As the federal government continues to strengthen its cyber-defenses, malicious actors are turning attention more toward state governments that lack comparable resources to provide the same level of protection to their systems, said Mississippi Chief Information Officer Craig Orgeron before a House committee on Wednesday.
Orgeron, who also serves as president of the National Association of State Chief Information Officers, said that despite fewer resources, states are tasked with protecting the same sensitive information and key critical infrastructure as the federal government, making them more susceptible to attack.
“The State of Mississippi’s IT systems, like systems from all states, face cyber-attacks every day, ranging from a few thousand attempts to as many as 10 million per day—some domestic, many international,” Orgeron told the House Committee on Homeland Security.
He continued: “To win this ongoing battle, state IT experts have to be right every time, while hackers need to only be right once. As these attacks continue to grow more sophisticated, both public and private sector entities will need to develop better tools and increase collaboration to both deter attacks and plan a coordinated response to contain the damage from successful attacks.”
This is only partially a financial issue—it is also a policy and skilled personnel issue, Orgeron said, adding there is a great deal the federal government can do to help state governments improve preparedness and response to cyber-attacks.
On policy, the single key to ensuring a substantial attack does not blindside us is for the federal government to facilitate greater information sharing between federal agencies, the private sector and state and local partners, something already being worked on under President Obama’s cybersecurity executive order issued earlier this year.
As each state’s cybersecurity level of maturity and governance is different, NASCIO would be concerned about any effort by the federal government to designate a single state entity as the responsible point for sharing and disseminating information between state and federal entities. Such decisions should ultimately be left to each state’s governor to fit their model of cyber-governance, Orgeron said.
Just as each state has different geography and vulnerabilities to extreme weather or manmade disasters, state information technology systems and the governance of those IT systems are very different. Federal resources and support to states must respect and bolster the state organizations.
As for the workforce, NASCIO also supports efforts to include state governments as participants in programs that build the public sector cybersecurity workforce, Orgeron said.
“One of the greatest difficulties states face is attracting and retaining talent in this information security sector,” Orgeron said. “States cannot compete with the salaries provided by the private sector, or the allure of positions in the U.S. federal intelligence services. Federal scholarships to study cybersecurity in exchange for working several years in the federal government, or for state or local governments, have the twofold benefit of better protecting our citizens and expanding the available talent pool of cybersecurity experts. Scholarships should be expanded to ensure those who take advantage of them can work at any level of government protecting IT systems.”
The federal government can also take steps to reduce burdens on state and local governments by harmonizing cybersecurity standards and requirements across federal programs so state governments can provide more efficient and effective security of programs at a lower cost to taxpayers, Orgeron said.
Under the Federal Information Security Management Act, better known as FISMA, states are required to check certain boxes regarding security when taking federal grant dollars.
However, federal agencies interpret these rules differently and require different security standards. This often means states must spend money on redundant systems to comply with a patchwork of federal rules, he said. It also means a lack of compatibility between the various systems states manage, which could otherwise be consolidated and made more secure.
Orgeron said Congress should work with NASCIO and the states to replace FISMA with cybersecurity rules that better conform to universal, outcome-based standards that would provide both federal agencies and states with better security as well as greater efficiency.
“We ask that Congress continue to work with the states in identifying ways to protect our nation’s digital assets, including rapidly maturing threat information-sharing entities and developing a common framework that can serve as a roadmap and provide funding justification for state cybersecurity,” Orgeron said.