DOCSLIB.ORG

Michigan Cyber Governance Case Study

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Michigan Cyber Governance Case Study Cybersecurity Governance in the State of Michigan A CASE STUDY December 2017 1,2,3 Michigan State Fast Facts ELECTED OFFICIALS: EDUCATION: • Governor Rick Snyder • Public with a high school diploma: 54.4% • Michigan House of Representatives: • Public with an advanced degree: 34.5% 110 Representatives • Michigan State Senate: 38 Senators STATE CYBERSECURITY EXECUTIVES: COLLEGES AND UNIVERSITIES: • Chief Information Officer (CIO) • 33 community colleges4 David DeVries • 15 public universities5 • Chief Security Officer (CSO) Rajiv Das • 54 private colleges6 • Chief Technology Officer (CTO) Rod Davenport STATE DEMOGRAPHICS: KEY INDUSTRIES:7 • Population: 9,886,095 • Manufacturing • Workforce in “computers and math” • Agri-business occupations: 2.1% • Cybersecurity • Defense • Information Technology 1 Executive Summary The Overall Challenge: How to address a range of cybersecurity challenges that cut across multiple government, public, and private sector organizations? Overall Lessons Learned from Michigan’s Governance Approach: • Leadership Matters. Leaders across multiple government, public, and private organizations make cybersecurity, and cybersecurity governance, a priority. • Leadership Is Not Everything. Laws, policies, structures, and processes instantiate and align cybersecurity governance with cybersecurity priorities so that focus does not change as personalities change. • Governance Crosses Organizational Boundaries. The distributed nature of cybersecurity requires a range of governance mechanisms that connect across multiple organizations and sectors. This case study describes how Michigan has similar challenges. As the case covers a broad used laws, policies, structures, and processes to range of areas, each related section provides an help govern cybersecurity as an enterprise-wide, overview of Michigan’s governance approach, strategic issue across state government and rather than a detailed exploration. Individual other public and private sector stakeholders. It states and organizations seeking greater detail explores cross-enterprise governance would likely need to engage directly with mechanisms used by Michigan across a range of Michigan to better understand how to tailor common cybersecurity areas—strategy and solutions to their specific circumstances. planning, budget and acquisition, risk Since the early 2000s, the state of Michigan identification and mitigation, incident response, executive and legislative branches have taken a information sharing, and workforce and series of deliberate steps to enable education. cybersecurity to be governed as an enterprise- This case study is part of a pilot project intended wide strategic issue both across state to demonstrate how states have used government and across a diverse set of public governance mechanisms to help prioritize, plan, and private sector stakeholders. As former and make cross-enterprise decisions about Michigan Department of Technology cybersecurity. It offers concepts and approaches Management and Budget (DTMB) Director and to other states and organizations that face Chief Information Officer (CIO) David Behen For purposes of this case study, governance refers to the laws, policies, structures, and processes that enable people within and across organizations to address challenges in a coordinated manner through activities such as prioritization, planning, and decision making. 2 said, “The focus is state of Michigan consistent, informal communications, in cybersecurity, not [just] the state of Michigan combination with formal communication lines, government’s cybersecurity.”8 to stay prepared for cyber disruptions.10 The state of Michigan government governs Information sharing has also played a critical information technology (IT) through a role in connecting a cybersecurity ecosystem of centralized structure, which enables a unified public and private sector stakeholders. This and coordinated approach to cybersecurity started as a grassroots effort by the Governor’s across the executive branch. Under Michigan and CIO’s offices to reach out across law, the DTMB has authority for IT, including stakeholders and ask for input. The initiative has cybersecurity, management, and budget evolved into an intentional set of formal and operations, for all state departments and informal communication governance agencies. (In this case study, “agency” refers to mechanisms to solve problems at strategic, executive branch agencies.) The DTMB is led by operational, and tactical levels. “Over time, a Director who is also the CIO.9 Under the relationships and trust were built with partners direction of this single Director and CIO, Chief across government, private, academia, etc., to a Technology Officer (CTO), Chief Security Officer point where communication and partnership (CSO), and Agency Service Information are part of the fabric of how [the state of Technology leads, the DTMB is responsible for Michigan approaches cybersecurity],” Ashley coordinating and executing a unified executive Gelisse, the Chief of Staff to the CIO, said.11 branch strategic IT plan, which includes To strengthen the cyber workforce, Michigan cybersecurity and aligns with overall statewide called on a governance approach developed by management and budget priorities. Michigan’s education community. Specifically, it Michigan also utilizes a range of governance utilized Merit Network12 (Merit), a consortium structures and processes to address a variety of of 300+ members, including Michigan’s public cybersecurity challenges that require universities, K-12 schools, libraries, local collaboration and coordination across public government agencies, and not-for-profits. Merit and private stakeholders. For