The virtual enemy
It could have come straight from the pages of a movie script: A man in Riverside, Calif., purchases a password that gives him access to the city’s criminal justice system, compromising the release of prisoners. Fortunately, the cyber terrorist was caught and convicted, thanks to a collaboration between local, state and federal agencies. But according to the results of two surveys released in January, that type of governmental partnership is rare. Many believe the U.S. Department of Homeland Security (DHS) is failing to assist state and local governments in fighting cyberterrorism.
The surveys, sent to state and local chief information officers (CIOs), revealed a disconnect between DHS and state and local governments as well as insufficient funding for cyber-security preparedness across all sectors. Both called the Strategic Cybersecurity Survey, they were conducted in tandem by the Lexington, Ky.-based National Association of State Chief Information Officers (NASCIO) and the Metropolitan Information Exchange (MIX). NASCIO represents CIOs and managers from all states and six U.S. territories, and MIX’s members include city and county CIOs from communities with more than 100,000 residents.
The MIX survey concluded that “there is a huge opportunity to improve collaborative cybersecurity efforts among local, state and federal government,” says Janette Pell, CIO for San Luis Obispo County, Calif., and the immediate past president of MIX, under whose leadership the survey was conducted.
The NASCIO survey outlined five strategic and 18 lesser recommendations on ways to improve cybersecurity and relations between state and local CIOs and DHS. Those included calling for a closer working relationship as opposed to the current detached approach; adoption of a cybersecurity component to the department’s annual State Homeland Security Assessment and Strategy Process (SHSAS); promotion of existing programs and development of best practices for risk assessments; continuity of operations planning, training, exercises and contracting alliances; and a localized effort to train a new IT work force.
“There should be a sense of urgency [from DHS] on some of the issues identified in this report,” said NASCIO’s executive director Doug Robinson in a January statement.
Out of the loop
Created in 2002 to improve national security, DHS is responsible for protecting U.S. cyberspace through training, oversight of state and local cyber strategies, and developing emergency recovery plans to address a cyber attack. To accomplish those goals, the department developed several initiatives to share information, encouraged state and local governments to establish IT security programs, and provided $8.6 billion in grants primarily through the Urban Areas Security Initiative (UASI).
While it appears that DHS is providing the necessary resources, the surveys revealed a lack of basic marketing and communication programs. The surveys found that more than half of state officials and 85 percent of local officials have never asked for cybersecurity assistance from DHS, and generally were unfamiliar with many of the department’s top initiatives, including the Interim National Infrastructure Protection Plan (NIPP) — the base plan for protecting the nation’s federal, state and local cyber infrastructure by identifying and prioritizing assets and assessing vulnerabilities.
States are generally more familiar with the department’s U.S. Computer Emergency Readiness Team (US-CERT) and the Multi-State Information Sharing and Analysis Center (MS-ISAC). US-CERT works with federal agencies, industry, the research community, state and local governments and others to release cybersecurity information to the public, while MS-ISAC is a mechanism for sharing important security intelligence and information between the states. However, both surveys indicated an increasing sense of isolation among local CIOs, who overwhelmingly reported they did not use the initiatives because they either had not heard of them or believed them to be duplicative and ineffective.
“Information from DHS is not well distributed to the local level,” says Steve Reneker, CIO for Riverside, Calif. “Local government is independently working on the issues to protect citizens and share information with other jurisdictions, and little is being done at the state and federal levels to bring dollars and technology down to those who need it most.”
For local governments, protecting networks and computer systems is costly and time-consuming. In addition to expanding firewalls and intrusion detection, IT departments are busy installing anti-malware software to protect against pervasive worms and viruses as well as automatic patches for desktops and servers. Those measures are further supported by regular system audits and log checks.
Local governments are protecting the information entrusted to them but admittedly would like some help from the federal government. “The MIX survey results highlighted the fact that local government tends to fend for themselves but would benefit from the opportunity to work more closely with DHS,” Pell says. “I don’t believe we are purposefully left out of discussions. It’s just that local government is that much further away than state government, and there are a lot more agencies to coordinate with. The feds just may not know where to begin.”
Reneker believes that the federal government assumes the information it communicates to states on cyberterrorism issues is passed down to local governments. “The federal government only formally meets with states,” Reneker says. “I think they feel the states are connected with local city and county governments, but most don’t have a process to share technical information about homeland security issues.”
Show me the money
Unfortunately, communication is not the only area that troubles state and local governments. According to the surveys, respondents listed a lack of funding as “one of the biggest obstacles towards achieving security in cyberspace.”
DHS says that, to date, approximately $8.6 billion in grant funding has been provided to states and territories to enhance first-responder capabilities; however, it is unclear if any of that money was earmarked for cybersecurity. Even murkier is the apparent discrepancy between Congress and President Bush’s claims of priority for cybersecurity and the relatively low levels of funding it receives. For instance in 2005, Congress appropriated $870 million to DHS’ Information Analysis and Infrastructure Protection Directorate — responsible for cybersecurity and critical infrastructure protection — but less than 10 percent, $73.3 million, actually was used for cybersecurity.
