States need better security

Almost all state governments are not adequately protecting their information systems, leaving them vulnerable to hackers who could steal sensitive personal citizen data or disrupt vital services, according to a former White House cybersecurity official.

Citizens expect their Social Security numbers, income information, and sensitive medical and health data, which state governments collect and store, to be protected. But a hacker can easily penetrate a state system and steal information — or commit even more serious crimes, said Richard Clarke, a longtime federal information security expert who until earlier this year was head of the President's Critical Infrastructure Protection Board.

"If I am really nasty, I could do something like knock out a 911 system," Clarke said July 23 at the annual meeting of the National Conference of State Legislatures in San Francisco.

State governments are much worse off regarding cybersecurity than financial institutions and civilian federal agencies, said Clarke, who is now a private consultant on homeland security. "You've got a fiduciary responsibility as a state legislature to protect those systems against what is going on," he said.

An average of 30 computer and network vulnerabilities a week have been identified during the past two years, Clarke said. The increasing number of attacks is costing the country billions of dollars, he said.

Cyberattacks are criminal in nature and law enforcement should get the tools to prosecute offenders, he said. But he believes that's not the ultimate solution — better management, better governance and better use of technology are the only ways to stop computer crimes, he said.

"It's not that hard; it's not that expensive," Clarke said.

He listed 10 points for states to consider in improving information security:

* Develop an information security policy.

* Put one person in charge of cybersecurity statewide, and have a contact person at each agency.

* Provide an education/awareness program to teach employees the policy in a fun way. For example, employees can take a test in the form of a computer game and win prizes for high scores.

* Enforce the policy. Software programs can provide daily audits and reports for each agency.

* Buy security products on a governmentwide basis, rather than letting each agency do its own buying.

* Use resources and experts at local universities. States could also — based on the federal Cyber Corps model — pay tuition for students who get degrees in cybersecurity in exchange for working for the state for a period of time.

* Work with commercial firms, such as telecommunications and technology companies.

* Use outside contractors for managed security services, because state salaries probably won't attract the top talent.

* Encrypt sensitive data so even if digital information is stolen, it can't be read.

* Get help and money from the federal government. For example, states can urge expansion of the federal student tuition program so recipients can also work for state governments. Federal officials can do many things, but they're not hearing anything from states, Clarke said.

The National Association of State Chief Information Officers did hold talks with federal government, private-sector and municipal officials regarding cybersecurity, a topic that has emerged at the top of the list for the groups.
