Cyber security and the states

October is cyber security awareness month. But for those who face the multitude of threats posed by cyber criminals and hackers, cyber security is hardly a one-month-a-year issue. Deloitte’s JR Reagan and Lt. Gen. Harry Raduege talk with CivSource about how states are addressing this growing area of concern.

From our nation’s electricity grid, and telecommunications network, to our personal bank accounts and everyday e-mail, the Internet pervades our lives. And in as many ways as we use the Web, there are ways to exploit that contact. But over the last six years, there has been a growing, more concerted effort by state and federal government officials to draw awareness and educate the public on threats looming in cyberspace, say Deloitte’s JR Reagan and Lt. General D. Harry Raduege, who spoke to CivSource last week in an interview.

“Prior to 2003 there wasn’t a pointed focus for governments to rally around the issue of cyber security,” Mr. Reagan, Principle at Deloitte Consulting, said. Having this awareness is “a way to reset, and renew, and look at what we’re doing in this space every year.” And according to Lt. Gen. Raduege, who chairs the Deloitte Center for Cyber Innovation, there’s a lot to rally around.

“Cyber is transforming the world – in the ways we live, work and prosper – from Wall Street to Main Street,” Lt. Gen. Raduege said. Threats such as cyber espionage, identity theft, denial of service (DoS) attacks, data theft and regular home computer users have suffered attacks ranging from simple pranks, to acts of extortion, to coordinated acts of cyber war, he said. “There are lots of threats in cyberspace.”

Unfortunately, most state and local governments are more vulnerable to cyber threats than federal or private sector organizations, Lt. Gen. Raduege and Mr. Reagan say. State and local governments wrestle with three primary issues, which make them more susceptible to attacks, says Mr. Reagan: Data, infrastructure, and identification management.

“State and local governments are a treasure-trove of data, but they also have the weakest infrastructure,” Reagan said. “And ID management underpins everything.” ID management is particularly troublesome because knowing who is doing what on the network is vital for everything a state and local government or university does, from public heath to motor vehicle departments. “Online services make it easier to register a car, but you also have to protect IDs and the personal information that comes with ID validation,” Lt. Gen. Raduege agreed.

And to make matters worse, Lt. Gen. Raduege continued, state and local governments suffer from a complete lack of resources to combat cyber threats. “States are facing such extraordinary problems with resources and trying to put money on the most pressing issues,” he said. “There’s quite a broad range of threats – trying to place limited resources, in terms of people, time and money, is a real challenge.”

“Quite a few states are taking measured responses,” Mr. Reagan commented, “There have been ‘good’ or ‘best in class’ approaches” but most public organizations at the state level treat cyber security as “more of an afterthought – it’s not treated with the same criticality as data in the financial sector, for instance.”

Still, as the sixth annual National Cybersecurity Awareness Month gets underway, Mr. Reagan and Lt. Gen. Raduege point out that states are making progress and learning to manage the risks presented by cyber crime. Through the National Association of State Chief Information Officers (NASCIO), states are collaborating and sharing best practices, discussing where priorities need to be.

A number of states have organized cyber conferences and work with NASCIO, Mr. Reagan pointed out, sharing information among each other and learning about security best practices from different industries, like health care or finance.

One such example of cross-industry comparison involves the American Public Human Services Association, or APHSA, according to Gen. Raduege, who spoke to them earlier this year on the subject. “Health services is such a broad category, but as we move toward digital ID and digital health records, they become a very target rich environment for cyber criminals and ID theft – and [health IT security] is probably one of the top issues for the states.”

At the end of the day, though, trying to minimize the damage done by cyber criminals through awareness, and prioritization is an essential first step.

“Risk management is a key component,” Lt. Gen. Raduege said. “States almost have to assume there are evil forces that are going to try and gain access or steal information from you. So managing that risk, being able to protect the ‘crown jewels’ of your organization, is essential.”