example, Michigan led the effort to build the Michigan Cyber Range has established a cross-ecosystem governance (MCR), an unclassified virtual private training approach to managing cyber incident response. cloud that can be used for hands-on adaptive Working collaboratively with federal, state, training and certification in cybersecurity and IT local, and private sector organizations, leaders as well as product development and testing. The from the Cyber Security Infrastructure MCR also provides a controlled environment to Protection Division of the DTMB and the perform a variety of simulations and testing, Emergency Management and Homeland including running attack scenarios, applying Security Division of the Michigan State Police responses, and analyzing the effect on a developed the Cyber Disruption Response Plan network without putting an organization or (CDRP). The CDRP provides a framework for network at risk. The MCR services can be emergency management and IT agencies to accessed through a virtual connection or at a identify cyber threats and coordinate cyber physical extension of the MCR called a hub. response and recovery operations. The plan Cybersecurity is a challenge that cuts across uses a threat matrix that considers cyber events many issues and many interdependent along a five-level escalation/de-escalation path stakeholders. Therefore, Michigan uses a range and articulates which organization is responsible of governance mechanisms to work across for the cyber response management at each different public, private, academic and nonprofit level. Stakeholders across the ecosystem rely on organizations. The approaches described in this 3 case study were the result of many years of economic development perspective. However, intentional effort by many leaders and leadership was not everything. Protecting data individuals who made cybersecurity and and critical infrastructure across the state, not cybersecurity governance a priority across the just in state-run systems, required engagement state. Governor Rick Snyder made cybersecurity and partnership across the entire cybersecurity a top priority. He and others in the executive ecosystem. In Michigan, tangible laws, policies, branch agencies, state legislature, and private structures, and processes instantiated and organizations addressed cybersecurity as aligned cybersecurity governance with broader important from both a threat mitigation and cybersecurity priorities 4 Table of Contents Michigan State Fast Facts ......................................................................................................................................... 1 Executive Summary .................................................................................................................................................. 2 Background & Methodology .................................................................................................................................... 6 I. Strategy & Planning ............................................................................................................................................... 7 II. Budget & Acquisition .......................................................................................................................................... 11 III. Risk Identification & Mitigation ......................................................................................................................... 13 IV. Incident Response ............................................................................................................................................. 16 V. Information Sharing ........................................................................................................................................... 19 VI. Workforce & Education ....................................................................................................................................
Load more

Recommended publications
  • Merit Network, Inc
    Single Source Certification DATE: 10/18/2017 Authority is requested to make the following purchase under the provision of USF System Regulation USF4.02040(2)(b) , as a non-competitive purchase available from only one source. ITEM(S): Model City/Simulated Cyber Range, Educational Services and Training, and Secure Sandbox technology PRICE: $ Approximately $300,000 over three years FUND #: 100009 VENDOR ID: REQUISITION#: TBD TBD VENDOR NAME: Merit Network, Inc. PURCHASE ORDER #: TBD FEDERAL GRANT:__ Y __✔ N Describe the equipment, commodity or contractual service and how it is to be used. Provide the justification for the single source (note price cannot be used for justification). Attach additional pages if necessary. See Attached 10/18/2017 _____________________________ ________________________________ Purchasing Agent Date Approved by: Date Authority: USF4.02040 (2)(b) PUBLIC POSTING START DATE END DATE 10/18/2017 10/20/2017 Last Modified: 02/15/201107/27/2012 Page 1 of 4 The Florida Center for Cybersecurity is seeking to obtain a comprehensive set of solutions from a vendor including the following: Model City/Simulated Cyber Range, Educational Services and Training, and Secure Sandbox technology to ensure a robust user experience that delivers continuity across systems and ease-of-use. Merit Network, Inc. is a non-profit corporation, governed by Michigan’s four-year publicly supported universities, that operates a statewide research and education network, and provides network services and other cyber-related products and services (such as the Michigan Cyber Range) to its users. Merit offers a “Cyber Range Hub”. This hub would provide all of the following services: Alphaville, created by the Michigan Cyber Range, is a virtual training environment specifically designed to test cyber security skills.
