Information Security News mailing list archives

States need cybersecurity focus


From: InfoSec News <isn () c4i org>
Date: Tue, 25 Mar 2003 02:27:14 -0600 (CST)

http://www.fcw.com/geb/articles/2003/0324/web-secure-03-24-03.asp

By Dibya Sarkar 
March 24, 2003

A new Zeichner Risk Analytics LLC study found 36 state governments
have failed to prepare, adopt and implement acceptable cybersecurity
policies, which could have damaging consequences to citizen services,
communication systems and critical utilities if the nation were to
undergo cyberattacks.

But while state governments and organizations such as the National
Association of Chief Information Officers and National Governors
Association are aware of the problem and discussing the issue, several
cybersecurity experts said what's needed is deployment.

"I think what's important is that states take action," said Richard
Pethia, director of the CERT Coordination Center at Carnegie Mellon
University. He said there are plenty of good resources and work on the
issue, but what's missing is a "commitment to action."

That's important in light of the increasing threat, he said. CERT says
more than 82,000 incidents were reported in 2002, about four times
more than in 2000. Nearly 5,000 vulnerabilities were reported last
year, up from 1,090 reported in 2000. "There's no end in sight to that
trend," said Pethia, adding that denial-of-service attacks occur every
day.

John Burke Jr., a Washington, D.C., attorney who serves as general
counsel to BITS -- the technology arm of the Financial Services
Roundtable, made up of the top chief executive officers of the largest
banking institutions -- said if financial systems are compromised "and
they don't get back online very quickly, we have a serious, serious
problem. It would seriously shake public confidence."

Lee Zeichner, president of the consulting company that conducted the
study released today, said states are generally behind the federal
government and the private industry in securing their systems.

"What's missing here is leadership, focus and consistency across the
states," he said, noting that governors must take the lead.

Following a yearlong review, the study found that only 14 states and
the District of Columbia are in full compliance with the
Gramm-Leach-Bliley Act of 1999, which requires federal agencies and
states to prepare cybersecurity guidance for financial institutions.  
Fourteen other states have pending legislation and/or regulations for
compliance, while 22 states have little or no cybersecurity activity.

Reasons, Zeichner said, for noncompliance include confusing privacy
with security guidelines, lack of funds and shifting priorities due to
the Sept. 11, 2001, terrorist attacks.

John McCarthy, executive director of the Critical Infrastructure
Protection Project at George Mason University, said states are dealing
with competing priorities, such as a greater focus on providing first
responders with greater information and tools. But as police and fire
departments become more dependent on technology, there needs to be an
equally greater emphasis on protecting systems and databases, which
are easily corruptible.

The study recommended that:

* States adopt the National Association of Insurance Commissioners'
  nationwide proposal, which provides an approach similar to that of
  states in compliance with the Gramm-Leach-Bliley Act.

* States create a single, nationwide process for developing
  cybersecurity laws and policies.

* A single public-private "focal point is badly needed" to coordinate
  strategy.

The report said the recommendations "do not require extensive funding,
retooling of state procedures or other drastic action."
 


