States grapple with cyber security challenges as threats escalatePosted On: May. 19, 2013 12:00 AM CST
States are struggling with many of the same challenges that face their business counterparts in the private sector when it comes to cyber security. The risks associated with cyber security are illustrated by a situation that occurred in South Carolina, which announced in October 2012 that about 3.6 million Social Security numbers and 387,000 credit and debit card numbers were exposed in a cyber attack. State officials also later revealed that some companies' business identification numbers had been stored in the database that was breached.
States “have been pretty remarkable” in light of the challenges they face, but South Carolina's experience “is evidence that there are significant problems,” said Doug Robinson, executive director of the Lexington, Ky.-based National Association of State Chief Information Officers.
Theresa Masse, Oregon's chief information security officer, said compared with the private sector, “we have a lot more information out there,” which “makes it easier for the bad guys to get information” and then “more quickly and easily target people.”
Furthermore, states have experienced significant budget cuts during the past few years, leaving them with fewer resources than in the past, Ms. Masse said.
There is a spectrum, said William Pelgrin, president and CEO of the East Greenbush, N.Y.-based Center for Internet Security, which operates the Multi-State Information Sharing & Analysis Center.
“There are many states and local governments that are as sophisticated as many of the large, private-sector companies, and there are others that are really more at the beginning stages of that development,'' Mr. Pelgrin said. “So what you've got is a very diversified environment out there relative to our preparedness.”
According to a survey by the state chief information officers association released in October, while 92% of state officials think cyber security is very important to the state, only 24% are very confident in how they are protecting state assets against external threats.
Mr. Robinson said, “The reality is, there are a number of challenges states are facing, including growing information technology security risks, foreign nation state cyber espionage and cyber hacking.” Probably the fastest-growing and most problematic issue is criminal hacking, which was the case in South Carolina, he said.
States are “inherently open, unlike other organizations” to their citizens, “so that can be problematic,” Mr. Robinson said.
The problems faced by the states are very similar to those faced in the private sector, Mr. Pelgrin said. “The actors may change a little bit, but the consequences and the targets are very similar,” he said. While governments are doing much to address the issue, “we still have a long way to go,” he said.
The state chief information officers association report — which was issued with New York-based Deloitte L.L.P. and based on a survey of 48 states and two territories' chief information security officers — focuses on four key areas: insufficient funding for cyber security; the fact that many chief information security officers operate in a highly distributed model with little direct authority; the wealth of personally identifiable information held by the states; and an “endless” stream of new cyber security regulatory requirements.
Efforts to address the technological threats facing the states include the Washington-based National Governors Association's creation of the Resource Center for State Cybersecurity, led by Maryland Gov. Martin O'Malley and Michigan Gov. Rick Snyder.
“The overall goal of the resource center is to help governors create the most robust policy environment possible to protect our infrastructure, our government and our citizens from cyber threats and data breaches,” Gov. O'Malley said in a statement when the center was launched in October. “This project is a significant step because it marks the first major focus on the role of states in protecting cyber security infrastructure.”
The state chief information officers group is working closely with the state cyber security resource center, Mr. Robinson said.
The nonprofit Center for Internet Security, established in 2000 to help organizations improve their cyber security and compliance positions, has “very strong partnerships with the Department of Homeland Security,” Mr. Pelgrin said, and the center's Multi-State Information Sharing and Analysis Center has been designated by the department as a central resource to help state and local governments improve their cyber security.
The center also has a trusted purchasing alliance, which leverages state and local governments' purchasing power to lower prices for cyber security efforts. This enables them to introduce measures such as encryption easily and “in a very cost-effective way,” Mr. Pelgrin said.
John Stephenson, director of communications and technology at the Washington-based American Legislative Exchange Council, said his organization also is “looking at public-private partnerships as one of the best solutions to the issue of cyber security.”