News about successful hacks of large companies seems to have become commonplace. In the recent Anthem cyber attack, hackers accessed the names, birth dates, social security numbers, income, health status and many other details of the company’s customers. At present, Anthem does not even know the total number of records breached but estimates it to be “tens of millions”.
At present, government has been less affected by security breaches than the private sector. By late 2014, the Privacy Rights Clearinghouse (which maintains a list of all publicly reported data breaches) had recorded only 27 incidents involving government entities, which included data breaches involving 800,000 employees and 2.9 million customers at the U.S. Postal Service, 850,000 job seekers in Oregon, and background data on 25,000 underground investigators at the U.S. Department of Homeland Security.
In speaking broadly about threats, General Vincent Stewart, Director of the Defense Intelligence Agency, commented that current intelligence gathering efforts afford a general awareness of threats but that tactically actionable information is much more difficult to obtain. We suggest that this is also true of cyber security. In our recent article “The Vast Majority of the Government Lacks Clear Cybersecurity Plans”, we examined how federal government agencies addressed the issue of cybersecurity. Our findings indicated that federal agencies are unprepared. Half of federal agencies make no mention of the need to secure IT systems, nor do they address cybersecurity efforts in detail.
We have also studied cybersecurity in state government IT plans. All states, with the exception of Alaska, publish an IT strategic plan, and we did a content analysis of these documents to assess each state’s cybersecurity positioning. We conducted this research knowing that the National Association of State CIOs (NASCIO), when issuing its annual list of priorities for state CIOs for 2015, exhorted state CIOs to examine a variety of security-related concerns to determine what constitutes “due care” in addressing them. Our purpose in conducting this analysis was to determine how well states were conducting this “due care”.
As expected, our findings were mixed. We were able to identify two states that had strong efforts and performed better than their peers.
Weak cybersecurity plans
All states mention cybersecurity in their plans. But Vermont and Utah were virtually silent on the topic and only touched on the need for cybersecurity in a general fashion. In these state plans, we saw little evidence of awareness of cybersecurity as an issue and no evidence of any robust plans for addressing it.
Vermont’s plan discusses the need to modernize its legacy systems. Security is only mentioned in passing and as part of its reporting of challenges raised in the prior year. Even in its discussion of operating IT more effectively, security is not mentioned. It’s worth noting that its latest plan was developed in 2013 to cover 2013 – 2018.
If these states are addressing cybersecurity, we did not find evidence of it in their latest IT strategic plans. Given the omnipresence of cybersecurity, we were surprised.
Aware but lacking in details
Most of the states fell into this category of acknowledging the problem. These states have solid IT strategic plans and clearly mention the need for cybersecurity; however, security does not figure prominently in their IT strategic plans. If strategies exist, they are mostly focused on a single aspect of cybersecurity such as infrastructure management.
For example, Maryland reports, “…[anticipating] a significant surge in cyber security activities, especially in the areas of planning, infrastructure hardening, and platform/network/application assessment and testing”. However, we scoured the plan and, outside of this single reference to cyber security, found no plans, strategies, or actionable steps for implementing cyber security policies.
We are confident that these states understand the need for cybersecurity; however, their planning is only minimally effective and fails to address all of the aspects of cybersecurity (including training, security processes, etc.). We believe that these states still have much work to do in order to fully address cybersecurity.
Addressing the problem
We put states into this category if they have a solid and robust recognition of the need for cybersecurity and a multi-faceted plan.
For example, New Mexico has a robust plan for cybersecurity that relies on metrics. As part of defining its 10-part plan for its new Information Technology Security Program, it uses a detailed metrics and reporting framework to assess how well it is working.
Colorado has clear metrics and assigns specific responsibilities to officials. For example, it tasks the Chief Information Security Officer with:
(1) Ensuring that more than 95 percent of its systems are monitored/evaluated in real time
(2) Ensuring that more than 90 percent of its employees have taken security awareness training
(3) Reducing overdue security-related audit findings by 5 percent every quarter
(4) Reducing the average number of new high-risk security findings not remediated within 60 days to fewer than 50 annually
Dr. Gregory S. Dawson is a senior faculty associate at the Center for Organization Research and Design (CORD) within the School of Public Programs at Arizona State University and is also an assistant professor at the W. P. Carey School of Business. Prior to becoming an academic, he was a partner in the Government Consulting Practice at PricewaterhouseCoopers (PwC) and was also a director in the State and Local Government Consulting practice at Gartner.
The states in this group focus on far more than simple technology components. As Delaware’s plan aptly observes, people are the weakest link in security. That state, along with others, stresses training as the most cost-effective way to achieve cybersecurity.
Leaders in the field
We consider Idaho and Mississippi to be truly outstanding in their focus on cybersecurity. Similar to states in the commendable group, they have a strong awareness of cybersecurity and take a multi-faceted approach. But these states take it one step further.
Rather than relying on locally developed plans, these states rely heavily on the standards established by groups like the National Institute of Standards and Technology (NIST). For example, Mississippi plans to align its “…Enterprise Security Policy (ESP) and overall information security program with the National Institute of Standards and Technology (NIST) Cybersecurity framework, the security controls defined in the 800 series of publications by NIST, the recommendations in the National Governors Association’s Call to Action for Cybersecurity, and the Top 20 Critical Security Controls maintained by the Council on Cybersecurity”.
Such an approach is the most cost-efficient and effective way to enact standards and policies for cybersecurity. While we are not asserting that all states should adopt NIST’s proposals, we are concerned that locally developed standards may be inferior. Idaho and Mississippi have effectively applied these standards to their cybersecurity policies and, by doing so, are likely to adopt a much more robust and effective cybersecurity protocol.
Idaho and Mississippi are highly consistent with the philosophy espoused by Stuart Davis, National Association of State CIOs (NASCIO) President and CIO of Ohio, who calls for greater collaboration and resource sharing between the states and the federal government in addressing the cyber security issue.
Best cybersecurity planning practices
We recommend that states closely examine and adopt standards, policies and procedures enacted by nationally respected groups like NIST in order to jump-start their cybersecurity planning.
States, unlike private sector firms, have the advantage of not being in competition with other states and so can adopt and leverage these standards to provide better cybersecurity to the citizenry. Failure to do so is likely to stall effective cybersecurity and leave states open to cyber threats.