States need better security

Almost all state governments are not adequately protecting their information systems, leaving them vulnerable to hackers who could steal sensitive personal citizen data or disrupt vital services, according to a former White House cybersecurity official.

Citizens expect their Social Security numbers, income information, and sensitive medical and health data, which state governments collect and store, to be protected. But a hacker can easily penetrate a state system and steal information — or commit even more serious crimes, said Richard Clarke, a longtime federal information security expert who until earlier this year was head of the President's Critical Infrastructure Protection Board.

"If I am really nasty, I could do something like knock out a 911 system," Clarke said July 23 at the annual meeting of the National Conference of State Legislatures in San Francisco.

State governments are much worse off regarding cybersecurity than financial institutions and civilian federal agencies, said Clarke, who is now a private consultant on homeland security. "You've got a fiduciary responsibility as a state legislature to protect those systems against what is going on," he said.

An average of 30 computer and network vulnerabilities a week have been identified during the past two years, Clarke said. The increasing number of attacks is costing the country billions of dollars, he said.

Cyberattacks are criminal in nature and law enforcement should get the tools to prosecute offenders, he said. But he believes that's not the ultimate solution — better management, better governance and better use of technology are the only ways to stop computer crimes, he said.

"It's not that hard; it's not that expensive," Clarke said.

He listed 10 points for states to consider in improving information security:

* Develop a policy for it.

* Put one person in charge of cybersecurity statewide, and have a contact person at each agency.

* Provide an education/awareness program to teach employees the policy in a fun way. For example, employees can take a test in the form of a computer game and win prizes for high scores.

* Enforce the policy. Software programs can provide daily audits and reports for each agency.

* Buy security products on a governmentwide basis, rather than letting each agency do its own buying.

* Use resources and experts at local universities. States could also — based on the federal Cyber Corps model — pay tuition for students who get degrees in cybersecurity in exchange for working for the state for a period of time.

* Work with commercial firms, such as telecommunications and technology companies.

* Use outside contractors for managed security services, because state salaries probably won't attract the top talent.

* Encrypt sensitive data so even if digital information is stolen, it can't be read.

* Get help and money from the federal government. For example, states can urge expansion of the federal student tuition program so recipients can also work for state governments. Federal officials can do many things, but they're not hearing anything from states, Clarke said.

The National Association of State Chief Information Officers did hold talks with federal government, private-sector and municipal officials regarding cybersecurity, a topic that has emerged at the top of the list for the groups.
