States need better security

State governments aren't doing enough to protect against hackers, says a former White House data security guru.

Almost all state governments are not adequately protecting their information systems, leaving them vulnerable to hackers who could steal sensitive personal citizen data or disrupt vital services, according to a former White House cybersecurity official.

Citizens expect their Social Security numbers, income information, and sensitive medical and health data, which state governments collect and store, to be protected. But a hacker can easily penetrate a state system and steal information — or commit even more serious crimes, said Richard Clarke, a longtime federal information security expert who until earlier this year was head of the President's Critical Infrastructure Protection Board.

"If I am really nasty, I could do something like knock out a 911 system," Clarke said July 23 at the annual meeting of the National Conference of State Legislatures in San Francisco.

State governments are much worse off regarding cybersecurity than financial institutions and civilian federal agencies, said Clarke, who is now a private consultant on homeland security. "You've got a fiduciary responsibility as a state legislature to protect those systems against what is going on," he said.

An average of 30 computer and network vulnerabilities a week have been identified during the past two years, Clarke said. The increasing number of attacks is costing the country billions of dollars, he said.

Cyberattacks are criminal in nature and law enforcement should get the tools to prosecute offenders, he said. But he believes that's not the ultimate solution — better management, better governance and better use of technology are the only ways to stop computer crimes, he said.

"It's not that hard; it's not that expensive," Clarke said.

He listed 10 points for states to consider in improving information security:

* Develop a policy for it.

* Put one person in charge of cybersecurity statewide, and have a contact person at each agency.

* Provide an education/awareness program to teach employees the policy in a fun way. For example, employees can take a test in the form of a computer game and win prizes for high scores.

* Enforce the policy. Software programs can provide daily audits and reports for each agency.

* Buy security products on a governmentwide basis, rather than letting each agency do its own buying.

* Use resources and experts at local universities. States could also — based on the federal Cyber Corps model — pay tuition for students who get degrees in cybersecurity in exchange for working for the state for a period of time.

* Work with commercial firms, such as telecommunications and technology companies.

* Use outside contractors for managed security services, because state salaries probably won't attract the top talent.

* Encrypt sensitive data so even if digital information is stolen, it can't be read.

* Get help and money from the federal government. For example, states can urge expansion of the federal student tuition program so recipients can also work for state governments. Federal officials can do many things, but they're not hearing anything from states, Clarke said.

The National Association of State Chief Information Officers did hold talks with federal government, private-sector and municipal officials regarding cybersecurity, a topic that has emerged at the top of the list for the groups.
