AI, Cybersecurity, and State Innovation: A Conversation with Nebraska's CISO Patrick Wright

Nov 06, 2024 | 33 min | Season 1 | Ep. 45

Episode description

In this episode of Cyber Focus, host Frank Cilluffo interviews Patrick Wright, the Chief Information Security Officer and Chief Privacy Officer for the State of Nebraska. The discussion centers around the challenges and opportunities of implementing artificial intelligence (AI) and cybersecurity strategies at the state and local levels. Patrick shares insights on leveraging AI to bolster cybersecurity, managing privacy implications, and building strategic public-private partnerships. The conversation also highlights initiatives like Cyber Tatanka, a unique cybersecurity exercise involving military, government, and private entities, and addresses the importance of cooperation with federal agencies.

Main Topics Covered:

  • State-level implementation of AI and its role in improving government services
  • Leveraging AI for cybersecurity: challenges, use cases, and privacy considerations
  • Cyber Tatanka: A collaborative cybersecurity exercise with the National Guard
  • Strategic partnerships with private sector and federal agencies
  • Resource allocation and logistical challenges in disaster management using AI

Key Quotes:

"We're leveraging cybersecurity and AI to bolster our defenses against the national and global threats that we face." – Patrick Wright

"We can talk about cyber security from a strategic perspective all day long... But where the rubber meets the road is in providing the critical capabilities for cyber down to the SLT level." – Patrick Wright

"Being proactive in not only what we're doing from a cybersecurity awareness perspective, but from an emerging technology perspective, from a policy perspective, from a best practices perspective." – Patrick Wright

"When you start talking about targeting the power grid, not only are you disrupting power supply generation for constituents across the state or region, but you're also impacting power for other critical infrastructure like health care and banking." – Patrick Wright

"We tend to look at the world through our boxes and org charts. The bad guys don't. They act. In fact, they very intentionally exploit the seams in our defenses." – Frank Cilluffo

Relevant Links and Resources:
National Association of State Technology Directors (NASTD)
NASTD AI Survey
Multi-State Information Sharing and Analysis Center (MS-ISAC)


Guest Bio: Patrick Wright is Nebraska’s Chief Information Security and Privacy Officer, responsible for statewide cybersecurity initiatives, incident response, and compliance. With experience in both public and private sectors, he holds degrees in IT and public policy, and chairs multiple cybersecurity committees. He also serves on CIS’s Multi-State Information Sharing and Analysis Center Executive Committee (MS-ISAC).

Transcript

Frank Cilluffo

Welcome to CyberFocus from the McCrary Institute where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo and today have the privilege to sit down with Patrick Wright. Patrick is the Chief Information Security Officer and Chief

Privacy Officer for the state of Nebraska. He has served in multiple roles in both industry and government and also serves on the Executive Committee of the Multi-State ISAC, or Information Sharing and Analysis Center, and is here today to discuss the significance not only of cybersecurity, but also artificial intelligence and its role in state and local government. We've had many episodes talking about the national security implications, but really excited to get

down to where it touches the average citizen every day. And that's at the state and local, tribal and territorial focus. Patrick, really excited to sit down with you. Thank you for joining us. Thank you. It's a pleasure to be here and welcome to DC. Hopefully you came and it's pretty cold. We haven't had too much cold weather recently. But you know, it was this report out of the National Association of State Technology Directors. Nasty, I think, is the acronym. Is that fair? That is fair.

And did a great survey in terms of what state, state, local, tribal, territorial are doing around artificial intelligence. Do you want to maybe kick us off with some of the key findings and then we'll get into a discussion around cybersecurity? Sure. So when

Patrick Wright

we set out to do this survey, we wanted to really focus on how states are implementing AI, what they're looking at for AI, what they're looking for as far as use cases for AI and how that can benefit their constituents across their state

and impact their local communities. You know, looking at the AI landscape and really focusing on several areas like chatbots and where constituents are interacting with government services and really hoping to streamline that and create efficiencies throughout government services and streamlining processes so that customers can interact with agencies faster and have better outcomes. And when you think about

Frank Cilluffo

state and local governments, they face the same threat and risk that national agencies and entities do, but don't necessarily have all the resources. Is AI an opportunity to maybe leapfrog some of that? Obviously keeping guardrails and everything else into consideration here? Yeah, we

Patrick Wright

see a number of areas where we're leveraging cybersecurity and AI to bolster our defenses against the national and global threats that we face from the cyber threat landscape.

