Is State and Local Cybersecurity Maturing Fast Enough?


Connecting state and local government leaders

Failure to use artificial intelligence to manage cyber programs and lack of cyber insurance remain weak points for governments.

State cybersecurity programs continue to mature with more expected to shift focus from operations to strategy in 2019, according to security experts.

In a 2018 survey, the National Association of State Chief Information Officers found 98 percent of state governments have developed security awareness training for workers and contractors, 94 percent have adopted a cyber framework based on national standards, and 92 percent have established trusted information-sharing and response partnerships.

That said, only 44 percent of state governments were using analytical tools, artificial intelligence or machine learning to manage cyber programs, and only 42 percent had cyber insurance, according to the report. Among local governments, 54 percent report having cyber insurance, according to a parallel Public Technology Institute survey.

Cyber insurance covers governments infiltrated by internet-based attacks on information technology infrastructure.

Insurers have increased their cyber expectations of late, said Alan Shark, executive director of PTI, a technology organization that works with city and county governments.

“They want to make sure the records are safe,” he said.

Both state and local IT agencies prioritized security and risk management spending first, but new for state CIOs is an emphasis on identity and access management.

Increasingly state governments are requiring people to prove their identities before they can access systems or services, with 33 states having either established IAM or nearing selection of a product, according to the NASCIO survey. IAM can enable single sign-ons using passwords or multi-factor identification involving mobile devices.

Ransomware and phishing remain the top security threats to states, but data theft is no longer the only goal—disrupting the continuity of government by redirecting state employees is a new focus of attackers, said Doug Robinson, executive director of NASCIO.

Employee training to not fall for phishing scams remains voluntary in more than half of states, he added. And how often that training is applied is hard to measure, Shark said.

Cyber awareness and the acquisition of better threat detection tools is improving, Shark added, but budget and staffing remain the biggest barriers to effective cybersecurity.

“The [chief information security officers] are much more concerned about their budgets,” Robinson said. “CIOs tend to be more concerned about the increasing sophistication of threats because that’s what they’re hearing. They’re also hearing they need more money.”

More money means a better ability to compensate cyber talent, the public sector’s “major crisis,” Robinson said, with most agencies facing negative or flat unemployment in the space. Scholarship programs are one avenue for acquiring more talent, as are public-private partnerships, he added.

“Cybersecurity is a team sport and we need to collaborate across the board … particularly with the private sector and higher education,” Robinson said.

Dave Nyczepir is a News Editor at Route Fifty and is based in Washington, D.C.

NEXT STORY: Toward A Circular Economy: Tackling the Plastics Recycling Problem