A new study by the Pell Center for International Relations and Public Policy at Salve Regina University revealed a troubling lack of preparedness to deal with cybersecurity threats among a vast majority of state governments.
All 50 states are investing in broadband communication and moving forward aggressively on promoting wider use of the Internet to stimulate economic growth and to improve service. But not a single one of them managed to meet all the evaluation criteria that Pell used to measure their cyber readiness, says Francesca Spidalieri, senior fellow for cyber leadership and author of the report.
“The study was really meant to bring awareness to the role that state governments, not just the federal government, play in protecting critical infrastructure and the data than has been entrusted to them by their citizens,” Spidalieri said via darkreading.com.
Just like the federal government, state governments, too, hold data on millions of citizens and depend heavily on the Internet and communications technologies to deliver services and to maintain critical infrastructure. But few appear to be considering the potential exposure and costs associated with cyber threats, says Spidalieri.
For the study, titled “State Of The States On Cybersecurity,” Pell looked at measures like whether the state had a strategic cybersecurity plan, formal incident response capabilities, data breach notification, and other cybersecurity laws, threat information-sharing mechanisms, and spending on cybersecurity R&D. Pell interviewed state CIOs, chief information security officers, and other state government officials and also reviewed open source data, to arrive at its conclusions.
California, Texas, Maryland, and Washington were among eight states that were identified by the study as being relatively more prepared to deal with current and emerging cyber threats than counterparts. The others are New York, New Jersey, Washington, and Virginia.
Each of these states fared better than others on some of the key measures used to evaluate them, according to darkreading.com. For example, California scored well in areas like incident response, e-crime laws, and cyber R&D. But its performance in areas like regular threat assessments and accountability for cyber preparedness remained a work in progress. Pell assessed Texas as being adequate in areas like having a competent cybersecurity authority, doing regular threat assessments, and following the NIST framework, but found it still has work to do in terms of implementing effective cybersecurity laws. Michigan appeared to be the most prepared, based on its meeting most of the measures it was evaluated against.
A vast majority of states though are unprepared, says Francesca. “Most states don’t even mention the need to secure their IT systems or to address cyber threats,” she said. Some acknowledge the problem but appear to have done little to address it.
The common challenges somewhat unsurprisingly related to a lack of funding for cybersecurity programs, lack of executive engagement, the growing sophistication of threats, and a shortage of cybersecurity professionals. “It’s a grim picture and my report meant to shed some light on the states that are leading the way,” she said.