Frank Cilluffo

And when one of the findings I think was a majority did see AI's most significant role to enhance cybersecurity efforts. Is that the case? Yes. One of the major

Patrick Wright

findings that we found when we polled states and got the data back from the survey was that they're leveraging AI within cybersecurity, both to be a force multiplier for them and to be an augmentation to their existing staffs, but leveraging it for security orchestration, automated response, and automating playbooks in responding to incidents. And I mean, before we

Frank Cilluffo

can actually implement all these solutions, you do need a baseline. And that's why I think the survey itself is really important. It's bringing some actuarial data, it's bringing an evidence based approach. How do you cooperate with some of your colleagues across the great United States of America? So when really when we take surveys like this, we obviously

Patrick Wright

share this information out and we are collaborating across from cybersecurity perspectives, from not just security, but it's how other states are implementing it so that we can learn from each other, so that we don't necessarily fall into the same pitfalls as other states. Because we have, you know, a number of other states have. We're all serving the

same issues, we're all dealing with the same issues. And so we're trying to leverage those services, leverage AI, but do it in a way where we can all learn from each other so that we don't fall down and we can continue to push the AI forward and emerging technologies forward. Love it. My late dad, may he rest

Frank Cilluffo

in peace. One of his lines was, always make sure you learn from your mistakes, but even better to learn from the mistakes of others. Absolutely. And truth is, there is a whole lot of learning going on, especially with emerging technologies. I'd like to

sort of go into some of the cybersecurity considerations that you're seeing right now. And bottom line is, what are the greatest challenges you face in your role as Chief Information Security Officer for the great state of Nebraska, but also what your friend, your peers would also be dealing with at the state and local perspective? Sure, we deal

Patrick Wright

with a number of different things. When you look at the survey results, 35% of states say that they're only in a proof of concept stage for AI that can be from a constituent service delivery aspect, that can be from a cybersecurity aspect and what they're doing to leverage that. But a lot of the things that we face from a, whether it be challenges, roadblocks, you know, you have to look at how

does AI fit into the cybersecurity frameworks that we're implementing? How does it fit into the data privacy frameworks that we're trying to implement, how does it fit into regulation that are being passed within states? And when you think of cybersecurity and privacy, they

Frank Cilluffo

ideally are sides of the same coin. How are you pulling that together? So when

Patrick Wright

you, when we look at that, we look at. They really are. I call them cousins, you know, very. Some you love, some you, some you love, some you don't. They're very similar veins. So they kind of parallel each other. You get into auditing compliance is kind of the. In the same boat there where they parallel each other. But leveraging AI and emerging technologies to be that force multiplier to analyze data across

security platforms so that we can augment staff and streamline incident response procedures. Looking at it from a how do we analyze data faster and make decisions, security based decisions faster, incident response based decisions faster. Any use cases that come to mind from. We

Frank Cilluffo

always focus on the challenges, the impediments and the obstacles. But what about on the positive side of the coin? So we're seeing a lot of positive potential use cases

Patrick Wright

for AI and emerging technologies within the government landscape. We're seeing use cases for social services and where they're actually using decision based models to analyze applications for social services and make those decisions for granting eligibility for those services. One of the things that we recently had, you know, in Nebraska had a series of tornadoes this summer and emergency management was a. Played a key role in that, in dealing with those incidents.

So one of the potential use cases is how can we take data from an emergency management perspective, plug it into like an AI model and let's look at our resources, what's available, and look at our resource allocation and where potential gaps could be based on certain criteria and certain incidents. So does your office work with the emergency

Frank Cilluffo

management team in the state of Nebraska? We do. We work very closely with them.

