On the heels of the sixth annual National Cybersecurity Awareness Month, information security has been generally accepted as a cost of doing business. The question is how to pay the tab.
Confronted by the Great Recession, some states and localities have deferred security spending to survive the budget crisis, making the same kind of Faustian bargain uninsured motorists do when they choose rent and food over insurance premiums. They perilously calculate that they'll catch up eventually and gamble that they can avoid accidents in the meantime. When the bet goes bad, there's hell to pay.
That is a loser's game because there's no telling where and when the next threat will hit. Just ask those who must secure the information and systems on which government relies. California Chief Information Security Officer (CISO) Mark Weatherford and New York state CISO Will Pelgrin, who also heads the Multi-State Information Sharing and Analysis Center (MS-ISAC), have strikingly similar top-of-mind issues that need work. The issues are theirs; the categorization here is mine:
A. Resolving Domains: Governments must consider domain name system security and the increased vulnerability that comes when states and localities use the dot-gov top-level domain, which has become the attack vector of choice.
B. Resource Roulette: Even the relatively young cyber-security discipline has tended to produce silos rather than synergies while competing for resources. Critical infrastructure, new platforms (smart grid, cloud computing and Web 2.0), applications (light, legacy and new enterprise) and devices (desktop and mobile) all must be secured, but you'd never know it by looking at the funding and policy patchwork in most jurisdictions.
C. Reconciling Friends: Cyber-security deserves to be the next national priority, but "national" is more than the federal government. The federal government is rightfully concerned with getting its own house in order, but in an interconnected world, security must account for states and localities where system outages and breaches are felt most profoundly.
To be sure, there's much work going on. Washington state is the most recent to formally adopt a new security policy framework, New York is issuing best practices for integrating Web 2.0 into a secure environment, and several states are exploring the introduction of a standard configuration for their desktop core operating system to bring order and discipline to security settings, practices and patch management. Of course, all this occurs in the context of interstate collaboration - witness the strong track record of collaborative work through the MS-ISAC and, more recently, a nascent but allied effort through the Digital States Performance Institute.
Funding options have always been limited and have become more so with the recession. General fund appropriations are unlikely, and there isn't much elasticity left in the rate structure of technology agencies to make cyber-security costs recoverable.
In such circumstances, eyes turn to the federal government. As a practical matter, state and local cyber-security efforts compete for resources in a federal funding structure that grew up around physical security concerns.
Fresh guidance from the U.S. Department of Homeland Security on federal grant prioritization would help. So too would fresh thinking about a unified cyber-security funding model that accounts for potential weak links regardless of whether they are at the center or the periphery of what ultimately is government's shared operating environment.