By Jo Anne Bourquard
The massive data hack that hit Sony and resulted in the cancellation of the release of a major holiday-season movie is just the latest and most high-profile in a series of devastating data breaches, email attacks and other cybersecurity incidents.
State computer systems have seen an uptick in the past few years in the number of high-impact cyber events with serious ramifications for citizens and state budgets.
“Unfortunately, state officials are often looking at data breaches in the rear view window,” says Doug Robinson, executive director of the National Association of State Chief Information Officers (NASCIO) at the NCSL Cybersecurity Summit last week in Washington, D.C.
Cybersecurity experts who spoke at the workshop warned that assaults on state computer systems are a given and urged state legislators to ensure their state has a well-developed plan with clear authority for individuals responsible for handling cybersecurity.
State computer systems store massive volumes of personally identifiable information (PII), such as Social Security numbers, financial information, drivers’ license data, tax records, as well as marriage, birth and death records for adults and children, all of which is extremely attractive to bad actors.
Kelvin Coleman, director of the Cybersecurity and Communications Office at the U.S. Department of Homeland Security, told the audience that data is currency these days, and bad actors are creating a marketplace to sell the data they collect.
As states make more government information and services available online, particularly through mobile devices, thwarting cyber attacks becomes even more difficult.
A 2014 Cybersecurity Study by Deloitte and NASCIO found that malicious code is the most dreaded channel for a data breach. A breach of South Carolina’s computer system two years ago occurred when one government worker clicked open an email, causing malicious software to be downloaded. The tax records of 70 million people were exposed. As a result of this breach, which has cost the state nearly $41 million and counting, South Carolina created an ID Theft Unit and agreed to pay for credit monitoring for its citizens.
Nearly all states have created chief information security officer (CISO) positions to handle cybersecurity. Finding and retaining staff with sufficient cybersecurity savvy, however, is an ongoing challenge, as these people are in great demand. The Deloitte-NASCIO study found that IT staffing and sufficient funding to address the increasing complexity of cyberattacks were two of the greatest hurdles states face.
Cybersecurity experts from HP, SAS and Deloitte, along with Robinson and Coleman, made the following recommendations to state lawmakers:
Elevate the importance of cybersecurity in your state
- Embrace cybersecurity as part of the state’s business and technology culture.
- Increase public education about the risks of cybersecurity and provide strategies to prevent breaches.
Communicate and Collaborate
- Meet with your state CIOs and CISO to discuss your state’s plan and approach to cybersecurity.
- Empower your executive leadership team so they have clear authority and responsibility to handle threats.
- Require all state agencies to participate in cybersecurity planning and management, no exceptions.
- Enable cross-branch and cross-level collaboration (judicial, executive, legislative, state, federal and local).
Identify and Protect Critical Data
- Make sure your state’s cybersecurity plan identifies the kinds of data you have and sets priorities for protecting the most critical information.
Tap Resources Needed
- Consider partnerships and outsourcing to supplement state capabilities to address cybersecurity.
The NCSL Cybersecurity Summit was sponsored by the Leveraging IT to Strengthen Government Foundation for State Legislatures (FSL) Partners Project. For more information, see the project web page.
Jo Anne Bourquard is a senior fellow in NCSL’s Member Outreach and Digital Communications Division.