Patrick Wright

Not only even closer now with the implementation of the SLCG grant program. So through that process, that has only bolstered our relationship with the emergency management because emergency management is the SAA, the grant administrator for the state of Nebraska. So we have a closer relationship because of that project. No, that's good to see because I mean, when

Frank Cilluffo

you look at the federal alphabet soup, you sort of have FEMA, you have CISA at the Department of Homeland Security, and clearly responding to natural disasters right now is front and center given this is a tough hurricane season. Absolutely. And anything you can share in terms of what you're learning from your brethren in the EMA environment and vice versa. You know, it's interesting in how they handle incidents and how they handle

Patrick Wright

planning. And we're taking some of that and incorporating that into some of our cyber incident plans. Interesting. So because you know, when you think about our cyber incident plans, we not only have cyber incident plans for the state of Nebraska as in the state government, but we also have cyber incident plans for potential incidents that would impact the constituents, whether it be starting to look at power grid issues or water systems.

I know that water systems are highly targeted lately. And so we're starting to build out plans for that. You know, how would we deal with a constituent impacting service outage such as power grid or water or any essential, any essential really critical infrastructure and dealing with that from a cyber perspective? You know, have you thought of maybe

Frank Cilluffo

having a unified cyber physical where you have a combined kind of approach? Because I mean, when you look at it, we tend to look at the world through our boxes and org charts. Bad guys don't, in fact they very intentionally exploit the seams in our defense. And I'm just curious. We talk physical, we talk cyber. I see them getting hard to delineate between the two. They're getting very hard to delineate where

Patrick Wright

you're starting to see more and more cyber attacks have physical impacts and physical implications.

Frank Cilluffo

Physically targeted attacks that have cyber impact as well, right? Absolutely. When you start talking

Patrick Wright

about targeting power grid, not only are you disrupting power supply generation for constituents across a state or region, but you're also impacting power for other critical infrastructure like healthcare and banking. Those have economic implications and health implications, but also dealing with the cyber elements of that. If you take out the power for data centers now, you're impacting the cyber element of those incidents and of those constituents. Absolutely. And from a public

Frank Cilluffo

health and safety perspective, that's obviously where I think roles such as yours, your emergency manager, the large PDs, are so essential to serve our citizens. I'd be curious what you think some of the biggest hurdles are to states adopting AI for some of these public services. Some of the roadblocks that you're going to find are obviously looking

Patrick Wright

at things like you're going to have budgetary roadblocks, you're going to have the perceived risk of AI as a roadblock. You're going to have the skilling of employees and staff. You know, do we have the necessary skill sets to implement AI technologies effectively and efficiently? Do we have the risk management in place for AI? When you start to look at AI, it's very, very data driven. And what is the privacy implications of that, what is our data governance look like? And I want to pull the

Frank Cilluffo

thread on that in a little bit. We will. Yeah, but so even if you

Patrick Wright

have the risk management in place, even if you have the appropriate skilling in place, budgetary constraints can still be a hindrance to that, you know. You know, we can have the people necessary to implement it, we can have the, the knowledge, the know how, we can have the risk management and the data governance and the guardrails in place, but if we don't have the budget to implement it, we still can't. And

Frank Cilluffo

the women and men who can take advantage of it as well. Absolutely. I mean, when we're looking at the cyber workforce challenges, it's monumental in the country and it's got to be even more challenging, I would think, at state and local in some ways, but also uniquely kind of cool if you know, you can actually help your citizen on a daily basis. But on the privacy, since you sort of teed that up a little bit, what does that look like? How does a decision making process

work? And I do want to pull the thread on the budgetary question as well. But before we go there, what would a privacy guardrail discussion look like when you're using new technology, especially AI? So one of the things that we're doing in Nebraska

