"State of the States on Cybersecurity - Francesca Spidalieri, Pell Center"

November 2015
STATE OF THE STATES ON CYBERSECURITY
CALIFORNIA | MARYLAND | MICHIGAN | NEW JERSEY | NEW YORK | TEXAS | VIRGINIA | WASHINGTON
Francesca Spidalieri, Senior Fellow
© 2015
About the Author
Francesca Spidalieri is the Senior Fellow for Cyber Leadership at the Pell Center for International Relations
and Public Policy at Salve Regina University, where she leads the Cyber Leadership Research Project and
the Rhode Island Corporate Cybersecurity Initiative (RICCI). Francesca has been appointed by Governor
Gina Raimondo to the Rhode Island Cybersecurity Commission, and also serves as subject-matter expert
for the Potomac Institute for Policy Studies’ Cyber Readiness Index Project, the Center for Internet Security’s
Roles & Controls Panel, and the Ponemon Institute. Her academic research and publications have focused on
cyber-strategic leadership, cyber risk management, cyber education and awareness, cybersecurity workforce
development, and the professionalization of the cybersecurity industry. She regularly speaks at cyber-
related events nationwide and lectures on cybersecurity issues at Salve Regina University and other local
organizations.
She holds a B.A. in Political Science and International Relations from the University of Milan, Italy; an M.A.
in International Affairs and Security Studies from the Fletcher School at Tufts University; and has completed
additional coursework in cybersecurity at the U.S. Naval War College’s Center for Cyber Conflict Studies.
The author would like to thank Melissa E. Hathaway for her insights, encouragement, and collaboration, which
were essential in creating this study. Special gratitude is also owed to Gabrielle Lefrancois and Myca San
Miguel for providing background research and graphic support.
Pell Center for International Relations & Public Policy
STATE OF THE STATES ON
CYBERSECURITY
Francesca Spidalieri
Information communication technologies (ICTs), and the Internet in particular, have become critical to
economic growth and social development in the 21st century. Over the last 40 years—and especially in the
last 15—governments and businesses have embraced the Internet and ICTs for several reasons, including:
generating income and employment; increasing productivity and efficiency; improving information-sharing;
fostering e-learning; enhancing workforce skills; driving innovation; and facilitating government activities.[1]
Many essential services, from the delivery of electronic payments to next-generation power grids to air traffic
control systems, have become digitized and reliant on ICTs. With that trajectory, there can be little doubt that
government and business reliance on the Internet will continue to increase in the years ahead. The Internet’s
ability to deliver positive economic growth and social progress, however, can only be sustained if its core
infrastructure is accessible, available, affordable, secure, interoperable, resilient, and stable.[2]
As a result of our increased dependence on the Internet and ICTs, cybersecurity has emerged as one of the
most critical issues facing governments, businesses, and individuals in the 21st century. But our reliance on
this complex infrastructure has come with a price: by embracing the Internet so widely, we have exposed
ourselves to a range of nefarious cyber activities by a spectrum of hackers, criminals, and terrorists from state
and non-state actors. Governments and businesses alike have been victims of cyber thefts, cyber crime, and
cyber disruption (e.g. denial-of-service attacks). Despite recent heightened attention and increased levels of
security investments in cybersecurity, the number of cyber incidents, their associated costs, and their impact
on people’s lives continue to rise. As computing and communications technologies become more entrenched
in the global economy and as we enter the era of the “Internet of Everything” (IoE), incentives to compromise
the security of these systems will rise as well.
Against this background, it is critical to understand that the individual states of the United States, like national
governments, have a responsibility to secure their critical infrastructure—including electric power grids,
air traffic control systems, financial systems, and communication networks—as well as the data that has
been entrusted to them by their citizens. At a minimum, states must ensure that their citizens can rely on
safe and secure Internet connectivity. Indeed, much can be done at the state level to: reduce exposure to
cyber risks; promote best practice security solutions to ensure the confidentiality, integrity, and availability of
information assets; increase resilience; develop business continuity plans in the event of a cyber incident;
and build a culture of security. The predominant method to combat cyber risks today is to pursue the latest
security products, tools, and technology plans. While technology is a key component in this effort, it alone is
insufficient—there must be an increased focus on educating and training users as well.[3] No matter how good
any particular technology or plan may be, its efficacy is limited if it is not adopted and implemented effectively
by management teams and used correctly by employees who follow well-defined processes and act in a
concerted way.

