States say insufficient budgets, increased sophistication of threats and a lack of qualified cyber professionals hold them back, the vice president of NASCIO testified.
House lawmakers pressed state IT executives for ways the federal government could help them better prepare for cyberattacks.
States identified cybersecurity as their “lowest-rated core competency” in the Federal Emergency Management Agency’s most recent annual National Preparedness Report. During a hearing before two Homeland Security subcommittees Tuesday, state tech and emergency response leaders said boost state cyber defenses was a priority — but lamented that resource concerns stymie their efforts.
Indeed, Mark Raymond, vice president of the National Association of State Chief Information Officers, said state IT managers recognize the importance of cybersecurity: His group found in a 2015 survey that 80 percent of states had adopted a cybersecurity framework based on national standards and guidelines.
“State CIOs are committed to securing state networks, protecting the digital business of state government, and coordinating with diverse stakeholders to ensure government continuity in times of disaster,” said Raymond, who also serves as Connecticut’s chief information officer.
Though he cited several barriers for states addressing cyber: insufficient budgets, increased sophistication of threats and a lack of qualified cyber professionals. He added that most state governments spend 1 to 2 percent of their overall IT budget on cyber. By comparison, the federal government spends 15 percent.
“The workforce is probably the biggest challenge where federal government can help,” said retired Brig. Gen. Steven Spano, president and chief operating officer of the Center for Internet Security. “That’s an area where states are really struggling.”
States have to compete with industry, which often offers better pay, he said at the hearing — which was held by the Cybersecurity, Infrastructure Protection, and Security Technologies, and the Emergency Preparedness, Response, and Communications subcommittees. He suggested that the federal government could serve as a "catalyst" to promote interest in science and technology careers so that
Other witnesses, while praising the work the Department of Homeland Security has done to assist state governments, said that sometimes the federal government's priorities for states are not well defined.
“I think that part of it is because the [cybersecurity] emphasis from the DHS to the states and to the state administrative agents that are doing the investment adjustments are not very clear,” said Mark Ghilarducci, director of emergency services for the office of the governor of California. “After all, it’s an evolving field.”
States will continue to face challenges in cybersecurity as the field evolves, Raymond said. As a result, states must streamline their processes and continue to partner with the federal government to position themselves for success.
“Given this background, the Congress and federal agencies should continue to partner with state CIOs and CISOs when reviewing or promulgating new data security laws or regulations to ensure that the goal of security is achieved without undue burden or redundancy," he said.