Patrick Wright

right now is we're actually in the process of implementing what we call the Nebraska Information Technology Commission Standards and Guidelines. Okay. So we're actually in the process of passing a policy for AI utilization within state agencies. And there's actually a privacy section in there where we talk about the interaction with constituents in AI and being inclusive in disclosing where constituents are interacting with AI. I think it's important to be transparent in

that. Absolutely. And say, you know, hey, we're using your data in an AI model. You're interacting either whether it be an AI chatbot or whether we're plugging into, you know, we talked about the, the determining eligibility for social services if you implement AI and those types of models into those applications, you know, making sure that we're disclosing that to constituents to say, hey, we're going to use AI based modeling to determine

eligibility for services. And are you disclosing that currently? Currently we're not leveraging AI in that area. So that is a proof of concept that has come up. But we're not implementing that yet. But it's going to be part of the policy to disclose that, which I think is critical because technology's far outpacing policy in this respect. But

Frank Cilluffo

at the end of the day, trust is essential and you can have the best technology in the world and apply it so efficiently. But if you haven't prepped the battlefield or prepped the community for its use, it could actually have pretty negative effects. So I do hope that that is something that you all do think through in

terms of next steps. To pull the thread a little bit on the budgetary question, do you look at AI as a set aside technology issue or is it looking at the crosscut for everything agencies already do and how AI can make it more efficient? So I always sort of had an argument that we have all these new infrastructure spends. There should be a requirement on every new spend to have cybersecurity baked into that. I don't know what the magic number is. 12% is sort of one

that people turn to. But there are different and creative ways that maybe you can sort of turn the key on the budget. How are you looking at that? And how are most states, or at least Nebraska, which I know you would know. So

Patrick Wright

we're not necessarily looking at technology, particularly AI, from a standalone perspective. It's, it's more baked in. And how does the technology fit into the business processes that the agencies are trying to achieve and what their objectives are? You know, how, how are, say the Department of Transportation, how are they leveraging AI to increase their road efficiency, snowplow routes, things like that? Looking at, looking at things from that perspective. So really baking

the technology into the business processes and being a business enabler. And one of the.

Frank Cilluffo

I think that is the smart way to look at it. But one of the challenges is it's going to be contingent upon each leader and each one of those. Absolutely. To A have the confidence to lean forward and B, just recognize the value it could bring. Yes, it can bring its own set of challenges in that when

Patrick Wright

it comes to financing and their objectives with the technology, those are going to vary from agency to agency and business process to business process. Awesome. Yeah. And regulatory concerns,

Frank Cilluffo

is that something that factors in? I'm sure it does in the state House, but from a use perspective as well. Yeah. We're always looking at the regulatory implications of

Patrick Wright

adopting new technology and what that's going to mean for regulations in the state, whether it be from a state law perspective, whether it be from a constituent impact perspective, always keeping those at the forefront and being cognizant of that. And before something

Frank Cilluffo

is fielded, applied and used. I think. What about AI models from a testing perspective? Is that, is that something that you've started thinking through or some of your colleagues have. Yeah. So from the survey results, about 35% of states are saying that they're

Patrick Wright

only in a proof of concept stage. They're not actively implementing AI into production yet, which is I think relatively a conservative model. Because when you look at it, states tend to be. State governments tend to be rather risk averse. We're not going to just throw new technology out there and see what sticks. How about the MS-ISAC?

Frank Cilluffo

And I think it has done yeoman's work in supporting our women and men on the front lines dealing with a lot of these issues. Has AI factored into some of the thinking from that organization as well? Absolutely. You know, the MS-ISAC serves

Patrick Wright

17,000 SLTT communities across the nation. At some of our recent meetings, you know, AI is definitely a topic that continues to come up and how states are going to leverage it and how we're going to secure it and what that means from security implications for state government and the broader SLTT. And I think their role from a

Frank Cilluffo

cybersecurity standpoint has been essential. And I think the more that they can lean forward on some of these issues along with organizations such as the National Association of State Technology Directors is a good thing. Sure. And just being able to collaborate and learn and sometimes just ask the hard questions because it's not easy. If these were easy solutions, I don't think we'd have to have Cyber Focus wouldn't exist. The reality is

we'd just do it. But the truth is we don't know exactly what we need to do yet other than start learning. And I'm wondering if you've sort of initiated a learning model not necessarily just around AI, but cyber more generally from a state perspective. Yeah. One of the things that we're doing is we're taking a very proactive

