Export Compliance Daily is a service of Warren Communications News.

State Cybersecurity Chiefs Want More Attention from DHS

State information security superintendents crave closer dealings with the Dept. of Homeland Security (DHS), in place of the more detached, business-based approach that exists, leaders of the National Assn. of State Chief Information Officers (NASCIO) said Wed. Fellowships for state and local chief information security officers (CISO) at DHS’s National Cyber Security Division (NCSD) would be ideal for broadening the agency’s outreach to and coordination with such officials, they said during a teleconference with reporters. The group released a report on U.S. cybersecurity strategies that laid out 5 strategic recommendations and 18 tactical recommendations.

The best way to ensure cybersecurity is handled properly by states and localities is for cybersecurity assessment to be added to the State Homeland Security Assessment and Strategy (SHSAS) done by DHS’s Office of Domestic Preparedness (ODP), NASCIO said. While that wouldn’t guarantee as much money for cybersecurity efforts as CISOs want, it would ensure appropriate consideration of security at all govt. levels, the group said.

The FBI’s InfraGard program and the Multi-State Information Sharing Analysis Center (MS-ISAC) have provided an “underutilized foundation” on which to build DHS cybersecurity programs and develop best practices, consistent methodologies and tools for risk assessments, planning, training and contracting, the group said. Meanwhile, DHS’s role as a direct provider of alert systems seems redundant and its “reputation for timeliness” is questionable, Kan. CIO Denise Moore said.

Most state security officials are confident about handling external automated threats like viruses and worms, flagged and publicized by private organizations. But more emphasis is needed on ineptitude and attacks directed outward, she said. Fending off those threats requires specialized analysis, training and awareness procedures that could be furnished by “trusted 3rd parties” like the U.S. Computer Emergency Readiness Team (US-CERT), the MS-ISAC and Carnegie Mellon’s CERT Coordination Center, she said.

NASCIO’s survey also found that state information security experts don’t know about academic programs aimed at producing competent workers and practical research in the field. More localized education opportunities as well as a stronger bond between researchers and an organization like the MS-ISAC and local InfraGard chapters would help, the group said.

“We really haven’t seen much coming out of DHS,” Kan. CISO Larry Kettlewell said: “We'll continue to try to engage DHS in that closer relationship, so that we know who to call in Washington when there’s an incident and they know who to call in the states and localities.” But until the situation improves, he won’t turn first to the federal govt. when cyber-threats emerge. Kettlewell said he taps private sources because their information has proven more detailed, helpful and reliable.

The survey’s goal wasn’t criticism of DHS, Moore said. NASCIO sees the arrival of DHS Secy. Michael Chertoff and his proposed reorganization for the agency as “a chance to further refine and reinvigorate activity in the state and local sector,” she said. But some worry that his changes, announced last summer (WID July 14 p1), have been slow to take shape. House Homeland Security Committee ranking member Thompson (D-Miss.) said Wed. that he hoped DHS’s new job of assistant secretary for cyber & telecom would be filled quickly.

DHS needs to offer businesses more incentives because “much of the heavy lifting is done by the private sector,” Thompson said. The development and adoption of large-scale risk assessments for cyberattacks will also help identify and publicize risks, he said, citing a 2004 Congressional Research Service report that found the govt. lacked standard methodologies for cost measures, and organizations were reluctant to report their cyber-vulnerabilities. “It is unacceptable that in this day and age, the majority of our states are not well equipped to defend themselves from a cyberattack, should one occur,” Thompson said.

The federal National Infrastructure Protection Plan (NIPP), which has been delayed almost a year, will include cybersecurity details that aren’t due for 4 months, a committee minority staffer said. Lawmakers are waiting to see plans for individual sectors in NIPP and hope detail will be provided on DHS and NCSD’s roles in securing state and local cyberspace, the staffer said. The federal govt. is “more than simply a point of contact for state and local governments,” and DHS must realize that current efforts “aren’t up to task,” Thompson said. DHS officials didn’t return calls by deadline.

Democratic committee aides compiled their own analysis of NASCIO’s data. A 10-page minority report, also released Wed., identified what it called cybersecurity gaps DHS has failed to address and offered the agency recommendations to improve preparedness. The committee’s view paralleled NASCIO’s recommendations but added pointed guidance. It called for more funding for NCSD on the basis that Congress and the White House have called cybersecurity a pressing issue but it receives relatively little money. In 2005, Congress appropriated $870 million to DHS’s Information Analysis and Infrastructure Protection Directorate, but cybersecurity efforts only received $7.3 million, Democrats said.