In recent years, US states have faced a growing number of digital threats ranging from data breaches to hacktivism and identity theft. These incidents have not only compromised the personally identifiable information (PII) of millions of citizens, but they have also threatened the critical national infrastructure and many governmental entities that depend on states for their protection.
The seriousness of today’s threat landscape demands that states work to formulate a comprehensive plan that bolsters their cyber readiness. However, a lack of funding, an absence of executive leadership, a shortage of security professionals, and a number of other obstacles have prevented many states from adequately doing so.
As a result, many states do not even mention the need to secure their IT systems, for they simply do not have the requisite resources, support, or manpower.
In the absence of comprehensive federal legislation, some states have seized the opportunity to implement security controls based upon the guidelines of the National Institute of Standards and Technology (NIST) and/or have integrated ISO 27001 into their critical systems. A select few have gone even further.
Presented below are the findings of a study sponsored by the Pell Center. This initiative, entitled “State of the States on Cybersecurity,” sought to use open source data and interviews with state representatives, including CIOs and CISOs, to understand what states were doing to enhance their cyber preparedness.
These responses were subsequently organized according to a modified version of the Cyber Readiness Index 1.0 (CRI), an experience-based methodology that seeks to evaluate states’ level of engagement with cyber security. (The CRI generally pertains to nation-states, but it has been modified to pertain to those states that comprise the United States of America.)
Authored by senior fellow Francesca Spidalieri, the report focuses on eight states that have acknowledged the importance of cyber security as evidenced by their respective policies and initiatives. These states and their security programs are shown in the image below:
A few findings from this report are worth noting:
- As leaders of cyber security, these states – California, Maryland, Michigan, New Jersey, New York, Texas, Virginia, and Washington – generally have at least parts of most if not all of the categories provided in the CRI. Texas lacks three policies/initiatives, but it has at least parts of 15 others in place. Meanwhile, neither Washington nor California is entirely missing any category.
- Many of these leading states have meaningful Incident Response, Law Enforcement, and Information Sharing structures in place. For example, each state has a data breach notification law, an IR plan, and a fusion center in place.
- All of the focus states have at least parts of a cyber research and development (R&D) agenda, which includes higher education, workforce development, and industry engagement.
Commenting on her report, Spidalieri had the following to say:
“Local and state governments, just like the federal government, hold the information of millions of people and depend on information communication technologies and the Internet to provide a number of services to their citizens, to maintain critical infrastructure as public utilities, to share information across states and federal networks, and to make sure that first responders receive the data they need in crisis situations. This is why it is critical that states protect their cyber infrastructure and digital investments and develop comprehensive plans to increase their preparedness and resilience.”
Indeed, Spidalieri does see some room for improvement among all US states, even the leaders outlined in her report. For instance, not one of the eight had full programs for all of the categories specified in the CRI. (Michigan fared the best at 15 full implementations, two partial, and one absence.)
Additionally, while the states had clearly invested in IR, law enforcement, and R&D, there was significant variability and oftentimes a lack of full-fledged programs under the “Cyber Security Strategic Plan” heading, which might suggest that states still have work to do with regard to formulating comprehensive security strategies going forward.