Are States Slacking on Cybersecurity?

A recent audit finds California’s efforts are woefully inadequate. And that’s the good news.

by / November 3, 2015

Hackers in the past year have broken into computer systems at the White House, the State Department, the Pentagon, the Internal Revenue Service and the Office of Personnel Management. The carnage doesn’t stop at the federal level, either. Both South Carolina and Utah were victims in 2012 of major data breaches that compromised personal data stored on government computers. But if you think that these increasingly frequent and expensive breaches, hacks and data leaks have led to the public sector being more prepared, you would be wrong. Public-sector technology is more vulnerable than ever.

At least that’s the word from an August report released by the California state auditor that has state CIOs nationwide taking note. The report revealed that California’s cybersecurity efforts are riddled with so many problems that information could be badly compromised in the event of a cyberattack. It criticized the state technology department for failing to make sure that other state agencies are complying with information security standards. The auditor found 73 out of 77 agencies surveyed were not in compliance.

Even a recently developed state pilot program to beef up cybersecurity compliance was blasted. The report said the pace of the program was so slow that it would take roughly 20 years to review the security standards of every agency. Part of the problem is the self-certification process, which lacked enforcement and was found to be confusing due to unclear requirements. For example, 41 agencies reported to the IT department that their security standards were certified, yet when the auditor did a more thorough check, it found only four agencies were actually compliant.

Because of how self-certification worked, the IT department was unaware of vulnerabilities in 37 agencies.

To remedy the situation, the auditor recommended that the state legislature enact statutory changes that would mandate that its technology department undertake a more rigorous security assessment of the state’s information assets and shore up funding for cybersecurity. The state IT department has agreed with the auditor’s report and pledged to increase oversight. Meanwhile, legislation has been introduced requiring the IT department to conduct security assessments of all state agencies at least once every two years. But the state Department of Finance has warned that such a requirement would be costly, an argument that has stymied expansion of cybersecurity programs in other states as well.

Mark Weatherford, a former chief information security officer in both federal and state government and now a principal with the Chertoff Group, a firm that specializes in information security, says CIOs in many states have been requesting more cybersecurity funding for years to no avail.

“Lawmakers don’t want to spend money on something that is invisible; they can’t visualize the damage, so they won’t fund what’s required,” he says.

In a 2014 study of the cybersecurity problem, the National Association of State Chief Information Officers reported a small uptick in security spending at the state level, thanks in part to the slowly improving budget situation. But the report went on to say “budgets are still not sufficient to fully implement effective cybersecurity programs.”

Funding, of course, is not the only remedy. The decentralized way that technology is managed, especially at the state level where individual agencies are often responsible for running their own computer systems, is also a problem. State and local governments instead need to have just one agency handling technology and, thus, security. A centralized cybersecurity strategy, says Weatherford, is far more effective than multiple ones managed by individual agencies.

However, there are a couple of hurdles states and localities will first have to overcome before they can implement any of these changes. The biggest is that many of today’s hackers are sophisticated, state-run organizations based in autocratic regimes such as China, North Korea and Russia. “Government agencies are being outmatched when it comes to fighting the bad guys,” says Weatherford. “State governments simply don’t have the skills and resources to combat them.”

But before we can even begin to confront that problem, we have to get over our own inertia. Changing the status quo in state and local government isn’t easy. Despite the growing list of data breaches in government, the problem remains largely off the radar for many public officials. “Lawmakers need to see that this is a critical issue, which they need to embrace,” says Weatherford. “This is not an IT problem, it’s a leadership problem.”

This article was originally published on Governing.

Tod Newcombe, Senior Editor

With more than 20 years of experience covering state and local government, Tod previously was the editor of Public CIO, e.Republic’s award-winning publication for information technology executives in the public sector. He is now a senior editor for Government Technology and a columnist at Governing magazine.