    [Show full text]
  • The Quilt Circle 2014 Edition
    A Letter from the President The cover of The Quilt Circle this year is a photo from the inside of the Large Hadron Collider (LHC) in Geneva, Switzerland. We chose this cover for several reasons. First, it depicts a renowned example of global, collaborative scientific research that requires specialized networking infrastructure. This type of effort would not be possible today if not for the advanced networking infrastructure deployed by research and education networks all over the world. Through extensive collaboration, coordination and interconnection, these networking facilities bring new high-energy physics data to the desktop of the physicists dispersed worldwide leading to new scientific discoveries. Secondly, the LHC photo is significant because it is an example of collaborations within the research and education community at the highest level. These types of collaborations toward the pursuit of common goals are the hallmark of the research and education (R&E) networking community. Collaboration is a vital component of our community’s work, and our Quilt members are the ultimate collaborators bridging the human network with physical networks at the community, state, national and international levels. You can read all about these types of collaborations in this latest edition of The Quilt Circle. This year’s publication showcases our members’ efforts in providing tools and infrastructure to support science research and the big data movement; deploying and training on leading-edge networking technologies including software-defined networking; the completion of statewide network infrastructure projects funded through the Broadband Technologies Opportunity Program; the role of R&E networks in economic development; connecting libraries, municipal and county governments to our networks; partnering with member institutions for education technology; providing strategic services to members, and much more.
    [Show full text]
  • Michigan Cyber Civilian Corps
    2017 Michigan NASCIO Award Nomination Sponsor: David Behen, DTMB Director and Chief Information Officer Program Managers: Rajiv Das, Chief Security Officer Paul Groll, Deputy Chief Security Officer Ray Davidson, Project Manager for MiC3 Project Title: Michigan Cyber Corps Reboot 2016 Category: Disaster Recovery/Business Continuity Completion Date: December 2016 EXECUTIVE SUMMARY In today’s threat landscape, it’s not a matter of if, but when a cyber-attack will occur. The main question is: do you have the resources in place to address the attacks no matter where they occur? Every day, the State of Michigan detects tens of thousands of attempts to infiltrate its network. With the realization small and medium sized businesses and local governments are likely facing the same cyber threats; the State of Michigan created the Michigan Cyber Civilian Corps (MiC3), an all-volunteer force of cyber defenders to supplement its publically available resources such as the Michigan National Guard and Michigan State Police to its citizens. Michigan is unique among the 50 states in having an all-volunteer cyber corps and is routinely sought for guidance from other states. The original idea came from Governor Rick Snyder and was announced at the 2013 North American International Cyber Summit. The MiC3 started as a partnership among Michigan’s Department of Technology, Management & Budget (DTMB), Merit Network of Ann Arbor, MI, and the Volunteer Registry System of the state department now known as the Department of Health and Human Services (DHHS). Members were sought and recruited throughout the state, largely by Merit, and chiefly by word of mouth.
    [Show full text]
  • Maritime Cybersecurity Project
    MARITIME CYBERSECURITY PROJECT 1. Risk-Based Performance Standards Recommendation 2. Framework for Cyber Policy 3. Critical Points of Failure 4. Requirements for Maritime Cyber Range 5. Framework for Point of Failure Detection Methodology 6. Maritime Cyber Deterrent Strategy Effectiveness MARCH 9, 2018 This material is based upon work funded by the U.S. Department of Homeland Security under Cooperative Agreement No. 2014-ST-061-ML0001. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security. Maritime Cybersecurity Project Contents 1. Introduction .......................................................................................................................................... 1 1.1. Intended Audiences ...................................................................................................................... 1 1.2. Intended Processes ....................................................................................................................... 2 1.3. Guiding Principles ......................................................................................................................... 2 2. U.S. Marine Transportation System (MTS) ........................................................................................... 2 3. Analytical Scope ...................................................................................................................................
