With Gov. Eric Holcomb’s signature earlier this week of a bill that imposes new information-sharing requirements on state agencies and local governments that experience cyberattacks, the Indiana Office of Technology will soon be taking a greater hand in how organizations around the state plan for and respond to online threats, state Chief Information Officer Tracy Barnes told StateScoop this week.
The new law, which Barnes and his team started working on with legislators last summer, requires state entities and local governments to report attacks — including ransomware, denial-of-service, website defacements and zero-day exploits — to IOT within two business days of discovery. It also empowers IOT to work more closely with those organizations on finding third-party vendors to work with.
Holcomb’s signature also came shortly after the National Governors Association added Indiana to its cybersecurity policy academy, an annual program in which state government officials work to develop new policies that could eventually be shared with other states. Indiana’s focus during the NGA academy is to address strengthening partnerships between the state IT office and local governments, Barnes said.
“We’re going to be refining the toolkit and tangible connection between state government, local government and the small business side. We’ve done a great job in Indiana with our Executive Cybersecurity Council,” he said, referring to a group of about 250 individuals from the public and private sectors that advises Holcomb periodically on IT security. “How do we get tangible, practical action items?”
Barnes said that as Indiana’s participation in the NGA academy unfolds, his office plans to be “very aggressive” in partnering with a handful of municipalities and possibly with entities in the utilities sector, as well. The objective, he said, will be “sharing tools and technologies.”
“We don’t have unlimited funds,” he said. “The first and foremost thing is strategy. It’s recognition a local government may not have a playbook, or even know where to start.”
Barnes said that the state government is reasonably well-resourced, as are some of Indiana’s larger cities.
“But especially as you get into the non metro areas, rural and off the beaten path, it’s day-to-day,” he said.
The timing of the new cybersecurity law and the NGA policy academy were coincidental, Barnes said, but both go toward enhancing a “whole-of-state” approach that more states are taking toward their cybersecurity and infrastructure postures.
“That collaborative need is what’s driving me here in Indiana,” he said. “I’m confident it’s driving other states as well. It’s that tenet of we’re only as strong as our weakest link. There’s the altruistic reality that I see my role as trying to protect all 6 million Indiana citizens at some level.”
With the new information-sharing law taking effect July 1, Barnes said he plans to push out some communications about the new reporting requirements. But he also said IOT needs to ensure that information can flow in smoothly.
“From a tech standpoint, it’s making sure we have the submission tools in place,” he said.
Barnes said that during the bill’s writing and passage, he worked with two local-government organizations — Accelerate Indiana Municipalities and the Association of Indiana Counties — that he said were receptive to it.
“The bill has been a catalyst to increase the collaboration,” he said. “It’s not an end-all be-all, but it’s policy to help shape the behavior and mindset of where things are going.”