A 2018 report from the National Association of State Chief Information Officers (NASCIO) found one unidentified state undergoing 300 million attacks a day -- up from 150 million two years before. Cybersecurity and risk management is at the top of CIOs' list of 10 priorities for 2019, according to an annual NASCIO survey.
Rhode Island was making it the biggest priority. In 2017, it became one of only two states with a cabinet-level cybersecurity position. (The other is Idaho, according to Meredith Ward, NASCIO's director of policy and research.)
But this pioneering approach wasn’t long-lived in Rhode Island.
Last month, the position was removed from the state’s 2020 budget. High-level officials in the state, including its CIO, are confident that cybersecurity will continue to be a priority, but others worry it will receive less attention.
“Cabinet-level positions reflect priorities,” says John Marion, executive director of Common Cause Rhode Island, which is focused on election security. “Eliminating this independent office has lowered the priority of cybersecurity in Rhode Island state government.”
But Rhode Island’s CIO, Bijay Kumar, says “security is not about one person but the cultural awareness in the organization and having a strong team,” which includes his department, the state police cybercrime operations, the state’s National Guard and the Rhode Island Emergency Management Agency.
During the two-year tenure of Mike Steinmetz, a retired U.S. Navy captain with cybersecurity experience from the defense department, the National Security Agency and private-sector firms, he collaborated with the state’s central IT organization to improve training programs for employees, conduct a risk assessment of the executive branch, implement the state’s first election security initiatives, and complete a 40-page cybersecurity strategy. He departed to work in venture capital in June.
With the loss of Steinmetz, and his position, Rhode Island rejoins the vast majority of states in which the highest-level IT security person reports to the chief information officer -- not the governor.
Should more states consider elevating cybersecurity to a higher position? Would greater attention to cybersecurity come with more prominent placement of cybersecurity experts in government?
“Certainly, the more authoritative the title, the more that will actually get done and the more visibility that will come to the cyber risks,” says Reg Harnish, executive vice president of the Center for Internet Security, which provides cybersecurity expertise to state, local, tribal and territorial governments. “A cabinet with a chief security officer will be more educated about cybersecurity than one without. That’s just logic.”
Both funding and finding cybersecurity experts have been an ongoing challenge.
Between 2016 and 2018, only four states added cybersecurity staff, according to a NASCIO report. Of the CISOs surveyed, 61 percent cited a “competency gap” in their staffs -- up from 56 percent when the question was asked in 2016. The average tenure for both a CIO and a CISO is about 30 months, says Ward.
In each of the biannual cybersecurity reports published by NASCIO since 2010, the top concern raised by chief information security officers has been the lack of cybersecurity budget or funding. Nearly half the states lack a specific budgetary line-item dedicated to cybersecurity. According to the study, states spend an average of 1 to 2 percent of their IT budgets on enterprise cybersecurity. In the private sector, firms spend 28 percent of their IT budgets on it.
Competing with education, health care, public safety, transportation and other needs, cybersecurity has a hard time getting an adequate slice of the pie.
“Often, states are forced to decide between building cybersecurity and fixing crumbling schools or highways,” says Harnish.
With a dizzying array of actions that could and should be taken, states face a quandary of where to spend the limited dollars that help governments wage the fight against cyberattacks. The key, says Harnish, is finding the intersection between what states are required to do, what they should be doing based on assessments of their own situation, and what their capabilities allow them to do.