— Ryan Petersen (@RyanPete) January 29, 2013
— Amy Schurr (@AmySchurr) January 29, 2013
— GOVERNING (@GOVERNING) January 29, 2013
After discussing the dangers of cyberthreats for more than a decade, state CIOs want public officials to back up the rhetoric with sufficient IT security spending.
Speaking at Governing’s “Outlook in the States and Localities” conference in Washington, D.C., a panel of government IT leaders agreed that cyber awareness among users and the general public is imperative, but can only go so far. “The problem is not going away,” said Michigan CIO David Behen. “It’s only going to get worse.”
Behen believes he’s fortunate because Gov. Rick Snyder recognizes the risks to the IT infrastructure. Together with Maryland Gov. Martin O’Malley, Snyder leads the National Governor’s Association Resource Center for State Cybersecurity. “We cannot be successful unless the federal government is working hand in hand with state government,” Behen said, pointing to the need for additional investments in cybersecurity and his state’s goal of building an industry.
Speaking of the woes in Alabama, South Carolina and Utah, panel moderator Cathilea Robinett said more cyberattacks against government will be forthcoming. “It’s not a question of if, but of when,” said Robinett, executive vice president of e-Republic. She hears a common refrain of IT security being underfunded and even cases where audits turn up problems that are not fixed because there’s no budget.
Virginia Deputy Secretary of Technology Aaron Mathes said that his state’s outsourcing arrangement with Northrup Grumman leaves that partner responsible for security. Agencies pay for those services in a chargeback arrangement. As the state incrementally raises prices, leaders can go before the legislature and explain, “This is what we need to do and why.”
Robinett mentioned that perhaps an idea promulgated by former Montana CIO Dick Clark could help ensure that cybersecurity receives adequate investments — purchase cyberinsurance policies for states. By treating IT security like any other risk, such as driver’s insurance, the criteria would be there to encourage policy holders to take preventative measures in exchange for lower premiums.