States need cybersecurity focus

A new study says that states need to do more to secure systems from attack

A new Zeichner Risk Analytics LLC study found 36 state governments have failed to prepare, adopt and implement acceptable cybersecurity policies, which could have damaging consequences to citizen services, communication systems and critical utilities if the nation were to undergo cyberattacks.

But while state governments and organizations such as the National Association of Chief Information Officers and National Governors Association are aware of the problem and discussing the issue, several cybersecurity experts said what's needed is deployment.

"I think what's important is that states take action," said Richard Pethia, director of the CERT Coordination Center at Carnegie Mellon University. He said there are plenty of good resources and work on the issue, but what's missing is a "commitment to action."

That's important in light of the increasing threat, he said. CERT says more than 82,000 incidents were reported in 2002, about four times more than in 2000. Nearly 5,000 vulnerabilities were reported last year, up from 1,090 reported in 2000. "There's no end in sight to that trend," said Pethia, adding that denial-of-service attacks occur every day.

John Burke Jr., a Washington, D.C., attorney who serves as general counsel to BITS — the technology arm of the Financial Services Roundtable, made up of the top chief executive officers of the largest banking institutions — said if financial systems are compromised "and they don't get back online very quickly, we have a serious, serious problem. It would seriously shake public confidence."

Lee Zeichner, president of the consulting company that conducted the study released today, said states are generally behind the federal government and the private industry in securing their systems.

"What's missing here is leadership, focus and consistency across the states," he said, noting that governors must take the lead.

Following a yearlong review, the study found that only 14 states and the District of Columbia are in full compliance with the Gramm-Leach-Bliley Act of 1999, which requires federal agencies and states to prepare cybersecurity guidance for financial institutions. Fourteen other states have pending legislation and/or regulations for compliance, while 22 states have little or no cybersecurity activity.

Reasons, Zeichner said, for noncompliance include confusing privacy with security guidelines, lack of funds and shifting priorities due to the Sept. 11, 2001, terrorist attacks.

John McCarthy, executive director of the Critical Infrastructure Protection Project at George Mason University, said states are dealing with competing priorities, such as a greater focus on providing first responders with greater information and tools. But as police and fire departments become more dependent on technology, there needs to be an equally greater emphasis on protecting systems and databases, which are easily corruptible.

The study recommended that:

* States adopt the National Association of Insurance Commissioners nationwide proposal, which provides an approach similar to that of states in compliance with the Gramm-Leach-Bliley Act.

* States create a single, nationwide process for developing cybersecurity laws and policies.

* A single public-private "focal point is badly needed" to coordinate strategy.

The report said the recommendations "do not require extensive funding, retooling of state procedures or other drastic action."