[1] Melissa Hathaway, “Change the Conversation, Change the Venue and Change Our Future,” CIGI Governing the Internet: Chaos, Control or Consensus, May 13, 2013, https://www.cigionline.org/publications/2013/5/change-conversation-change-venue-and-change-our-future.
[2] Melissa Hathaway, “Connected Choices: How the Internet Is Challenging Sovereign Decisions,” American Foreign Policy Interests 36, no. 5 (November 2014): 301.
[3] Francesca Spidalieri and Sean Kern, “Professionalizing Cybersecurity: A Path to Universal Standards and Status,” Pell Center, August 2014, http://pellcenter.org/wp-content/uploads/2014/07/Professionalization-of-Cybersecurity-7-28-14.pdf.
To this end, states should work on building partnerships with the larger security community—including federal,
state, and local stakeholders—to coordinate security efforts and equip state employees with the education
and training necessary to understand their specific roles and responsibilities in protecting citizens information
and maintaining the highest ethical standards.
Media headlines in recent years have shown a spike in high-impact cyber incidents in U.S. states—which
have attracted broad public and legislative attention—and as a result, governors in affected states have
had to respond quickly to restore public trust.[4] Others have taken note and started to focus on improving
their state’s cybersecurity posture, finding creative ways to turn cybersecurity challenges into business
opportunities, and attracting the right talent to their states. In 2011, for example, Michigan Governor Rick
Snyder launched the Michigan Cyber Initiative, a blueprint for protecting Michigan’s cybersecurity ecosystem
and making his state a top location for the cybersecurity industry. The same year, former Maryland Governor
Martin O’Malley approved the establishment of the Maryland Commission on Cybersecurity Innovation and
Excellence and charged it with developing comprehensive, coordinated, and rapid response strategies to
help protect the state from cyber incidents and to promote cyber innovation and job creation. Since then,
six other states—California, Idaho, North Dakota, Rhode Island, Virginia, and Texas—have followed suit
and established state-specific cybersecurity commissions, councils, or task forces assigned with assessing
cybersecurity infrastructure and activities within the state, recommending ways to enhance the resiliency
of government operations, and promoting the growth of their cybersecurity industry and workforce.[5] These
initiatives from Governors and states reflect the priority and urgency with which coordination, strategy, and
preparation must be implemented.
This report provides a general overview of the current level of “cyber readiness” across different states in
the United States and explores some of the effective mechanisms and activities at the state-level to protect
infrastructure, information, and operations in both the public and private sectors, and to promote cybersecurity
workforce development and business opportunities.
The assessment is based on a modified version of the Cyber Readiness Index 1.0 (CRI), a comprehensive,
comparative, experience-based methodology created to evaluate a country’s maturity and commitment to
cybersecurity.[6] Countries around the world can use this methodology to clarify responsibility for assuring
the availability, integrity, resilience, and defense of their core cyber infrastructure and its increasing
connectedness. States around the U.S. can adopt many of the same cybersecurity measures and activities
detailed in the CRI to prepare and defend from malicious cyber activities and secure their own cyber
infrastructure. The states selected for this analysis have been chosen based on their recognition of the
importance of cybersecurity, chiefly by prioritizing their state’s security and development strategy and through
their commitment to increasing their resilience to cyber threats. Although insufficient funding, lack of senior
level engagement, increasingly sophisticated threats, and shortage of skilled talent continue to plague efforts
across the United States, there are some great examples of states that have devised innovative ways to raise
awareness and implement creative solutions to protect state governments and their constituencies. While this
list is by no means complete, it intends to highlight leading best practices and efforts at the state level to adopt
comprehensive cybersecurity policies and strategies, increase funding and education, and develop programs
to attract and retain qualified talent. As more states come to recognize the importance of cybersecurity and
take a proactive approach to cyber defense, awareness, education, and workforce development, updates
to this report will monitor, track, and evaluate those developments. It is also our hope that this work catalyzes
additional research and efforts into the development of effective mechanisms and innovative solutions
for states to protect their cyber assets, improve cyber resilience, and promote cyber industry growth and
workforce development.

