BreachExchange mailing list archives

Are States Slacking on Cybersecurity?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 6 Nov 2015 11:58:49 -0700

http://www.govtech.com/security/Are-States-Slacking-on-Cybersecurity.html

Hackers in the past year have broken into computer systems at the White
House, the State Department, the Pentagon, the Internal Revenue Service and
the Office of Personnel Management. The carnage doesn’t stop at the federal
level, either. Both South Carolina and Utah were victims in 2012 of major
data breaches that compromised personal data stored on government
computers. But if you think that these increasingly frequent and expensive
breaches, hacks and data leaks have led to the public sector being more
prepared, you would be wrong. Public-sector technology is more vulnerable
than ever.

At least that’s the word from an August report released by the California
state auditor that has state CIOs nationwide taking note. The report
revealed that California’s cybersecurity efforts are riddled with so many
problems that information could be badly compromised in the event of a
cyberattack. It criticized the state technology department for failing to
make sure that other state agencies are complying with information security
standards. The auditor found 73 out of 77 agencies surveyed were not in
compliance.

Even a recently developed state pilot program to beef up cybersecurity
compliance was blasted. The report said the pace of the program was so slow
that it would take roughly 20 years to review the security standards of
every agency. Part of the problem is the self-certification process, which
lacked enforcement and was found to be confusing due to unclear
requirements. For example, 41 agencies reported to the IT department their
security standards were certified, yet when the auditor did a more thorough
check, it found only four agencies were actually compliant.

Because of how self-certification worked, the IT department was unaware of
vulnerabilities in 37 agencies.

To remedy the situation, the auditor recommended that the state legislature
enact statutory changes that would mandate that its technology department
undertake a more rigorous security assessment of the state’s information
assets and shore up funding for cybersecurity. The state IT department has
agreed with the auditor’s report and pledged to increase oversight.
Meanwhile, legislation has been introduced requiring the IT department to
conduct security assessments of all state agencies at least once every two
years. But the state Department of Finance has warned that such a
requirement would be costly, an argument that has stymied expansion of
cybersecurity programs in other states as well.

Mark Weatherford, a former chief information security officer in both
federal and state government and now a principal with the Chertoff Group, a
firm that specializes in information security, says CIOs in many states
have been requesting more cybersecurity funding for years to no avail.

“Lawmakers don’t want to spend money on something that is invisible; they
can’t visualize the damage, so they won’t fund what’s required,” he says.

In a 2014 study of the cybersecurity problem, the National Association of
State Chief Information Officers reported a small uptick in security
spending at the state level, thanks in part to the slowly improving budget
situation. But the report went on to say “budgets are still not sufficient
to fully implement effective cybersecurity programs.”

Funding, of course, is not the only remedy. The decentralized way that
technology is managed, especially at the state level where individual
agencies are often responsible for running their own computer systems, is
also a problem. State and local governments instead need to have just one
agency handling technology and, thus, security. A centralized cybersecurity
strategy, says Weatherford, is far more effective than multiple ones
managed by individual agencies.

However, there are a couple of hurdles states and localities will first
have to overcome before they can implement any of these changes. The
biggest is that many of today’s hackers are sophisticated, state-run
organizations based in autocratic regimes such as China, North Korea and
Russia. “Government agencies are being outmatched when it comes to fighting
the bad guys,” says Weatherford. “State governments simply don’t have the
skills and resources to combat them.”

But before we can even begin to confront that problem, we have to get over
our own inertia. Changing the status quo in state and local government
isn’t easy. Despite the growing list of data breaches in government, the
problem remains largely off the radar for many public officials. “Lawmakers
need to see that this is a critical issue, which they need to embrace,”
says Weatherford. “This is not an IT problem, it’s a leadership problem.”