Export Compliance Daily is a service of Warren Communications News.
‘No Silver Bullet’

States Need to Develop Solutions to Individual Cybersecurity Threats, Governors Say

States can no longer take a perimeter approach to cybersecurity, and need to look at systems in terms of threat and impact, said Terrorism Research Center CEO Matt Devost, in a presentation at the National Governors Association (NGA) annual meeting Sunday. Cybersecurity needs to be managed in terms of “what systems are in use, how they are used and the vulnerability profile,” he said. Not all data are critical, and critical decisions need to be made to identify the points with the highest threat and impact to organizations, said Devost. “If you try to protect everything, you don’t protect anything at all.”


Cybersecurity threats continue to increase in number and sophistication in malware, spyware, distributed denial-of-service attacks, phishing and intrusion into industrial control systems, said Delaware Gov. Jack Markell (D), outgoing NGA chairman. Devost said the level of activity from threat actors in cyberspace is the highest he has seen since he started working in the industry 20 years ago. “You need to spend time looking at your most likely attacker and what they are most likely to target,” said Devost at the event that was carried on C-SPAN (http://cs.pn/16pjWOt). Critical infrastructure and public safety systems are necessary to protect systems in case of attacks, said Devost. Citizen and personal data are high profile and therefore they attract a lot of attention because they impact “citizens on an individual level,” he said.

There’s no silver bullet to solve the cybersecurity problem, but there are “silver concepts” that can help organizations protect themselves, said Devost. Critical data review, assessment and self-awareness, mitigation, threat intelligence and information sharing can help organizations, he said. Awareness and employee training also play a role, because “if employees make fewer mistakes, there is less risk in the cybersecurity environment,” said Devost. Cybersecurity is not always about prevention because incidents will happen, said Devost. “You need to have programs that will detect that a breach took place and build security around that.” Early detection and containment are key to these efforts and spear-phishing metrics can raise awareness, said Devost.

States can’t rely on the federal government to provide their cybersecurity infrastructure, said Michigan Gov. Rick Snyder (R) and Maryland Gov. Martin O'Malley (D), who both lead the Resource Center for State Cybersecurity. “Waiting for help or clear advice from Washington in these changing times before we act is not a security strategy and it is irresponsible,” said O'Malley. In Michigan, 294 million spam emails, 31.5 million pieces of malware from email and 187,000 cyberattacks were blocked daily last year, said Snyder. O'Malley said Maryland’s most effective tool for cybersecurity is the “talent and skills of our people.” In 2011, the Maryland Cybersecurity Center was established at the University of Maryland-College Park, and state employees do cybersecurity drills regularly, said O'Malley. “The things that get measured are the things we get done.”

The National Guard can also be leveraged to meet the needs of states in terms of cybersecurity, said Heather Hogsett, NGA Health and Homeland Security Committee director. “We have a real opportunity to allow state National Guard units to move to the forefront of cybersecurity and to encourage all possible avenues for participation.” The 2014 defense spending bill in Congress would provide money for National Guard units to work on cybersecurity issues in states, she said. At the end of the meeting, Oklahoma Gov. Mary Fallin (R) became the chairwoman of the NGA and Colorado Gov. John Hickenlooper (D) was named vice chairman (http://bit.ly/19IQYy4). Fallin’s initiatives as chairwoman will focus on improving education and workforce training systems and aligning those systems with the needs of individual state economies.