[4] Deloitte-NASCIO, “2014 Deloitte-NASCIO Cybersecurity Study: State Governments at Risk: Time to Move Forward,” Deloitte Developmental LLC, October 2014, http://www.nascio.org/publications/documents/Deloitte-NASCIOCybersecurityStudy_2014.pdf.
[5] Office of the Rhode Island Governor, “Raimondo to Promote Cybersecurity Planning, Growth,” Press Releases, May 7, 2015, http://www.ri.gov/press/view/24764.
[6] Melissa Hathaway, “Cyber Readiness Index 1.0,” Belfer Center for Science and International Affairs, Harvard Kennedy School, November 2013, http://belfercenter.ksg.harvard.edu/files/cyber-readiness-index-1point0.pdf.
Background
National and state governments alike are praising the Internet as a catalyst of economic growth and
development, and championing the benefits of fast, reliable, and affordable communications in terms of GDP
growth, job creation, access to information, and ability to innovate. Few of them, however, are considering
the exposure and costs of less resilient critical services, disruption of service(s), e-crime, identity theft,
intellectual property theft, fraud, and other malicious cyber activities in terms of economic loss and threat to
people’s safety and well-being.[7] As Melissa Hathaway, former cyber advisor in both the Bush and Obama
Administrations, stated:

    Leaders must recognize that increased Internet connectivity can lead to economic growth,
    but only if that Internet connection and the devices connected to it are safe and secure. If
    countries, and states alike, do not invest equally in the security of the Internet—and the ICT
    infrastructure that underpins it—the promise of economic growth will be transformed into a tax
    on growth.[8]
In recent years, U.S. states have faced a growing number of evolving and sophisticated cyber threats, from
data breaches to tax fraud to political hacktivism. As the 2014 Deloitte-NASCIO Cybersecurity Study reports,
states have been victims of a number of high-profile attacks that “have resulted in the loss of Personally
Identifiable Information (PII) of millions of citizens, including Social Security Numbers, payment card records,
dates of birth, driver’s license numbers, and tax data.”[9] In addition to serving as a repository of such sensitive
data about their citizens, states are also increasingly utilizing the Internet to deliver important services,
to maintain critical infrastructure such as public utilities, to share information across states and federal
networks, and to ensure first responders receive the data they need in crisis situations. Unfortunately, states’
increased reliance on this complex infrastructure has also opened the door to a wide range of nefarious cyber
activities, from cyber crimes, to cyber espionage, to data breaches, to other types of cyber incidents, targeting
governments’ IT facilities, networks, and systems. Moreover, although 90 percent of critical infrastructure
is privately owned, state governments—under whose jurisdiction the critical infrastructure is located—are
increasingly responsible for coordinating security efforts to prevent, protect, mitigate, and respond to cyber
incidents, as well as fostering collaboration between the public and private sectors to minimize cyber risks.
As affirmed in the Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience, such
activities should be a shared responsibility between all levels of governments and the operators of critical
infrastructure.[10]
While some progress has been made to increase states’ cybersecurity preparedness and resilience, there is
still much more work to be done to increase the maturity, readiness, and risk awareness of state governments
and their agencies. The 2013 Nationwide Cyber Security Review—a joint effort between the U.S. Department
of Homeland Security (DHS), the Multi-State Information Sharing and Analysis Center (MS-ISAC), the
National Association of State Chief Information Officers (NASCIO), and the National Association of Counties
(NACo)—found that “states’ progress in cybersecurity preparedness has not kept up with advances in cyber
threats” and that there was “little progress in the overall maturity of security programs in place across state,
local, tribal and territorial (SLTT) governments to defend against the attacks.”[11]

[7] Melissa Hathaway et al., “Cyber Readiness Index 2.0 – A Plan for Cyber Readiness: A Baseline and an Index,” Potomac Institute for Policy Studies, (forthcoming).
[8] Author’s interview with Melissa Hathaway, President of the Hathaway Global Strategies LLC and Senior Advisor at the Harvard Kennedy School’s Belfer Center for Science and International Affairs, June 2, 2015.
[9] Deloitte-NASCIO, “2014 Deloitte-NASCIO Cybersecurity Study.”
[10] White House, “Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience,” February 12, 2013, https://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.
[11] U.S. Department of Homeland Security and Center for Internet Security, “2013 Nationwide Cyber Security Review: Summary Report,” March 2014.