After watching major cities like Atlanta and Baltimore suffer massive and expensive data breaches in recent years, Virginia decided to take action to avoid being next on the hit list.
Nationwide, cities are struggling with how to handle ransomware attacks that put citizens' privacy and security, and the local economy, at risk. While it's too late for some jurisdictions, Virginia is trying to learn from these attacks and develop a framework to protect data across its cities and communities.
Through the framework, the commonwealth hopes that it can make data sharing more efficient and drive the national discussion about data ownership before a breach.
Taking a holistic approach to data protection
When Virginia won the Smart Cities Council "Readiness" Challenge in 2018, one of its main goals was to set out a cybersecurity and privacy plan. Shortly after the win, the commonwealth hired its first chief data officer (CDO), Carlos Rivero, to create a data governance policy, with the help of the Council and Virginia's Center for Innovative Technology (CIT).
"Virginia started out with a very positive ambition which was to get ahead of the curve in terms of data sharing," said Philip Bane, CEO of the Smart Cities Council. "But they are conscious, just like every other jurisdiction is, that there's a huge underbelly."
Virginia licensed the Council's Smart Cities Activator platform to start the assessment process. Now, Rivero is conducting surveys of cities and counties across the state to assess the current landscape of data governance and prepare for a statewide policy.
"The first part of the program is data discovery," said Bane. "It's the proverbial 'how do you herd the cats.' How do you get everyone on the same sheet of music?"
Two separate surveys, one for agencies and one for communities, will reach anyone collecting data on behalf of the commonwealth or a locality, including the state’s 63 executive branch agencies, 25 state-funded universities and over 130 Virginia communities.
The state hopes to finish assessment by Q4 2019, and will most likely have a working policy within two years, according to David Ihrie, chief technology officer of the CIT.
"It’s the proverbial 'how do you herd the cats.' How do you get everyone on the same sheet of music?"
CEO, Smart Cities Council
While other Readiness Challenge winners were individual cities, Virginia is taking on the issue of data governance as an entire state for two reasons: safety and efficiency. The surveys are a way for the commonwealth to take stock of its informational and financial resources to find strengths and weaknesses, and to determine who needs a seat at the table when determining the policy.
When states share data across city and county lines, the whole network is in danger if even one agency or department is affected by a cyberattack. Jurisdictions that don't have enough resources to handle big data may put those with strong cybersecurity departments and frameworks at risk.
As data breaches and hackers become more common, cities are suiting up to battle the issue. A report from cybersecurity firm Recorded Future shows cybersecurity attacks have been ramping up since 2016, with 58 in 2018 and already more than 21 attacks this year.
"It's the least protected city or county agency that's gonna make the whole network vulnerable," said Bane. "Now that we're all connected digitally we're as weak as the weakest link."
Looking beyond security
It's not only safety that Virginia hopes to tackle with its policy. A statewide framework can combine resources and budgets to be more efficient. Smaller cities may not have the same cybersecurity expertise as larger cities, but Virginia hopes that creating a framework will address the needs of a wide variety of jurisdictions.
"Can we do it in a way that will make it much easier for small- and medium-sized communities not to have to reinvent all that stuff, but just plug into a state digital infrastructure, where they can then start immediately addressing the priorities in their local communities?" Ihrie said.
Setting up statewide data infrastructure can also streamline any future data sharing, so it's easy to rapidly adopt new strategies and even create revenue. At a time when the public is becoming wary of giving their data to private companies, it's important to have a set of regulations in place before big opportunities to share data for the public benefit.
"I think we are in a great position to cherry-pick the best of those, and quickly adopt them across the state, if that digital infrastructure is in place," he said.
Creating a statewide policy can also drive a nationwide conversation about data ownership. The public is increasingly concerned about giving private companies access to their data, and startups and larger tech companies are beginning to think about data governance laws of their own, to avoid hefty fines and garner public support.
Toronto's partnership with the Alphabet-owned Sidewalk Labs raised public concern and doubt over data ownership for the proposed smart city on Toronto's waterfront. Backlash over data collection methods, like gobs of sensors on the streets, gave residents pause and has started a larger conversation.
Virginia wants to be part of the growing discussion. "We ought to take a stand on that," Ihrie said. "There's private industry that would like access to a lot of that info, and can commercialize that data, so how do you do that in an equitable way?"
The state hopes to one day have a policy that can fall outside of legislative lines into an entire geographic region, like the area's "DMV" (District, Maryland, Virginia) region. CIT is in talks with the Greater Washington Board of Trade to one day be part of a framework that crosses state boundaries.
"There’s private industry that would like access to a lot of that info, and can commercialize that data, so how do you do that in an equitable way?"
CTO, Virginia's Center for Innovative Technology
"We are actively talking with them to see if there are ways we can collaborate that will synchronize what we are doing with what they are doing, not necessarily identical but at least compatible types of approaches," Ihrie said.
While Ihrie hopes that the development of the policy can move quickly, Virginia is keeping busy in the meantime by adopting the NIST Cybersecurity Framework, implemented by the state IT agency VITA.
The cybersecurity capabilities aren't available to all smaller localities. "It is not quite as easy as it sounds," Ihrie said. The state is currently investing in cybersecurity workforce training programs, as well as private cybersecurity companies through a business accelerator.
Broad data governance is a process, Bane said. "In Virginia they need to figure out what they need from the ground up."