Feds Look to Partner With States on Cybersecurity

Now that Web-basedtechnologies control everything from the electric grid to the water supply,cyberattacks on critical infrastructure have become the most pressing threat tonational security, according to a national intelligence report to Congress.

Andy Ozment,senior director for cybersecurity at the White House, embraced states as keypartners in efforts to secure the nation’s assets.

“You own andoperate critical infrastructure,” he said Tuesday at a meeting of NationalAssociation of State Chief Information Officers. “Your own services constitutecritical infrastructure in ways that are hugely important. We have to work withyou to identify those portions of your systems and networks that are the mostimportant and the most critical, and share with you whatever resources we canto help you secure those.”

Federallegislation on cybersecurity appears stalled, so the White House is working ona strategy to protect such assets—which are often owned and operated by theprivate sector—through an executive order and presidential policy directiveissued in February.

The executive order directs the Department of HomelandSecurity to share timely information on cyber threats with state and localgovernments and private sector companies with responsibility for criticalinfrastructure. It requires DHS to expedite clearances for state, local andprivate sector personnel to receive classified and sensitive threatinformation.

Theexecutive order also requires the Commerce Department’s National Institute of Standardsand Technology to work with industry leaders to develop a cybersecurity frameworkfor companies with responsibility for critical infrastructure. NIST is expectedto finalize a framework that includes joint standards and best practices byFebruary 2014. Compliance will be voluntary.

NASCIO warnedagainst requiring states to take on responsibilities they don’t have theresources to deliver and pleaded for support in comments about the framework’sdevelopment submitted to NIST in April.

“States area key partner in delivering over $600 billion in federal programs to citizens,and therefore the federal government has a direct interest in helping statessecure their data and systems against attack,” NASCIO wrote. “The overarching demand to beefficient with taxpayer funds and ensure as much funding as possible goes tothe end users of public services often means that veiled costs of operationsuch as cyber defenses, training, and identity management are severelyneglected.”

A survey of state chief information security officersreleased by NASCIO and Deloitte in October found that only 24 percent are “veryconfident” that their state assets are protected against external threats. Only32 percent said their staff have the required cybersecurity competency.

Teri Takai,chief information officer of the U.S. Department of Defense, said the approach  in the executive order offers particularbenefits to state governments protecting critical infrastructure within theirborders.

 “For the states, [the executive order] isimportant because they have limited resources to be able to deal with thecybersecurity challenge,” said Takai, who previously served as chiefinformation officer of California and Michigan. “As much as the federalgovernment can promote information sharing that the states can take advantageof, my belief is that it will be a benefit to them.”

MarkReardon, Georgia’s chief information security officer, credited the executiveorder with improving the quality of threat information that DHS is sharing withstates and the private sector. “I see them working to improve that processevery day,” he said.

Still,Reardon is concerned that private sector interests be protected as theexecutive order gets underway and if Congress takes up legislation requiring orincentivizing companies to share information. “The public sector needs tounderstand that the private sector is in business, and sharing information canimpact their business in a bad way,” he said. “We need to understand that andput safeguards up so that the people sharing that kind of information with usare protected from fallout.”

As a first step, Reardon said Georgia has begunsharing information about particular threats with companies but is doing socarefully, with an eye toward not burning any bridges. “We don’t expectanything in return except an occasional thank you and feedback about what I cando to improve what I’m giving them,” he said.