    [Show full text]
  • Future Skills: Preparing for the Changing World of Work
    SEMCOG, the Southeast Michigan Council of Governments, is the only organization in Southeast Michigan that brings together all governments to develop regional solutions for both now and in the future. SEMCOG: • Promotes informed decision making to improve Southeast Michigan and its local governments by providing insightful data analysis and direct assistance to member governments; • Promotes the efficient use of tax dollars for infrastructure investment and governmental effectiveness; • Develops regional solutions that go beyond the boundaries of individual local governments; and • Advocates on behalf of Southeast Michigan in Lansing and Washington The Metropolitan Affairs Coalition (MAC), a non-profit public/private partnership, is the only group that brings business, labor, government and education leaders together to build consensus and seek solutions to regional issues. It promotes regional cooperation and dialogue, and works to advance policies and programs that enhance the region’s economic vitality and quality of life. With its partner organization SEMCOG, and the diverse perspectives of its members, MAC is uniquely positioned to be a catalyst for change and help move the region and state forward. For more information about MAC, please go to www.mac-web.org. SEMCOG 2019 Educating and preparing our workforce for the changing world of work is critical to Southeast Michigan’s future economic growth and success. The convergence of technological advances, business trends, and demographic and social changes require a transformation of education and training systems to meet the needs of employers and increase opportunities and access to family sustaining jobs for all. Preparing both the current and future workforce requires a comprehensive strategy for leveraging existing talent assets as well as developing new ones; updating education and training systems; accommodating evolving work environments; and broadening hiring practices.
    [Show full text]
  • Cyber Range Cyber Defense Training
    2011-2012 JEF Grant Cyber Range Cyber Defense Training Flint Campus Technology Center Room S100 Morris Fulcher Associate Dean CIS Baker College of Flint 1050 W. Bristol Rd. Flint, MI 38507 810 766-8798 [email protected] Cyber Range Capabilities • Traditional in-room education/training • One class at a time • For any particular time period • All students physically present • Instructor physically present • New abilities for education/training • Remote Instruction (via Webex with Audio and Visual) • Instructor remote/Students in class • Instructor in class/Students remote • Instructor and Students remote • Multiple classes at the same time • One in the classroom and one remote • Increase sections and program offerings • Campuses with minimal students for a class can join together to create a section • Campuses can pickup programs that they ordinarily would not. They could be “joined” with other campuses to create section(s) • LABs • Students would be allowed to remote into the system to work on LABs during non-class hours • Learner Centered Instruction (LCI) • Hybrid classes (in pilot phase) • Generate Revenue • law enforcement, Military, Business sector Cyber Range Direct Cyber Defense Training Contacts Department of Homeland Security (DHS) Department of Defense (DoD) State of Michigan Cyber Range Mike Rogers, U.S. Congressman Brigadier General Mike Stone, Michigan National Guard Mile2 Corp. U.S. Army - Cyber Range (Georgia) U.S. National Guard Cyber Range (Arkansas) Michigan National Guard Collegiate Cyber Defense Competition (CCDC)
    [Show full text]
  • Academy Program
    Academy Program Embedding Cybersecurity Certification with Academic Programs Introduction Jason Brown, CISSP Chief Information Security Officer Merit Network, Inc [email protected] @jasonbrown17 https://linkedin.com/in/jasonbrown17 2 Agenda ● Background of Merit ● What is the Academy Program? ● How did we come up with this idea? ● How does it work? ● What does it cost? ● Who do I talk to? 3 Background of Merit Merit Network, Inc. Merit exists for the benefit of our membership Member owned since 1966 Governed by 12 public universities Supported by 300 affiliate members 501(c)3 non-profit 5 Introduction 6 Map of the Cyber Range 7 What is the Academy Program? What is the Academy Program? The Academy Program is part of Merit’s drive for early credentialing of students. ● Students enroll in courses that cover the same material as certification courses, augmented by appropriate academic material. ● These courses are taught in the same time frame as other academic courses. ● At the end of the semester/term, students are eligible to sit for the certification exam, which is covered in the tuition. 9 What is Early Credentialing? ● Early credentialing embeds industry-recognized certification training into an academic program ● Obtaining certificates qualifies students for jobs in addition to degrees and experience ● Academy courses are accredited by the NSA, NIST, NICE, NICCS, DOJ, and the FBI ● Certificates however do not comply with 8570 credentialing requirements 10 DoD 8570 11 Mile2 Offerings 12 How Did We Come Up with the Idea? How Did We Come Up With This Idea? ● Dr. Adams used to teach at the US Military Academy.