Often the funds are sent to law enforcement agencies for first-responder items, not to CIOs needing to upgrade cybersecurity measures. “Public safety will tell you that the monies have gone to training and emergency equipment and not to cyberterrorism,” Reneker says. But according to one survey respondent, “local governments are the first responders [to cybersecurity breaches]” and believes DHS is “too distant from the reality of the environment” to recognize it.
To make matters worse, the federal government recently tightened regulations on which cities can apply for UASI grants. In January 2006, DHS announced that $765 million in direct funding would be provided to “high threat urban areas” for fiscal year 2006. It identified 35 areas encompassing 95 cities with populations of 100,000 or more so that funds would go to the areas with the “greatest need” or “highest risk,” eliminating smaller communities’ access to UASI funds.
“The larger city focus is on ports and the need for special technology for that complicated issue,” Reneker says. “Others need video surveillance and more advanced technology to read license plates, capture facial recognition, drivers license/passport validation, and track and identify terrorists. Clearly the priority is on large population centers and ports, so there is not enough money to even adequately protect [the IT systems in] our local governments.”
That is a significant problem because an increasing portion of local governments’ IT budgets is spent on anti-virus software, firewalls, anti-spam filters, pop-up blockers, intrusion detection and demilitarized zones to secure local area networks, and additional staff to handle issues. “More time and resources now are budgeted annually, and the amount is increasing yearly,” Pell says. “If issues are not handled quickly and effectively, down time can result in productivity loss, revenue collection impacts and impacts on public safety access to information.”
Left with little federal funding, local CIOs rely on taxpayer dollars to support initiatives, and they grapple with a growing cynicism about DHS’ effectiveness. In open-ended questions, one survey respondent said that he “does not believe that the DHS’ role ever will extend to local government other than through making funds available,” while another says he “is not clear on the DHS’ effectiveness in any role” and “has not seen much benefit from them except when it comes to funding boots and suits.”
While states also struggle with shortfalls, it appears the previously identified disconnect between states and DHS is a big factor in their funding issues. According to the NASCIO survey, “Several [state CIOs] mentioned that they had sought funding and some have received it via the state homeland security grants. None indicated receiving a direct grant-in-aid from DHS.”
A step in the right direction
Shortly after Michael Chertoff’s confirmation as Secretary of DHS in February 2005, he announced a plan to “conduct a systematic evaluation of the department’s operations, policies and structures” to maximize its ability to improve national security. That provides a chance to further refine and reinvigorate activity at the state and local levels, according to a statement from Denise Moore, Kansas’ CIO and leader of NASCIO’s Information Security Committee.
Shortly after the release of the sister surveys in early January, the minority staff of the U.S. House Committee on Homeland Security submitted a report to DHS with recommendations based on findings of both the NASCIO and MIX surveys. “I hope that their research will serve as a model and provide a foundation for continued efforts to advance the cause of national cybersecurity preparedness across all of the critical infrastructure sectors,” said Rep. Bennie Thompson, D-Miss., the ranking member of the House Committee on Homeland Security, in a statement following the surveys’ release.
The committee report encourages DHS to find ways to better assist state and local governments in cybersecurity and deems the current relationship between state and local information officers and the federal government as “not acceptable.” It recommends that the agency provide state and local officials better access to its most important cyber documents, offer them high-quality training and assign state and local cyberspace security a high priority in its budget.
While the absence of a disastrous cyber attack may make it difficult to generate support for cybersecurity, the House Committee on Homeland Security report seems to indicate otherwise. Pell says “the fact that the committee was interested in our thoughts was a move in the right direction.”
Another positive step was taken in mid-February when DHS announced the completion of Cyber Storm, the first full-scale, government-led, cybersecurity exercise to examine response, coordination and recovery mechanisms to a simulated cyber attack within federal, state and local governments. A total of 115 public, private and international agencies, organizations and companies were involved in the exercise.
The week-long event tested how DHS would respond to devastating Internet-based attacks from anti-globalization activists, underground hackers and bloggers. Simulated attacks included hackers shutting down electricity in 10 states; online banking and retail sales vital system failures; infected discs mistakenly distributed by software companies; and bloggers releasing misinformation campaigns to undermine public confidence.
Participants used only isolated computers in the basement offices of the Secret Service headquarters in Washington. A full report on the results is expected by this summer.
“Cybersecurity is critical to protecting our nation’s infrastructure because information systems connect so many aspects of our economy and society,” says George Foresman, DHS under secretary for preparedness, in a statement following the exercise. “Preparedness against a cyber attack requires partnership and coordination between all levels of government and the private sector.”
Partnership is the key
The NASCIO survey notes that information infrastructure is under attack all the time. As the fight against cyberterrorism continues, it is clear from the surveys that a few key improvements by DHS — the first being a closer working relationship with state and local governments — could yield long-term benefits not only for state and local sectors, but for the larger national effort.
Lori Burkhammer is a freelance writer based in Washington.