there is a cyber event there will be physical effects. We treat them the same, and we need to develop well-groomed responses for cyber events like we have for physical emergencies such as tornadoes and flooding.”
He also said that, in accordance with the state’s cyber disruption plan, state resources must be ready and prepared to assist smaller governmental agencies and businesses in the event that they need additional resources, much the same way the state provides assistance in the event of a natural disaster.
Dunbar said, however, that generally state level cyber response teams would only be employed in an advise and assist capacity during cyber events.
The adjutant general said the state has five key roles as it relates to its role in cybersecurity – as a regulator, providing emergency response, enforcing laws, ensuring the state can function as a corporate entity, and educating and developing cyber talent.
The state, he said, has come a long way in its cyber preparedness in the past decade. The adjutant general heaped praise on Wisconsin’s Chief Information Officer David Cagigal and Wisconsin’s Chief Information Security Officer Bill Nash, for their efforts in advancing Wisconsin’s cybersecurity initiatives.
“We exercise, and we test ourselves, and we keep getting better,” he said. “We’re not there. We aren’t finished, but we have gotten a lot better.
“In the last 10 years, Wisconsin has dramatically improved,” Dunbar added. “Long way to go, and you never get there. It’s a process and a journey, not a destination.”
He pointed specifically to the ongoing public-private partnership established between the Wisconsin Department of Military Affairs – which includes the Wisconsin National Guard, Wisconsin Emergency Management, and the Office of Emergency Communication – and the state’s power and utilities companies. Through the charter that established that partnership, the state and private sector began developing processes through which the members would share information and respond collaboratively.
Managing an emergency in which there is no power for an extended period of time due to cyber and physical threats was the focus of the Dark Skies exercise in May 2018. The exercise, he said, forced the state to think through managing fuel resources, communication, water supplies, and the second and third order effects a long-term mass power outage would have on the population.
“We need to think about how does the government function?” Dunbar said. “How does law enforcement function? The key services government provides like communication, power, water, sewers how do we function without them?”
Ultimately, he said, cyber security is the number one concern among the four main threats outlined in the state’s homeland security strategy, but readiness for cyber emergencies begins at the lowest level with good cyber hygiene practiced by individual users and agencies at every level. Everything from updating passwords regularly, checking settings, establishing automatic and recurring software updates and patches, and repeating the process regularly, go a long way toward hardening potential cyber targets.