Even in the face of the growing prevalence of cybersecurity breaches in state governments and reports that say local government officials count security as their top IT concern, state cybersecurity officials are unaware of the basic outlines of their states’ defensive plans, according to a new survey.
Conducted by the Governing Institute and sponsored by AT&T and the National Cyber Security Alliance (NCSA), the survey, “What Legislators Need to Know About Cybersecurity,” found that 80 percent of elected and appointed officials and their staff do not know if their state has an emergency response plan in the event of a cybersecurity attack.
Respondents to the national survey included state elected and appointed officials as well as legislative staff members. The survey focused on officials’ priorities and knowledge related to cybersecurity. Even though most respondents did not know if their state has a plan to respond to a cyberattack, the majority said they feared one.
According to the survey, two-thirds of respondents rated their state’s current level of cyber risk as “moderate to high.” The same number said “It’s a matter of when, not if, the state will be attacked.”
Respondents identified the top three sources of cyberthreats as criminal organizations outside the United States, political “hacktivists” and domestic criminal groups.
“The purpose of the survey was to examine current baseline cybersecurity knowledge of state elected and appointed officials in order to identify educational needs regarding this topic,” Todd Sander, vice president of research at the Governing Institute, said in a statement. “We found that, although legislators know the risks are high, many are not as involved as they could be and significant cybersecurity gaps remain.”
The survey reveals there is a clear disconnect between officials’ concerns about cyberattacks and their involvement in the issue. Indeed, even though 83 percent of respondents consider cybersecurity a priority, “legislators are not as immersed in state cybersecurity efforts as they could and would like to be,” according to the Governing Institute.
In fact, of the state legislators surveyed, only 18 percent are on a committee that makes decisions on cybersecurity issues.
Along with a lack of involvement and awareness among state officials, states’ cybersecurity plans are weakened by factors including “a lack of state funding, qualified personnel, and legislators’ own knowledge about cybersecurity,” the institute reports.
Close to half of respondents (43 percent) said their state has insufficient funding for cybersecurity, and the same percentage said, “There is a general lack of understanding about cybersecurity risks and incidents in their state.” What’s more, 50 percent of those surveyed think their state needs more cybersecurity workers
“More highly engaged state legislative involvement in cybersecurity is critical,” Michael Kaiser, executive director of NCSA, said in a statement. “It’s clear from the study that state legislators want and need a more substantive education in core cybersecurity topics that impact state networks as well as citizens.”
There are some bright spots in the survey, though: 87 percent of respondents want to increase their cybersecurity knowledge. According to the institute, lawmakers are particularly interested in learning the top cybersecurity threats facing state government, how to best protect state networks, the main causes of data breaches and how to respond to them, and how to best protect mobile devices.