    [Show full text]
  • Michigan Cybersecurity Structures and Programs Profile
    NASEO State Energy Cybersecurity Models Analysis: Michigan Cybersecurity Structures and Programs Profile 21 | P a g e NASEO State Energy Cybersecurity Models Analysis: Michigan Cybersecurity Structures and Programs Profile Prepared by National Association of State Energy Officials 2107 Wilson Boulevard, Suite 850 Arlington, Virginia 22201 Telephone: 703.299.8800 Website: www.naseo.org December 2015 1 | P a g e Disclaimer of Warranties and Limitation of Liabilities Acknowledgment of work by the National Association of State Energy Officials contributing to this effort: This material is based upon work supported by U.S. Department of Energy under award DE-OE0000583. Disclaimer: This report was prepared as an account of work sponsored by an agency of the United States government. Neither the United States government nor any agency thereof, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States government or any agency thereof. THE FOLLOWING ORGANIZATION PREPARED THIS REPORT: National Association of State Energy Officials 2107 Wilson Boulevard, Suite 850 Arlington, Virginia 22201-3091 Telephone: 703.299.8800; Fax: 703.299.6208 Website: www.naseo.org 2 | P a g e The National Association of State Energy Officials The National Association of State Energy Officials (NASEO) is the only national non-profit organization whose membership includes governor-designated energy officials from each of the 56 states and territories.
    [Show full text]
  • Automobility
    MICHIGAN IS Automobility INDUSTRY AT A GLANCE Michigan’s automotive and mobility industry came out of the last decade following the recession with more than 60,000 new automotive manufacturing jobs, a nearly 50% growth. Looking ahead to the next decade for the world’s most dense automotive industry cluster, Michigan is poised to drive next-generation mobility, the new frontier of the automotive industry. 21 96 of the top 100 $225 billion original equipment manufacturers contribution to Michigan’s automotive suppliers to North (OEMs) have headquarters or economy annually America have a presence in Michigan, technology centers in Michigan and 60 are headquartered here #1 for operational and planned U.S. 16 universities and colleges in Michigan offer nationally Department of Transportation-funded ranked undergraduate engineering programs and four connected vehicle deployments with offer nationally ranked graduate programs 14 projects 500+ miles of roadway 17% of all U.S. vehicle equipped for connected and production and 11% of all automated vehicles North American vehicle $14 billion business-funded production occurred in automotive research development occurs Michigan in 2019 in Michigan annually, making up 72% of the nation’s share 2,200+ facilities with 21 vehicle $41.5 billion engineering, design, models were in OEM investment in Michigan testing, and validation assembled in since 2009 capabilities. Michigan in 2019 Publication Sources: Automotive News, Bureau of Labor Statistics, Center for Automotive Research, CyberSeek, Detroit Regional Chamber research, EMSI, FIRST in Michigan, Integrated Postsecondary Education Data System (IPEDS), International Trade Administration, Merit Network, Michigan Defense Center, Michigan Department of Transportation, Michigan Economic Development Corporation, National Center for Science and Engineering Statistics, National Conference of State Legislatures, National Science Foundation, PatentsView, State of Michigan, Square One Network, Tax Foundation, The Brookings Institute, U.S.
    [Show full text]
  • Introduction Can You Describe Merit Network's Cybersecurity Training Programs, Such As the Michigan Cyber Range?
