Indiana and North Dakota’s Cyber Incident Reporting Progress

Laws passed last year in both Indiana and North Dakota created a requirement that local governments report cyber incidents up to the state level.  Government Technology checked in with officials in both states to assess the benefits and challenges of these programs now that they’ve been in place for a year.

In both states, governments have been flexible in crafting laws that won’t place too much of a burden on localities in terms of reporting.  In Indiana, discussion between state and local leaders allowed them to create a reporting process that takes around five minutes and avoids minor or irrelevant incidents like an employee being locked out of their machine for an incorrect password.  North Dakota was able to alleviate additional reporting effort by building automated reporting into their security tools.

The results have varied a bit, but are positive.  Localities are comfortable with the levels of reporting required of them and are receiving better support from their state-wide counterparts.

In North Dakota, passing the law made a big difference in the basic cybersecurity hygiene of many local organizations.  A need for reporting caused an increase of 200% in the deployment of the state’s basic cybersecurity tools like antivirus software.  So not only are these localities getting automated incident notifications, they’re also getting the technology to stop cybersecurity incidents from happening to begin with.

Indiana has been focused more on knowledge sharing.  By reporting on more than just high-profile ransomware attacks, local governments can get a more realistic idea of the type of threats they’ll be regularly facing and receive the training necessary from the state.  Officials are also conducting a road show, and have individually visited about half of the state’s 92 counties to promote the policy. 

The state has already received around 175 incident reports, which have provided it with unexpected data, such as how many of the incidents were a specific type of phishing attack known as a business email compromise attempt.  This, in turn, allows local governments to be prepared for the specific attacks they know they’ll face.

Programs like these have been easier to get off the ground than a federal initiative, simply given the smaller scope.  Nevertheless, they are real-world implementations that have shown minimal burden and measurable results.  Certainly this should give cybersecurity experts hope that further progress can be made in the public sector.


About the Author: Chris Mack

Chris is a Marketing Manager at Extract with experience in product development, data analysis, and both traditional and digital marketing. Chris received his bachelor’s degree in English from Bucknell University and has an MBA from the University of Notre Dame. A passionate marketer, Chris strives to make complex ideas more accessible to those around him in a compelling way.