Patrick Wright

approach to it. And NASTD and MS-ISAC play a role in that, in distributing that information and that knowledge and just ensuring that awareness is out there. But having those collaborative partnerships across, whether it be NASTD, MS-ISAC throughout the SLTT communities is imperative to share that knowledge and being proactive in not only what we're doing from a cybersecurity awareness perspective, but from an emerging technology perspective, from a policy perspective, from

a best practices perspective. There's so many facets to it and implications that it can have that we have to ensure that that knowledge is being shared and that comes down to strategic partnership. And can you shed a little bit of light on what

Frank Cilluffo

your partnerships look like with the private sector inside Nebraska? Yeah. So we've got some

Patrick Wright

great strategic partnerships that we leverage throughout the state of Nebraska. Obviously we have a number of security vendors that we do business with. We have private partnership across the county and local communities that we do business with to ensure that we're getting the awareness out there, ensuring that we're spreading the word about cybersecurity and what's available to them for resources and learning those best practices. So leveraging those public private partnerships is

absolutely strategic to the success of the cybersecurity mission in Nebraska. And how about your

Frank Cilluffo

cooperative relationships with some of the D.C. agencies, whether it's FBI or whether it's NSA or whether it's CISA or anyone else for that matter? Yeah, those partnerships have been

Patrick Wright

immensely valuable as we start to move best practices information up and down the chain, whether that be the state interacting with the federal level and the in the three letter agencies here in D.C. or passing that information down that we discover from a state level to a more local, county, local level. That's important that we keep those lines of communication open and having those strategic partnerships to be able to improve the

broader cybersecurity landscape. So net net, you're getting value out of those relationships? We are. I think Nebraska's seen a lot of value out of those relationships and we've spent a lot of time trying to foster those relationships and those partners within discussions that we're having to ensure that that information is being passed along and that both up and down the chain. Awesome. And forgive my naivete, but sort of under the Title

Frank Cilluffo

32 statute, I mean Nebraska's home to a number strategic command and a number of very significant military capabilities. But is Nebraska working with the National Guard at least in its Title 32 statute under State or what does that look like? Yeah, the state

Patrick Wright

of Nebraska has a very close relationship with the Guard in Nebraska. So we actually partner with the Guard to put on a red team, blue team cyber exercise each year called Cyber Tatanka. It's actually a two week exercise that is the first exercise of its kind that actually brings together military, civilian, critical infrastructure and government partners to

train together on an unclassified range. And it's your range, or? We have a cloud partner that we bring in to facilitate the range, but it's federal, state, local, county governments, local all the way down to local municipalities participating side by side with military operators and critical infrastructure, health care, banking, all of those critical infrastructure areas to train side by side and share best practices and information. Well, that's great to see because

Frank Cilluffo

when we lean forward that could have consequences for some of our partners at state and local. So having that ability to at least make the mistakes on the practice field, not Main Street USA when it matters, is a pretty big deal. Well, you

Patrick Wright

know, we don't want those cyber operators the first time that they're seeing something to be in a production environment. We want to see them learn from this test environment and see these attacks. We follow the crawl, walk, run mentality so that as the exercise progresses on the attacks get more difficult to identify. And so that we, we teach them and walk them through that attack model so that they learn. So just

Frank Cilluffo

back to some of the disaster response and emergency management functions. I do think that area is ripe with opportunity where AI can clearly, just because you're dealing at scale of moving food, people, material, equipment, whatever it may be at sort of rapid stages. Where have you seen AI play into that? And do you have any use case examples beyond sort of chatbots and the like. But maybe there are some really good ones on the chat. How it's being applied now? I think from a government

Patrick Wright

perspective when it comes to AI, we cannot just stop at chatbots. Governments have a plethora of data. I mean data is ubiquitous in government, but how are we leveraging that to achieve better outcomes? And I think AI and emerging technologies as they continue to advance are going to continue to play a significant role in that and in the strategic outcomes for agencies and interacting with constituents. Because I would think from a

