If a hacker attacks a city, county or local school, a lot of things can go wrong. Residents might lose access to water or power, or the police may not be able to communicate. Officials might not be able to process important government documents, like paychecks or marriage licenses.
To prevent this type of scenario, the Indiana Office of Technology has partnered with Indiana University Center for Applied Cybersecurity Research and Purdue University’s cyberTAP to provide cybersecurity assessments for local governments. Called Cybertrack, the partnership has been underway since September 2022. It is expected to complete more than 300 assessments by 2026.
“Local governments provide all kinds of services to the public, but it’s likely that many of them are at risk and unprepared to handle cybersecurity incidents,” said Craig Jackson, the Center for Applied Cybersecurity Research’s deputy director. “When attacks do happen, things can unfold very quickly, get very complicated, and implicate a lot of different people and technologies. Like all organizations, local governments need help with cybersecurity.”
The goal of Cybertrack is to reduce the chances of cyberattacks happening in the first place, Jackson said.
“Local governments in Indiana have suffered attacks,” he said. “It’s a real problem, and they need help figuring out how to prioritize what’s most important. We help them figure out what they can do that will matter the most.”
Jackson is part of a five-person team that manages Cybertrack. During the first year, Cybertrack developed a unique, robust assessment methodology that has attracted attention from the Cybersecurity and Infrastructure Security Agency and colleagues at Naval Surface Warfare Center, Crane Division, Jackson said.
“That’s because it’s not just a firehose of recommendations, which is often the case with cybersecurity guidance; Cybertrack’s methodology focuses on actions that our research has shown will make a difference right away,” he said.
Cybertrack uses a framework developed by Trusted CI, the NSF Cybersecurity Center of Excellence, a team of cybersecurity experts from several universities, including IU. Jackson, also a member of Trusted CI, was the primary architect of the Trusted CI Framework, which has now been adopted by Indiana as part of its standard for local government cybersecurity.
Joining Jackson on the Joint Management Team is Ranson Ricks, a senior project manager at the Center for Applied Cybersecurity Research, and three collaborators from Purdue. Cybertrack also has five two-person assessment teams, each with an expert from Purdue and IU.
“The partnership with IU CACR has been exciting for many reasons,” said Joe Beckman, assistant director at cyberTAP. “In terms of impact, and what local government really needs, IU’s expertise in cybersecurity strategy and program-building has been huge. The Trusted CI Framework is providing a much-needed piece of the puzzle in terms of cybersecurity governance, resourcing and structure.”
The team started with three pilot assessments in Kosciusko County, Tippecanoe County and the City of Warsaw.
“They do a good job of pointing out areas of improvement without making you feel bad,” said Eric Sorensen, Kosciusko County systems administrator. “They also focus on the positive things your organization is doing. Our Cybertrack experience has led to us being able to push some positive initiatives in Kosciusko County.”
Based on feedback from the pilots, the team revised processes and tools and then started assessments with the second pilot group: Franklin County, Grant County, Greendale and Veedersburg. The pilot process was completed by August, and the team started scheduling local government entities for assessment.
As of this month, 85 Indiana entities have expressed interest, including 16 counties, 21 cities, 17 towns, 16 school districts and six libraries. The teams expect to complete 24 assessments by the end of November. IU students will participate in the project, working alongside university cybersecurity professionals, starting next year.
The work of the Cybertrack program aligns with all three pillars of the IU 2030 Strategic Plan: Student Success and Opportunity, Transformative Research and Creativity, and Service to Our State and Beyond.
“Serving our society is central to CACR,” he said. “Everything we do has a solid evidentiary foundation. We are sharing our research with other states and the federal government, so the impact of Cybertrack extends beyond Indiana. We are having a real-world impact, and it’s exciting for everyone involved.”