Thomas Jarrett, CIO of Delaware and president of the National Association of State CIOs, testified to Congress recently that federal homeland security planning woefully ignores the importance of cybersecurity in state and local preparedness. "While chemical, biological, radiological, nuclear, and explosive WMD threats are addressed in detail, the 'cyber' threats to state governments’ critical information assets are not addressed at all," he said in July 19 testimony to the Senate subcommittee on federal financial management, government information and international security. NASCIO is proposing, in language offered to Senate staff, that each state CIO should present a cybersecurity preparedness plan as part of the overall homeland security strategy process. "We feel that closing this cybersecurity planning gap in the near term, and especially before the next round of grantmaking gets underway, is the single most important issue facing our sector today," he said. Here's some more of his statement, which is available as a PDF here.
Protecting critical IT infrastructure does not come cheaply. We estimate that [Delaware] spend[s] $5 million annually, or 15% of my annual budget on security. While we understand the necessity, these are state dollars that could be used for other projects to serve Delaware’s citizens. What does the future hold? Unfortunately I have to state that I believe that threats to cybersecurity will only increase and we will face continual attacks and attempts on multiple fronts. State IT officials must continually adjust how and what gets filtered, blocked or monitored. New threats appear almost daily and they can, in a matter of seconds, render services we’ve all come to depend upon like email and web browsing, completely unusable. In the worst case scenario, without proper protection and due diligence, an attack could potentially cripple or completely shut down an entire state government. In the end, we all must understand that all critical infrastructure is the same by its very nature – critical - whether it is a roadway system or a data network. Infrastructure is all about moving people and information, and a state’s network infrastructure is equally as important as its highways, electric power grid, or mass transit system. ... NASCIO applauds last Wednesday's announcement by Secretary Chertoff that he will create an assistant secretary for cybersecurity within the reorganized department. NASCIO has supported the calls for such a position and has endorsed past legislative efforts seeking to create the position. ... We believe that the creation of a higher-profile position for cybersecurity within DHS is an important symbolic statement to the nation as a whole. Now, we need to begin work in each of the critical sectors, including ours. ... The most disturbing thing that has been discovered by NASCIO’s Information Security Committee is the fact that DHS has not included cybersecurity in the state and local planning and preparedness process. 
In 2003, DHS refined the national program for state-based domestic preparedness (originally developed in 1999) to better meet the realities of the terrorist threat to the United States. ... Each State Administrative Agency (SAA)—the primary point of contact between DHS and state preparedness officials—was provided with a 194-page State Handbook, which provides an overview of the entire strategy and assessment process, which is managed by DHS’s Office for Domestic Preparedness (ODP). A review of the handbook revealed that, while chemical, biological, radiological, nuclear, and explosive (CBRNE) WMD threats are addressed in detail, the “cyber” threats to state governments’ critical information assets are not addressed at all. Thus, the participation of state CIOs in the DHS grant funding process was very uneven, ranging from high levels of involvement to no involvement at all. NASCIO has provided committee staff with language that encourages the Secretary to have Office of Domestic Preparedness (ODP) and NASCIO revise the existing strategy and assessment process to include a cybersecurity preparedness plan from each state CIO. That cybersecurity plan would be submitted to ODP by each state as part of the larger SHSAS process. We feel that closing this cybersecurity planning gap in the near term, and especially before the next round of grantmaking gets underway, is the single most important issue facing our sector today.