States need better security

Almost all state governments are not adequately protecting their information systems, leaving them vulnerable to hackers who could steal sensitive personal citizen data or disrupt vital services, according to a former White House cybersecurity official.

Citizens expect their Social Security numbers, income information, and sensitive medical and health data, which state governments collect and store, to be protected. But a hacker can easily penetrate a state system and steal information — or commit even more serious crimes, said Richard Clarke, a longtime federal information security expert who until earlier this year was head of the President's Critical Infrastructure Protection Board.

"If I am really nasty, I could do something like knock out a 911 system," Clarke said July 23 at the annual meeting of the National Conference of State Legislatures in San Francisco.

State governments are much worse off regarding cybersecurity than financial institutions and civilian federal agencies, said Clarke, who is now a private consultant on homeland security. "You've got a fiduciary responsibility as a state legislature to protect those system against what is going on," he said.

An average of 30 computer and network vulnerabilities a week have been identified during the past two years, Clarke said. The increasing number of attacks is costing the country billions of dollars, he said.

Cyberattacks are criminal in nature and law enforcement should get the tools to prosecute offenders, he said. But he believes that's not the ultimate solution — better management, better governance and better use of technology are the only ways to stop computer crimes, he said.

"It's not that hard; it's not that expensive," Clarke said.

He listed 10 points for states to consider in improving information security:

* Develop a policy for it.

* Put one person in charge of cybersecurity statewide, and have a contact person at each agency.

* Provide an education/awareness program to teach employees the policy in a fun way. For example, employees can take a test in the form of a computer game and win prizes for high scores.

* Enforce the policy. Software programs can provide daily audits and reports for each agency.

* Buy security products on a governmentwide basis, rather than letting each agency do its own buying.

* Use resources and experts at local universities. States could also — based on the federal Cyber Corps model — pay tuition for students who get degrees in cybersecurity in exchange for working for the state for a period of time.

* Work with commercial firms, such as telecommunications and technology companies.

* Use outside contractors for managed security services, because state salaries probably won't attract the top talent.

* Encrypt sensitive data so even if digital information is stolen, it can't be read.

* Get help and money from the federal government. For example, states can urge expansion of the federal student tuition program so recipients can also work for state governments. Federal officials can do many things, but they're not hearing anything from states, Clarke said.

The National Association of State Chief Information Officers did hold talks with federal government, private-sector and municipal officials regarding cybersecurity, a topic that has emerged at the top of the list for the groups.


  • Cybersecurity
    malware detection (Alexander Yakimov/

    Microsoft targets copycat influence websites

    Microsoft went to court to take down websites it believes to be part of a foreign intelligence operation targeting conservative think tanks and the U.S. Senate.

  • Cybersecurity
    secure network

    FAA explores shifting its network to FISMA high

    The Federal Aviation Administration is exploring an upgrade to the information security categorization of IT systems as part of air traffic control modernization.

  • Cybersecurity
    Shutterstock photo id 669226093 By Gorodenkoff

    The disinformation game

    The federal government is poised to bring new tools and strategies to bear in the fight against foreign-backed online disinformation campaigns, but how and when they choose to act could have ramifications on the U.S. political ecosystem.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.