North Dakota turns to AI to boost effectiveness and efficiency of its cybersecurity

The recent proliferation of tools that employ artificial intelligence (AI) or machine learning (ML) to perform human-like tasks has sparked a great deal of interest in the cybersecurity community. And they’ve prompted some very hard questions about the future, not the least of which is whether ChatGPT, BardAI, Bing AI, and the dozens of other “AI” applications and tools already in use represent a threat or boon to security operations.

The State of North Dakota is betting on boon. The Upper Midwest US state, located smack in the middle of the country just below the border with Canada, is already using AI to help it deal with cyber threats in a more efficient, cost-effective manner. At the same time, AI is also being used to improve the workdays of the state’s cybersecurity personnel by relieving them of the most tedious and time-consuming tasks, Michael Gregg, North Dakota’s chief information security officer, tells CSO.

State of North Dakota

Gregg became the state’s CISO in November 2021, having served as interim CISO and director of North Dakota’s cyber operations before that. He is responsible for North Dakota Information Technology (NDIT), the department that by law is responsible for all state and municipal government cybersecurity, from cities down to the smallest counties and townships.

“Last year, our cybersecurity team dealt with about 50,000 incidents,” Gregg says. “Probably about half of these were related to phishing. Historically, a lot of my analysts’ time has been tied up working on phishing incidents. Now, this may be okay for some CISOs, but I’d really rather have my analysts doing more enriching work,” he says. “I’d rather them be working on higher priority stuff and I’d rather be varying their duties so that they have a chance to grow and expand their skillsets — so hopefully I can keep them a little longer.”

How AI came to ND

To bring AI and machine learning (ML) into its cybersecurity operations, NDIT partnered with cybersecurity technology vendor Palo Alto Networks. The company and the state worked together to build a next-generation autonomous security operations center (SOC) to handle all of NDIT’s cyber protection and response duties.

These duties, which required the protection of 250,000 endpoints — “every school, county government and city police station in the state,” Gregg says — include guarding its users against the theft, damage, or destruction of their data; the disruption of their networks; unplanned downtime due to ransomware and other cyberattacks; and harm to public reputations, which is no small matter in the age of social media.

The goals of the project were a wide-ranging laundry list: NDIT set out to establish key priorities that included building resilient security capabilities, detecting and defending against current and future threats, raising security awareness, buttressing endpoint protection, improving risk management, vulnerability analysis, and management, and training for continuous improvements. North Dakota’s IT leadership had also identified the need for enhanced cyber awareness, data sharing, and cyber skills development, and wanted to respond to stakeholders’ requests for dashboards that would provide insights into their respective vulnerabilities and environments.

Employing AI and ML freed up staff resources

To achieve these goals, NDIT and Palo Alto relied heavily on AI and ML, using both to automate the resolution of current low-level and less-threatening security incidents, resolve thousands of backlogged security incidents, and develop proactive tools to anticipate and address emerging cyber threats. The success of these tactics also had to be provable, by comparing NDIT SOC’s incident resolution results before and after the enhancements were implemented.

“As far as I know, NDIT is the first state agency in the nation to roll out AI/ML to enhance cybersecurity,” Gregg says. “We use it to go through our phishing emails, having allowed the AI/ML system to ‘learn’ how to detect the traits of phishing attacks and validate its results before deployment. Today, our AI/ML can handle a large amount of these phishing incidents and auto-close them.”

The automation frees NDIT analysts to perform cyberattack forensics, malware analysis, threat hunting, red-teaming training exercises to help staff to deal with actual cyberattacks, and other duties that they didn’t have the time to do before, Gregg says. He believes that from a big-picture perspective, adopting AI- and ML-based technology has allowed the NDIT to move from passive to active cyber defense.

“When I started as CISO, we were very much in a responsive mode with probably 1,000 tickets backlogged in an incident response queue,” says Gregg. “Now we’re being proactive using Palo Alto Networks’ AI/ML tools such as Cortex XSOAR, and Cortex XDR.”

Joining StateRAMP has increased security depth

In addition to implementing AI/ML-enhanced cyber threat management with Palo Alto Networks, NDIT has also deployed third-party risk management policies to reduce its vulnerability from this threat vector. It has achieved this by joining StateRAMP, the nonprofit organization that helps US state and local governments verify the cybersecurity readiness of third-party vendors who sell cloud technology solutions.

StateRAMP is based on a framework created by the National Institute of Standards and Technology. It’s similar to the FedRAMP system and uses a “complete once, use many” approach. This means that service providers only need to complete the assessment process once and can then use that information for multiple government agencies, saving time and money. Just like FedRAMP, StateRAMP uses third-party assessment organizations that are authorized by FedRAMP to conduct assessments.

“My goal has been for my team to get everything in place for us to join StateRAMP, which we have done,” Gregg says. “And that’s been a big thing for us because I believe there are 17 states that have joined StateRAMP. As well, we’ve already had about 40 vendors that are fully vetted through StateRAMP and about another 40 that are pending. The biggest advantage for us is that StateRAMP offers continuous monitoring of cloud service providers. So, if any of them suffer a security breach, we get flagged on it right away and can respond quickly to protect our users and network. This matters, because if you look at a lot of the big cybersecurity events that’s happened over the last few years — SolarWinds and others — the network intrusions have come from third-party vendors or supply chains.”

Next step: improved data governance

Having made this much cybersecurity progress, Gregg has plans to further strengthen NDIT’s security posture. “Where we go next is to continue on this journey to better data governance,” he says. “We’re now working with NDIT’s Data Division to really define what data governance means, to put out a plan and program to secure all the information that the state houses and the state itself have. So, data classification, data governance, that whole piece is what we’re going to really try to tackle next.”

How much NDIT can achieve in terms of effective data governance depends on how much money the state legislature allocates to this project. Mindful that this could go in any direction, NDIT has developed data governance plans that can work “if we get very little funding, we get maybe half of our funding, or we get all of our funding,” says Gregg. “Based on any one of those models, we’ll be set to go forward and continue this data governance journey because I think it’s a key one for the state to be on.”

In the meantime, Gregg continues to advance the effectiveness and efficiency of cybersecurity at all levels of the North Dakota government, guided by one simple insight: “Nothing good is ever easy in life,” he tells CSO. “Everything worthwhile takes effort.”