Cyberattack: Not If, But When

“It’s not a matter of if a [cybersecurity] breach will happen, but when,” said Brenda Decker, Nebraska’s chief information officer. The inevitability of a cybersecurity breach—affecting either a private or public institution—was a common sentiment expressed throughout CSG’s Cybersecurity and Privacy Policy Academy, held May 6-8 in St. Louis. 

There was consensus, from private sector representatives like MasterCard, Walmart, Edison Electric Institute and Facebook to state chief information officers and federal officials, that both the frequency of cybersecurity threats and their level of sophistication have increased and will continue to increase. State leaders need to know what they are facing.

Doug Robinson, executive director of the National Association of State Chief Information Officers, presented information from a 2014 Deloitte-NASCIO survey that asked state information chiefs about the major barriers their states face when addressing cybersecurity.

“Increasing sophistication of threats is number one,” said Robinson, “followed closely by lack of adequate funding.” 

The survey found that 78.9 percent of state chief information officers thought that the increasing sophistication of threats was a major barrier to preserving state cybersecurity, followed by lack of adequate funding (65.4 percent), inadequate availability of security professionals (61.5 percent) and emerging technologies (61.5 percent).

Cheri Caddy, director for cybersecurity policy outreach and integration for the White House National Security Council, offered some insights to policy academy attendees from the federal perspective. 

“As President Obama noted recently, it is one of the great paradoxes of our Information Age that the very technologies that empower us to do great good can also be used by adversaries to inflict great harm,” she said.

Caddy agreed that increasingly sophisticated threats are a concern at both the state and federal level.

“Unfortunately, the cyberthreat is growing broader, more sophisticated and more dangerous,” she said.

Caddy said cybersecurity threats call for a new level of collaboration—across all levels of government and across agencies. 

“In the face of this growing threat, we are challenged by a mission that requires a uniquely diverse level of coordination among functions—including technology, law enforcement, defense and intelligence, homeland security, and even first responders—and among all types and sizes of organizations,” said Caddy. 

“The key to meeting the cybersecurity challenge will continue to be maturing coordination among these stakeholders, including sharing cyberthreat information and defining roles and responsibilities for cyber incident response.”

NASCIO’s Cybersecurity Call to Action: Key Questions for State Leaders

  • Does your state government support a “culture of information security” with a governance structure of state leadership and all key stakeholders?

  • Has your state implemented an enterprise cybersecurity framework that includes policies, control objectives, practices, standards and compliance? Is the National Institute of Standards and Technology Cybersecurity Framework a foundation?

  • Has your state invested in information technologies that provide continuous vulnerability management and protect against critical cyberthreats on an ongoing basis?

  • Are security metrics available in your state that accurately measure and report intrusion attempts, penetrations, vulnerabilities and security breaches?

  • Have state employees and contractors been trained for their roles and responsibilities in protecting the state’s cyber assets?