    Merit Network, Inc. 880 Technology Drive, Suite B Ann Arbor, Michigan 48108 Subcommittee on Research and Technology Committee on Science, Space, and Technology U.S. House of Representatives Hearing on “More Hires, Fewer Hacks: Developing the U.S. Cybersecurity Workforce” ​ ​ Merit Network Testimony Joseph Sawasky, President & CEO, Merit Network February 11, 2020 Introduction First, I'd like to thank the House Subcommittee and its members for the kind invitation and opportunity to present Michigan perspectives on the critical issue of cyber security workforce development. Our country faces real challenges many millions of times every single day from adversarial organizations, including hostile nation states and criminal enterprises. When defenses fail for U.S. organizations, companies, governmental entities, educational organizations, healthcare systems, manufacturers and others experience major negative impacts to operations - affecting services to citizens and customers. Quietly and diligently, on the front lines, are our nation's thin ranks of expert and dedicated cyber security professionals. However, according to the National Initiative for Cybersecurity Education (NICE), the U.S. had a shortfall of over a half-million cyber security professionals as of January 2019. According to NICE, in my home state of Michigan, we have over 9,000 vacant cyber security positions now. Estimates of the global cyber security workforce shortage has ranged from 1.5 million to 3 million unfilled positions, with a higher than average annual growth rate in demand for talent. Cyber represents the next horizon of warfare and crime, and it is essential that our nation nurture, support and grow the pipeline of cyber talent for our country - from K-12 to higher education and through continuing professional development.
    [Show full text]
  • MIA Mobility Report.Pdf
    Dear Friends: Welcome to Planet M — where big ideas in mobility are born. Planet M represents the collective mobility efforts across the state of Michigan, involving the technologies and services that enable people and goods to move around. It is no surprise that this initiative is happening right here in Michigan, the state synonymous with the auto industry. Throughout the past several decades, Michigan has continued to build upon its robust automotive history. Through our innovative spirit, industrial landscape and collaborative atmosphere we are driving the next generation of transportation. Although this industry is one that continues to evolve, our state has remained at the forefront of this expansion. Michigan is home to more than 75 percent of North America’s automotive R&D, 60 percent of the industry’s suppliers and a quarter of all U.S. assembly plants. Additionally, Michigan ranks number one in new automotive-related jobs created since 2009 and number one nationally in having the highest concentration of mechanical and industrial engineers. Together, these statistics all mean one thing — the future, including self-driving cars, connected vehicles and other new innovations — is coming together right here in Michigan. It is also being shaped by ongoing collaboration with our partners in the auto industry. These partners include the future American Center for Mobility, located on the site of the legendary Willow Run manufacturing plant, Mcity, located in Ann Arbor, and other automotive developments near Detroit, Grand Rapids and Lansing. Through these types of programs and initiatives, we have been able to continually demonstrate Michigan’s leadership role in developing the technology necessary to power the vehicles of the future.
    [Show full text]
  • Michigan's Leading Approach to Cybersecurity When It Comes To
    Michigan’s leading approach to cybersecurity When it comes to cybersecurity, Michigan is forging the future. With the state’s ample resources, talent and infrastructure, Michigan is building a strong cyber ecosystem of cross-sector partners and assets focused on finding innovative solutions to prevent and respond to cyber threats. It's not only home to the first public school district in the nation to create a cybersecurity program, but the state also has the largest concentration of electrical, mechanical and industrial engineers in the U.S. Currently, there are more than 140,000 people working in the IT and cybersecurity industry in Michigan, more than half of whom are in metro Detroit. In addition, the state launched the Michigan Cybersecurity Initiative, the world's first comprehensive state-level effort that is improving the state’s defenses while fostering rapidly growing cybersecurity industry and the talent needed to respond to cybersecurity incidents throughout the state. Through this initiative, Michigan is taking a proactive approach to cyber defense with the creation of the Michigan Cyber Range (MCR). Powered by the Merit Network, the MCR offers an unclassified, private environment to teach, test and train individuals and companies for real- world situations. Through classes, exercises and virtual infrastructure, it gives companies an affordable and flexible way to prepare for cybersecurity challenges of all types. Recently, the Cyber Range added two new hubs in Southeast Michigan – Pinckney Community High School and Wayne State University – that serve as centers for the cyber ecosystem within their communities, providing certification courses in more than 20 cybersecurity disciplines.
    [Show full text]