Frank Cilluffo

resourcing perspective in particular, it'll bring some science to what those direct asks are. And sometimes you don't need three that look identical types of toys. And I'm not doing that, I'm not suggesting Nebraska does that. But the reality is it can get to a place where you can bring evidence, data and science to what these budget requests are, right? Yeah, absolutely. I think. Which could be scary to some because it threatens

potential. It can be scary to some, but what you're going to find is you're

Patrick Wright

going to have better data driven decision making is what you're really going to get. And when you talk about the EMA aspects of it, when you're dealing with food distribution, water distribution, it's all about resource allocation and having data to understand where our

potential pitfalls are, are important so that we can avoid those. And being able to plug that into something like an AI model and say based on this criteria, if we see this type of storm, here's our current resources availability, where are our shortfalls going to be based on if we have a storm on the eastern part of the state or the western part of the state or. And that can vary from storm type, whether it's tornadoes or snow. What does our resource allocation look like and

what are our shortfalls going to be? And distribution. I mean, distribution from a logistics

Frank Cilluffo

perspective. Exactly. There's an old saying in Marine Corps Hoorah that amateurs talk strategy, professionals logistics, and logistics do over and over and over and over make or break. How one responds to or even from planning perspective operationally is so important. And any thoughts there? Because I mean, it's also drawing on resources that maybe the government doesn't own, but can work with partners to be able to bring to the fight.

Patrick Wright

Yeah, absolutely. So at my level you get a number of a lot of conversations that are strategic in nature and how are we dealing with things strategically. But you're absolutely right. And it's logistics is where the rubber meets the road and how do we get, whether it be water in an emergency situation, food in emergency situation, generators to where they're absolutely needed, boots on the ground. The same thing applies in the

cyber world. You know, we can talk about cybersecurity from a strategic perspective all day long and we can talk about policy, but where it the rubber meets the road is in providing the critical capabilities for cyber down to the SLTT level and. Down

Frank Cilluffo

to the citizens. And having those incident response resources and capabilities to responding to incidents

Patrick Wright

is really the logistics part of that from a cyber perspective. And I sometimes feel

Frank Cilluffo

like we become so efficient to a fault that if, if the model doesn't work, it can also have catastrophic, just in time inventories and the like. And then you have something like Covid, which really brought to light some of the supply chain challenges with some of our international friends and not so friends and what those implications are. So I think the only way you start looking at that is if you do it though, right. And if you start working with entities. So at least you're not

exchanging business cards when that bad day happens. That is, that is one of the

Patrick Wright

things that I say quite often is the middle of an incident is not the time to be exchanging business cards. You should already have those relationships established. You should know who you're going to call in a cyber incident. Are you going to call

the FBI? Are you going to call my office? From a state CISO perspective, you know, a lot of the state CISOs, some of the SLTT communities, don't necessarily want to report those things up the chain, but it's important because the higher you go, the more resources that are available. You know, we have toolkits that we can offer. We have resources available, you know, in the SLT community that they can leverage in a cyber incident. Now, this may be a very simple question, but who should, if

Frank Cilluffo

a citizen in Omaha is impacted, say? It's not an enterprise or corporate, as far as they know, but often it starts with individual. And then you see it broader. Who should they call? So they should. They should call their local law enforcement. I

Patrick Wright

mean, start there. And if they don't have resources to address the issue or. And start moving up that chain, you know, report it to the IC3 with the FBI if there's financial impact involved. So starting with that local level, particularly for an individual, start with that local level and work their way up. Patrick, what questions didn't I

Frank Cilluffo

ask that I should have? I think we pretty much covered it. I mean, we

Patrick Wright

covered a broad range of topics today, everything from AI to science. I've never had

Frank Cilluffo

an unspoken thought, so sorry if we jumped into too many. No, absolutely not. It

Patrick Wright

was great conversation. Well, Patrick, thank you for what you do for the great state

Frank Cilluffo

of Nebraska, for being a leader that will inspire others to take up the good fight, and for keeping our community safe. So thank you. Thank you. Thank you for joining us for this episode of Cyberfocus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you'd like for us to host. Until next time, stay safe, stay informed, and stay curious.

Transcript source: Provided by creator in RSS feed: download file