Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

11/6/2015
03:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

States’ Cybersecurity Readiness Presents “Grim Picture” Pell Study Finds

Just eight states of 50 fared decently in a Pell study on their preparedness to deal with current and emerging cyberthreats.

Discussions about the cybersecurity readiness of government agencies have typically tended to focus on federal entities rather than on their state counterparts. That may be a big mistake.

A new study by the Pell Center for International Relations and Public Policy at Salve Regina University revealed a troubling lack of preparedness to deal with cybersecurity threats among a vast majority of state governments.

All 50 states are investing in broadband communication and moving forward aggressively on promoting wider use of the Internet to stimulate economic growth and to improve service. But not a single one of them managed to meet all the evaluation criteria that Pell used to measure their cyber readiness, says Francesca Spidalieri, senior fellow for cyber leadership and author of the report.

“The study was really meant to bring awareness to the role that state governments, not just the federal government, play in protecting critical infrastructure and the data than has been entrusted to them by their citizens,” Spidalieri says.

Just like the federal government, state governments, too, hold data on millions of citizens and depend heavily on the Internet and communications technologies to deliver services and to maintain critical infrastructure. But few appear to be considering the potential exposure and costs associated with cyber threats, says Spidalieri.

For the study, Pell looked at measures like whether the state had a strategic cybersecurity plan, formal incident response capabilities, data breach notification, and other cybersecurity laws, threat information-sharing mechanisms, and spending on cybersecurity R&D. Pell interviewed state CIOs, chief information security officers, and other state government officials and also reviewed open source data, to arrive at its conclusions.

California, Texas, Maryland, and Washington were among eight states that were identified by the study as being relatively more prepared to deal with current and emerging cyber threats than counterparts. The others are New York, New Jersey, Washington, and Virginia.

Each of these states fared better then others on some of they key measures used to evaluate them. For example, California scored well in areas like incident response, e-crime laws, and cyber R&D. But its performance in areas like regular threat assessments and accountability for cyber preparedness remained a work in progress. Pell assessed Texas as being adequate in areas like having a competent cybersecurity authority, doing regular threat assessments, and following the NIST framework, but found it still has work to do in terms of implementing effective cybersecurity laws. Michigan appeared to be the most prepared, based on its meeting most of the measures it was evaluated against.

A vast majority of states though are unprepared, says Francesca. “Most states don’t even mention the need to secure their IT systems or to address cyber threats,” she said. Some acknowledge the problem but appear to have done little to address it.

The common challenges somewhat unsurprisingly related to a lack of funding for cybersecurity programs, lack of executive engagement, the growing sophistication of threats, and a shortage of cybersecurity professionals. “It’s a grim picture and my report meant to shed some light on the states that are leading the way,” she said.

Meanwhile, a second report also released this week served up another reminder of the challenges that federal agencies continue to face on the cybersecurity front. The report by MeriTalk and Palo Alto Networks found that 44 percent of federal endpoints are vulnerable to cyber threats while 30 percent of federal network connected devices have been infected with some type of malware.

As with state governments, barely half of all federal agencies have taken specific steps to secure endpoints while some 20 percent of endpoint security audits do not include all network-connected devices.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
11/9/2015 | 1:36:09 PM
Standards
Throughout the states there should be a mandated standard that needs to be adhered to...otherwise each state is going to handle cyber security in ways that make the most sense to them. This provides a lack of consistency and too much leeway for states to perform little to no actions at all.
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25414
PUBLISHED: 2021-06-17
A local file inclusion vulnerability was discovered in the captcha function in Monstra 3.0.4 which allows remote attackers to execute arbitrary PHP code.
CVE-2021-32078
PUBLISHED: 2021-06-17
An Out-of-Bounds Read was discovered in arch/arm/mach-footbridge/personal-pci.c in the Linux kernel through 5.12.11 because of the lack of a check for a value that shouldn't be negative, e.g., access to element -2 of an array, aka CID-298a58e165e4.
CVE-2021-31818
PUBLISHED: 2021-06-17
Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn’t parameterised correctly. Exploiting this vulnerability could allow unauthorised access to database tables.
CVE-2021-34825
PUBLISHED: 2021-06-17
Quassel through 0.13.1, when --require-ssl is enabled, launches without SSL or TLS support if a usable X.509 certificate is not found on the local system.
CVE-2021-32944
PUBLISHED: 2021-06-17
A use-after-free issue exists in the DGN file-reading procedure in the Drawings SDK (All versions prior to 2022.4) resulting from the lack of proper validation of user-supplied data. This can result in a memory corruption or arbitrary code execution, allowing attackers to cause a denial-of-service c...