What's the Likely Future of Cybersecurity in the States?

During a keynote session at their annual conference this week in Orlando, the National Association of State CIOs (NASCIO) released their biennial survey results on state cybersecurity. While the overall report trends (compared with the previous three surveys) seemed encouraging, many attendees asked me if the real situation was as positive as the data seemed to imply. Let’s explore the state CISO survey answers and the rest of the story.

by / September 25, 2016
NASCIO Annual Conference 2016 - Cybersecurity Study Panel photo credit: Dan Lohrmann

In the same week when Yahoo announced one of the biggest data breaches of all time — that actually occurred two years ago but was just discovered this summer. ...  

And the White House announced a data breach that included a scan of First Lady Michelle Obama’s passport. ... (Note: this second most talked about data breach story led the CBS Evening News at a time when violent protests occurred in Charlotte, N.C.)

And in a week where the majority of state government technology grades from the Center for Digital Government (CDG) improved over two years ago. ...

And in a week where the Federal CIO Survey from the Professional Services Council (PSC), which now includes federal CISOs answering questions, released their survey results calling-out big increases in cyberattacks against the federal government over the past year. ...

The 2016 Deloitte-NASCIO Cybersecurity Study was released.

Here are some of the key themes from the report’s executive summary:

  • Governor-level awareness is on the rise. 
  • Cybersecurity is becoming part of the fabric of government operations.
  • A formal strategy and better communications lead to greater command of resources.
  • There is a need to rethink talent strategies

Another highlight included the general need for more cyberfunding, roughly in line with a slight growth from previous cybersecurity reports and the spending levels recorded in 2010, 2012 and 2014. You can read about my coverage of the 2014 NASCIO cybersecurity report that was released in Nashville, Tenn., here. Note: the coverage of that 2014 report was much wider, including National Cyber Security Alliance (NCSA) livestream coverage and a speech by Michael Daniel, special assistant to the president and cyber security coordinator.

Coverage of the 2016 NASCIO Cybersecurity survey did include these quotes highlighted by many media outlets:

"There continues to be challenges with proper funding and finding qualified talent, but the good news is that we are seeing positive indications that state CISOs and CIOs are having an impact as communication and collaboration among government is increasing," said Darryl Ackley, NASCIO president and cabinet secretary and CIO for the New Mexico Department of Information Technology.

"The survey results spell out a clear message for CISOs: State leaders are paying attention. Take advantage of this focus to make substantial progress," said Srini Subramanian, principal, Deloitte & Touche LLP, and state government cyber risk services leader. "Those CISOs who are able to harness this attention and build stronger relationships with business executives and state legislators have an opportunity to garner more resources and support for their initiatives."

Subramanian continued, "For the first time, all respondents report having an enterprise-level CISO position. The CISO role itself has become more consistent in terms of functions and responsibilities. CISOs are also focusing their energies more on what they can control."

Press Analysis of the NASCIO Report on Cybersituation in the States

An excellent Stateline article by Jenni Bergal focused on the fact that state computers are increasingly under attack by cybercriminals. Here are a few excerpts from that article:

“State information technology officials have strengthened their defenses against hackers and cybercriminals who attack their computer networks millions of times a day, but admit they’re not fully prepared for increasingly complex threats that could expose the personal information of their residents. ...

Last week, Oregon Democratic Gov. Kate Brown ordered state agencies to overhaul their cybersecurity systems, which she called “antiquated” and vulnerable to attacks. ...”

The Stateline article went on to rightly focus on the big cybersecurity issue currently on everyone’s mind the upcoming general election in November.

“The association noted that it would be “highly improbable” for the national election to be hacked because of the decentralized process in which each state and local government conducts its own system of voting.”

Government Technology magazine ran this story, which focused on interviews regarding cybersecurity plans with the CIOs in Minnesota and Florida.

This NASCIO Conference Day 2 highlight article highlighted several quotes from state leaders from the NASCIO keynote session:

Washington state CISO Agnes Kirk: “We realized our legislators have to make policy and funding decisions about vast topics. Everybody has a need and at varying degrees. I just hope legislators understand that if you don’t invest in cybersecurity up front, you'll invest on the back end."  

Indiana CISO Tad Stahl: “When we established our funds, we put together a strategy [about] what we needed to do to address the most significant risks at the time. Largely for us, the strategy has stayed the same while tactics have changed.” 

Connecticut CIO Mark Raymond: “We don’t have a strategy in Connecticut. Nobody wants to give you money when you have problems. They want to give you money when you have a strategy to fix the problems.”  

Digging Deeper: My NASCIO Cybersecurity Study Analysis and Future Look

I want to start by underlining how important this cybersecurity study is every two years. It provides perhaps the best snapshot that we have of progress made on protecting data in state governments across state governments. I think the Deloitte staff, NASCIO security committee, state CISOs, government business leaders and others who participate in this biennial survey are to again be commended for this effort. I urge you to download and read the 2016 study. I personally participated in answering the questions for Michigan in 2010, 2012 and 2014, and this 2016 product is another excellent study based on state CISO answers. 

These survey results seem very similar to 2014; nevertheless, online threats continue to increase dramatically. As the survey shows, I do think that most state governments have made modest progress on cybersecurity over the past two years. However, just as in the majority of businesses in the nation and world, not enough is being done on cyber. In fact, states are falling further behind the cyber bad guys. Although the survey shows leadership progress, overall cyberawareness and moderate funding increases, the overall threat level is increasing much faster. 

Yes, there are plenty of positive survey answers, but compared to industry averages, the funding and technical resources for cybersecurity remain inadequate in the majority of states. Furthermore, if Yahoo.com, the White House, OPM and dozens of other public- and private-sector organizations have faced headline-grabbing data breaches over the past two years, many more data breaches in state governments seem inevitable.

Add in the coming surge of new Internet of Things (IoT) devices including smart cities connectivity, more scary nation-state attacks against election (and other critical) systems and the proliferation of ransomware, and it seems almost impossible to stop future reputation damaging for state governments. Just as techrepublic.com reported, it’s hard to miss a bleak future for cybersecurity over the next few years.

Further, I continue to see three different groupings in state governments leaders, adopters and laggards with roughly a third of states in each group. Even the best state government technology and security programs in the country are struggling to stop cyberattacks from succeeding. Since public trust in government is at a low ebb right now, I think it is essential that state government leaders somehow turn the general awareness of cybersecurity challenges into a greater focus on addressing cyberthreats and incident response in local situations.

During this tough time, states need to maintain some level of optimism in order to have any hope of improving technology infrastructure over the next several years. Government leaders cannot "throw in the towel," but must persevere in the midst of this cyberbattle.

I have no doubt that we will continue to see more high-profile data breaches coming from state and local governments over the next few years  much like other sector cyber incidents in areas such as health care and banking. I am hoping that these reported breaches can lead to the needed cyberattention being provided in lagging states.

Eventually I think there will be a turning point on cybersecurity, but I just don’t see it yet - in either the public or private sectors.

I close with these two quotes from Winston Churchill: “Success consists of going from failure to failure without loss of enthusiasm.”

Also, “Success is not final, failure is not fatal: It is the courage to continue that counts.”