Risk //

Compliance

11/6/2015
03:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

States Cybersecurity Readiness Presents Grim Picture Pell Study Finds

Just eight states of 50 fared decently in a Pell study on their preparedness to deal with current and emerging cyberthreats.

Discussions about the cybersecurity readiness of government agencies have typically tended to focus on federal entities rather than on their state counterparts. That may be a big mistake.

A new study by the Pell Center for International Relations and Public Policy at Salve Regina University revealed a troubling lack of preparedness to deal with cybersecurity threats among a vast majority of state governments.

All 50 states are investing in broadband communication and moving forward aggressively on promoting wider use of the Internet to stimulate economic growth and to improve service. But not a single one of them managed to meet all the evaluation criteria that Pell used to measure their cyber readiness, says Francesca Spidalieri, senior fellow for cyber leadership and author of the report.

“The study was really meant to bring awareness to the role that state governments, not just the federal government, play in protecting critical infrastructure and the data than has been entrusted to them by their citizens,” Spidalieri says.

Just like the federal government, state governments, too, hold data on millions of citizens and depend heavily on the Internet and communications technologies to deliver services and to maintain critical infrastructure. But few appear to be considering the potential exposure and costs associated with cyber threats, says Spidalieri.

For the study, Pell looked at measures like whether the state had a strategic cybersecurity plan, formal incident response capabilities, data breach notification, and other cybersecurity laws, threat information-sharing mechanisms, and spending on cybersecurity R&D. Pell interviewed state CIOs, chief information security officers, and other state government officials and also reviewed open source data, to arrive at its conclusions.

California, Texas, Maryland, and Washington were among eight states that were identified by the study as being relatively more prepared to deal with current and emerging cyber threats than counterparts. The others are New York, New Jersey, Washington, and Virginia.

Each of these states fared better then others on some of they key measures used to evaluate them. For example, California scored well in areas like incident response, e-crime laws, and cyber R&D. But its performance in areas like regular threat assessments and accountability for cyber preparedness remained a work in progress. Pell assessed Texas as being adequate in areas like having a competent cybersecurity authority, doing regular threat assessments, and following the NIST framework, but found it still has work to do in terms of implementing effective cybersecurity laws. Michigan appeared to be the most prepared, based on its meeting most of the measures it was evaluated against.

A vast majority of states though are unprepared, says Francesca. “Most states don’t even mention the need to secure their IT systems or to address cyber threats,” she said. Some acknowledge the problem but appear to have done little to address it.

The common challenges somewhat unsurprisingly related to a lack of funding for cybersecurity programs, lack of executive engagement, the growing sophistication of threats, and a shortage of cybersecurity professionals. “It’s a grim picture and my report meant to shed some light on the states that are leading the way,” she said.

Meanwhile, a second report also released this week served up another reminder of the challenges that federal agencies continue to face on the cybersecurity front. The report by MeriTalk and Palo Alto Networks found that 44 percent of federal endpoints are vulnerable to cyber threats while 30 percent of federal network connected devices have been infected with some type of malware.

As with state governments, barely half of all federal agencies have taken specific steps to secure endpoints while some 20 percent of endpoint security audits do not include all network-connected devices.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
11/9/2015 | 1:36:09 PM
Standards
Throughout the states there should be a mandated standard that needs to be adhered to...otherwise each state is going to handle cyber security in ways that make the most sense to them. This provides a lack of consistency and too much leeway for states to perform little to no actions at all.
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Well, at least it isn't Mobby Dick!
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4035
PUBLISHED: 2019-03-22
IBM Content Navigator 3.0CD could allow attackers to direct web traffic to a malicious site. If attackers make a fake IBM Content Navigator site, they can send a link to ICN users to send request to their Edit client directly. Then Edit client will download documents from the fake ICN website. IBM X...
CVE-2019-4052
PUBLISHED: 2019-03-22
IBM API Connect 2018.1 and 2018.4.1.2 apis can be leveraged by unauthenticated users to discover login ids of registered users. IBM X-Force ID: 156544.
CVE-2019-9648
PUBLISHED: 2019-03-22
An issue was discovered in the SFTP Server component in Core FTP 2.0 Build 674. A directory traversal vulnerability exists using the SIZE command along with a \..\..\ substring, allowing an attacker to enumerate file existence based on the returned information.
CVE-2019-9923
PUBLISHED: 2019-03-22
pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.
CVE-2019-9924
PUBLISHED: 2019-03-22
rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.