What keeps most state Chief Information Officers (CIOs) awake at night? Cybersecurity issues! And with cyberattacks on public- and private-sector computer systems increasing, many state CIOs worry about how to keep their systems and data safe and secure.
Unfortunately, there’s not a one-size-fits-all cybersecurity solution for states. They use different systems, have widely varying budgets to address the threat of cyberattacks, and employ varying numbers of technology employees whose skills for taking on these problems are sometimes limited. That is why the National Conference of State Legislatures (NCSL) is urging the National Institute of Standards and Technology (NIST) not to hamstring states in the institute’s efforts to create guidelines for protecting data and preventing data breaches. NCSL also has expressed concern that NIST’s efforts might result in the states, many of which already face revenues stretched to the limit, being hit with unfunded federal mandates.
NIST recently issued a request for information (RFI) regarding the state of cybersecurity in the U.S. in both the public and private sectors. The information in the responses will be used to formulate recommendations to strengthen cybersecurity. But in its response to the RFI, NCSL urges federal officials to allow states to make their own policies regarding state cybersecurity because of the different challenges each state faces.
One of the major cybersecurity issues that states face, according to the NCSL, is how to keep up with technological advances with limited financial resources. While state budgets include technology funding, most of those funds are already dedicated to current projects and needs. NCSL urges increasing funds from state legislatures to help states address their needs. NCSL also notes that “state-federal and public-private partnerships are also crucial, where outsourcing resources can help support data analytics and information sharing.”
The states have been proactive in their approach to preserving the integrity of their data, according to NCSL. Its RFI response credits state lawmakers for their ongoing efforts to combat identity theft, security breaches, spyware, phishing and computer crime. Cited were the state of Washington’s new comprehensive cybercrimes law, which addresses issues from computer trespassing to electronic data service interference, and a new law enacted this year in Florida that created a computer security incident response team. Georgia has created a committee that is charged with studying the needs, issues and problems related to public-sector security procedures, practices and systems.
NCSL urges federal officials, before recommending implementation of any kind of “blanket” actions, to allow the states to “approach cybersecurity as individualized solutions that address the unique threats of their state.”
Among the specifics regarding the states that NCSL recommends, before any action is taken by Congress and the current administration, are for the federal government to avoid unfunded federal mandates; collaborate with state and local governments to invest in securing state networks; identify and share actionable information based on specific threats to allow an effective state response to known threats; and maintain citizens’ civil liberties and privacy while ensuring the safety and stability of the internet and electronic communications.
As awareness of cybersecurity issues grows in the states, state lawmakers and state technology officials should pay close attention to the responses to the NIST RFI. Recommendations that come out of the responses could have far-reaching effects on state governments.