US gov't cybersecurity efforts lacking, surveys find

26.01.2006
Results of two surveys released Wednesday suggest that more than three years after the U.S. federal government developed a strategy to secure cyberspace, there is still a divide between the U.S. Department of Homeland Security (DHS) and state and local governments in handling cyberthreats.

The National Association of State Chief Information Officers (NASCIO) and the Metropolitan Information Exchange (MIX) today jointly released the results of a survey of state and local government information security officers conducted last August.

The surveys indicate that a lot of work remains to be done to improve training, funding and communication efforts at the federal, state and local levels to secure cyberspace, said U.S. Rep. Bennie G. Thompson (D-Miss.) in a statement.

"The department is falling short in fulfilling its basic obligations to state and local governments," Thompson said. "Despite the many working groups, documented strategies and reports, there remains a disconnect" that has left state and local governments ill-prepared for cyberthreats, he said.

NASCIO is a nonpartisan group that represents state chief information officers and managers from the 50 states. Its survey was based on responses from 27 state chief information security officers (CISO). MIX is an association of county and municipal CIOs. Its results were based on responses from 23 local government IT managers.

The purpose of the survey was not to criticize the DHS but to provide "constructive advice" on how to advance the nation's cybersecurity efforts, said Denise Moore, CIO of the state of Kansas, at a press conference today.

The MIX survey shows that "there is a huge opportunity to improve collaborative cybersecurity efforts among local, state and federal government," said Janette Pell, CIO of California's San Luis Obispo County, in a statement.

Among the major recommendations of the CISOs surveyed was a call for a closer working relationship between the DHS and state and local governments, compared with the more "detached" relationship that currently exists, Moore said.

Also crucial is a cybersecurity assessment component that should be added to the State Homeland Security Assessment and Strategy processes conducted by the DHS, she said. Such an assessment is important to ensure that state and local governments pay adequate attention to securing cyberspace, she said.

Resources such as multistate information sharing and analysis centers and state Infragards also need to be better used to promote DHS programs and to develop and promulgate best practices and tools for cybersecurity, she said.

The DHS' role as a direct provider of alerting services also is duplicative and not very timely or effective, Moore said. While most state and local cybersecurity organizations are reasonably well-equipped to handle automated threats such as worms and viruses, there is a need for more information and specialized analysis for directed attacks and insider threats, she said.

"I wouldn't say the DHS has dropped the ball as much as it has neglected to make this a priority," Moore said.

As a result, the DHS is rarely the go-to agency on cybersecurity issues, said Larry Kettlewell, the Kansas CISO.

"We've had a couple of experiences here in Kansas where, frankly, the federal government wasn't my first go-to" entity, Kettlewell said. "My first go-to was more out in the private sector" because of their greater expertise and experience in dealing with cyberthreats, he said. For instance, the state is trying to prepare for the Nyxem worm that is programmed to overwrite all of the files on computers it infects. "Frankly, I'm not looking at that much information from the federal government" on this topic, he said.

The department's continued failure to name an assistant secretary of cybersecurity, and the delay in finalizing a National Infrastructure Protection Plan are also issues of concern, Thompson said. "It is shameful that the top cyber spot in our nation has remained vacant since October 2004," he said.

The sentiments in today's survey echo those of other industry bodies. For instance, the Cyber Security Industry Alliance, an Arlington, Va.-based consortium of technology companies, in December blasted the federal government for failing to act on recommendations made in 2003 to improve cybersecurity.