Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

11/6/2015
03:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

States’ Cybersecurity Readiness Presents “Grim Picture” Pell Study Finds

Just eight states of 50 fared decently in a Pell study on their preparedness to deal with current and emerging cyberthreats.

Discussions about the cybersecurity readiness of government agencies have typically tended to focus on federal entities rather than on their state counterparts. That may be a big mistake.

A new study by the Pell Center for International Relations and Public Policy at Salve Regina University revealed a troubling lack of preparedness to deal with cybersecurity threats among a vast majority of state governments.

All 50 states are investing in broadband communication and moving forward aggressively on promoting wider use of the Internet to stimulate economic growth and to improve service. But not a single one of them managed to meet all the evaluation criteria that Pell used to measure their cyber readiness, says Francesca Spidalieri, senior fellow for cyber leadership and author of the report.

“The study was really meant to bring awareness to the role that state governments, not just the federal government, play in protecting critical infrastructure and the data than has been entrusted to them by their citizens,” Spidalieri says.

Just like the federal government, state governments, too, hold data on millions of citizens and depend heavily on the Internet and communications technologies to deliver services and to maintain critical infrastructure. But few appear to be considering the potential exposure and costs associated with cyber threats, says Spidalieri.

For the study, Pell looked at measures like whether the state had a strategic cybersecurity plan, formal incident response capabilities, data breach notification, and other cybersecurity laws, threat information-sharing mechanisms, and spending on cybersecurity R&D. Pell interviewed state CIOs, chief information security officers, and other state government officials and also reviewed open source data, to arrive at its conclusions.

California, Texas, Maryland, and Washington were among eight states that were identified by the study as being relatively more prepared to deal with current and emerging cyber threats than counterparts. The others are New York, New Jersey, Washington, and Virginia.

Each of these states fared better then others on some of they key measures used to evaluate them. For example, California scored well in areas like incident response, e-crime laws, and cyber R&D. But its performance in areas like regular threat assessments and accountability for cyber preparedness remained a work in progress. Pell assessed Texas as being adequate in areas like having a competent cybersecurity authority, doing regular threat assessments, and following the NIST framework, but found it still has work to do in terms of implementing effective cybersecurity laws. Michigan appeared to be the most prepared, based on its meeting most of the measures it was evaluated against.

A vast majority of states though are unprepared, says Francesca. “Most states don’t even mention the need to secure their IT systems or to address cyber threats,” she said. Some acknowledge the problem but appear to have done little to address it.

The common challenges somewhat unsurprisingly related to a lack of funding for cybersecurity programs, lack of executive engagement, the growing sophistication of threats, and a shortage of cybersecurity professionals. “It’s a grim picture and my report meant to shed some light on the states that are leading the way,” she said.

Meanwhile, a second report also released this week served up another reminder of the challenges that federal agencies continue to face on the cybersecurity front. The report by MeriTalk and Palo Alto Networks found that 44 percent of federal endpoints are vulnerable to cyber threats while 30 percent of federal network connected devices have been infected with some type of malware.

As with state governments, barely half of all federal agencies have taken specific steps to secure endpoints while some 20 percent of endpoint security audits do not include all network-connected devices.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
11/9/2015 | 1:36:09 PM
Standards
Throughout the states there should be a mandated standard that needs to be adhered to...otherwise each state is going to handle cyber security in ways that make the most sense to them. This provides a lack of consistency and too much leeway for states to perform little to no actions at all.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27187
PUBLISHED: 2020-10-26
An issue was discovered in KDE Partition Manager 4.1.0 before 4.2.0. The kpmcore_externalcommand helper contains a logic flaw in which the service invoking D-Bus is not properly checked. An attacker on the local machine can replace /etc/fstab, and execute mount and other partitioning related command...
CVE-2020-7752
PUBLISHED: 2020-10-26
This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands.
CVE-2020-7127
PUBLISHED: 2020-10-26
A remote unauthenticated arbitrary code execution vulnerability was discovered in Aruba Airwave Software version(s): Prior to 1.3.2.
CVE-2020-7196
PUBLISHED: 2020-10-26
The HPE BlueData EPIC Software Platform version 4.0 and HPE Ezmeral Container Platform 5.0 use an insecure method of handling sensitive Kerberos passwords that is susceptible to unauthorized interception and/or retrieval. Specifically, they display the kdc_admin_password in the source file of the ur...
CVE-2020-7197
PUBLISHED: 2020-10-26
SSMC3.7.0.0 is vulnerable to remote authentication bypass. HPE StoreServ Management Console (SSMC) 3.7.0.0 is an off node multiarray manager web application and remains isolated from data on the managed arrays. HPE has provided an update to HPE StoreServ Management Console (SSMC) software 3.7.0.0* U...