State government cybersecurity efforts coming up short, study finds
As cybersecurity has moved into the forefront of the conversation in both the private and public sectors, many experts have drawn attention to the federal government’s efforts in this area. In certain regards, federal agencies have made impressive progress here, while at the same time there are numerous causes for concern.
However, it is important to recognize that government cybersecurity is not purely a federal issue. State governments must also make cybersecurity a priority in order to ensure their constituents’ personal information and other sensitive data remain safe in an increasingly dangerous digital landscape. Unfortunately, as a recent study from the Pell Center for International Relations and Public Policy at Salve Regina University revealed, the vast majority of state governments are coming up short in this capacity.
Speaking to Dark Reading contributor Jai Vijayan, Francesca Spidalieri, senior fellow for cyber leadership and author of the report, explained that the study aimed to emphasize the importance of state-level cybersecurity, which is often overlooked.
“The study was really meant to bring awareness to the role that state governments, not just the federal government, play in protecting critical infrastructure and the data that has been entrusted to them by their citizens,” Spidalieri said, according to the source.
“Zero states had cybersecurity plans that met all of the Pell Center’s criteria.”
The study found that among the 50 states, none of them managed to develop and implement cybersecurity plans that met all of the Pell Center’s criteria, as Vijayan reported. These criteria related to states’ data breach notification policies, formal incident response capabilities, threat-sharing abilities and strategic cybersecurity plans.
All told, eight states stood out as being relatively prepared to handle the dangers associated with cybersecurity, while still falling short of the Pell Center’s measures. The other 42 states were found to be even less prepared to deal with the growing threat posed by hackers and other cybercriminals.
This lack of preparedness can have serious consequences, as the report made clear.
“[T]he individual states of the United States, like national governments, have a responsibility to secure their critical infrastructure – including electric power grids, air traffic control systems, financial systems and communication networks – as well as the data that has been entrusted to them by their citizens,” the report stated.
In light of these findings, it’s clear that state governments need to step up their efforts to protect their IT systems and data from cyberthreats. However, the Pell Center report suggested that these initiatives cannot be a simple expansion of existing efforts, but must rather include new approaches.
Specifically, the study noted that most state agencies have typically focused their cybersecurity efforts on the pursuit of new, advanced security products and tools. Obviously such resources have their merits, but a strategy that depends on these assets exclusively can never be fully secure.
“While technology is a key component in this effort, it alone is insufficient – there must be an increased focus on educating and training users as well,” the report explained. “No matter how good any particular technology or plan may be, its efficacy is limited if it is not adopted and implemented effectively by management teams and used correctly by employees who follow well-defined processes and act in a concerted way.”
Federal and state
Of course, these types of issues are not limited to state governments. The federal government has also struggled with cybersecurity, and in many of the same areas.
“More than half of state and federal respondents’ organizations lack well-defined cybersecurity practices.”
GCN contributor Amanda Ziadeh recently noted that the Ponemon Institute’s latest “State of Cybersecurity in Local, State and Federal Government” report found that more than half of respondents from both the state and federal levels feel that their organizations do not have well-defined cybersecurity practices. What’s more, over half of these participants said that their organizations are not effective when it comes to preventing or detecting cyberattacks.
The report also found that federal agencies have been forced to confront material security breaches once every nine weeks on average over the past two years, according to Ziadeh. For state agencies, this figure stood at one breach every 12 weeks.
Despite this discrepancy, the Ponemon report concluded that federal cyberdefenses are currently stronger than those of state-level agencies, Ziadeh reported. Federal programs have generally reached a further stage of maturity, and the federal government is doing a better job of recruiting cybersecurity experts.
Consequently, it may be wise for state-level decision-makers to look to the federal government for guidance as to how to improve their cybersecurity efforts. After all, federal agencies, while not perfect by any means, have gone through many of the tribulations now facing state-level governments, and so the latter groups can learn from federal successes and shortcomings.
Ultimately, though, the only way for either federal or state government agencies to improve their cybersecurity capabilities to a satisfactory degree is by making this a top-level priority and seeking out expertise, either via recruitment or third-party consulting, to become and remain secure.