John Wood of Telos Corporation provides an inside look into the Virginia Cyber Security Commission, established by Gov. Terry McAuliffe in 2014.
- Shortly after taking office in 2014, Gov. Terry McAuliffe signed an Executive Order establishing the Virginia Cyber Security Commission “to bring public and private sector experts together to make recommendations on how to make Virginia the national leader in cyber security.” It was my privilege to serve as a member of the Virginia Cyber Security Commission for the past two years, and I want to commend my fellow commissioners for their contributions, particularly Co-Chairs Richard Clarke and Secretary of Technology Karen Jackson, as well as our executive director, Rear Adm. Bob Day (Ret.). With the Commission’s two-year authority ending this spring, it’s a good time to look back on what was accomplished and to see what’s next.
Being on the Commission was an eye-opener in many ways. The Commonwealth faces numerous and evolving challenges in the battle to secure state and local government networks, and to help protect the private sector and citizens of Virginia. I was incredibly impressed with how open and honest our discussions were as we explored many complex issues. This includes not only commissioners but the Governor’s appointees and other state employees who were party to our discussions – they were remarkably candid with us about the serious threats Virginia faces in cyber space and what actions are needed. We heard from and worked with representatives from state and federal law enforcement, the Virginia chief information officer, and other state government information security professionals. It was refreshing to hear such blunt assessments of our vulnerabilities – there was no “bureaucratic” caution, probably because the threat is so real and so immediate.
The Commission served to shine a bright light on the challenges facing Virginia. We made a number of recommendations that led to subsequent actions by the Governor and General Assembly, improving Virginia’s cyber security posture. Moreover, our activities have better positioned Virginia’s cyber security sector to be a vibrant national leader. These results are consistent with the Governor’s desire to “grow this key industry, keep Virginia’s cyber assets safe and create new, good jobs here in the Commonwealth.”
I urge everyone to read the report issued last summer by the Commission. It notes some of the recommendations that were already accepted by the Governor and adopted by the General Assembly, such as new laws to help prosecute cyber crime and put in place other policies to better protect Virginians. More importantly, the report raises a number of issues that require further work. The effort must continue – there is much to be done, and Virginia’s public and private sectors must continuously work together to illuminate the changing threats we face and to swiftly take appropriate actions to address them.
It was gratifying to see how easy it is to get things done when people work together to find consensus. The Commission explored problems and made recommendations, and the Governor and General Assembly took action. That’s the way government is supposed to work.
At the same time, I saw how difficult it is to get things accomplished when competing agendas battle for the same limited pool of resources. That was my biggest disappointment. In our report, we identified a real need for dedicated funding to promote collaborative cyber security research and development between the higher education community and private sector. That course was endorsed by the members of the General Assembly’s own Joint Commission on Technology & Science (JCOTS), which recommended $5 million to fund this effort. But this bi-partisan recommendation was set aside in Richmond, at least for now, because there were simply too many R&D agendas fighting for the same pool of money and attention. I am hopeful the Governor and General Assembly will return to this because I firmly believe, as do many of my fellow Commissioners and the members of JCOTS, that collaborative R&D will be a key element in our drive to grow the industry and make Virginia THE leader in cyber security.
One final note: cyber security does not recognize man-made, political boundaries. In that light, we in the technology sector should be looking at where other companies and other states are making investments (like in R&D), and see where we might do the same. Similarly, I hope the Commission’s work will set an example for other states, and help to chart a path for Gov. McAuliffe to pursue greater cooperation among the states. I know he is interested in making intrastate and interstate cyber security a major focus during his upcoming term as chairman of the National Governors Association, and Virginia’s cyber security leaders in the private sector should support his efforts in any way we can.