State CIOs Ask Governors for Stronger Cybersecurity


As state governors grapple with crushing budget deficits and brace for tough cuts to government services, the coalition representing state CIOs is warning statehouses not to allow cybersecurity to fall by the wayside.

The National Association of State CIOs (NASCIO) has launched a "call to action" to evangelize the importance of rigorous security protections for states' IT systems, timed to coincide with the National Governors Association's winter meeting in Washington, D.C., where state executives will meet with President Obama, members of Congress and administration officials.

Kyle Schafer, NASCIO president and West Virginia CIO, noted that his organization is amplifying its cybersecurity message this year with so many first-time governors taking control.

"With 26 new administrations, it's imperative that new governors and other state policy leaders be aware of the cybersecurity threats that states face on a daily basis," Schafer said in a statement. "This call to action is meant to assist state leaders in understanding the threats and developing appropriate process and policy to mitigate risks."

The group noted that states are increasingly turning to the Internet for delivering services and information about government programs, which results in the creation of large digital repositories of sensitive data about citizens. As a vehicle for providing services, the digital platform is alluring for the efficiencies and cost savings it offers, but NASCIO's message to the governors is that even in a time of austere cost cutting, cybersecurity is one area where investment must not be reduced.

"The digital infrastructure that enables state government to both conduct business and protect federal programs administered by the states is under daily attack," NASCIO said in its warning to governors.

"Due to the breadth and scope of the state role in entitlement services, facilitating travel and commerce, regulatory oversight, licensing and citizen services, states gather, process, store and share extensive amounts of personal information."

The group highlighted the findings of a survey it commissioned consulting firm Deloitte to conduct last year, which found that governments are spending less, on average, than their private-sector counterparts on information security, and identifying the new risks that have emerged as third parties play an increasing role in managing outsourced IT systems.

NASCIO's call to action appealed for broader internal awareness to create "culture of security" within state governments, warning of heightened security risks that emerge from more employees working remotely, breakdowns in compliance and the steady diet of coordinated attacks from organized criminal entities.

But the group also pointed to the opportunity that governments have as they continue the shift away from standalone, "stovepiped" IT models to more streamlined, decentralized distribution just as enterprises are doing as they gravitate to cloud-based computing architectures. "Baking security into that model and fully integrating risk assessment will go a very long way to enhance the cybersecurity posture of most state governments," NASCIO said.

An Appeal to the Private Sector

NASCIO's appeal for stronger security at the state level mirrors the increasing concern among federal policymakers about the mounting threats to both public and private systems.

A handful of lawmakers have already signaled their intent to renew the push for comprehensive cybersecurity legislation that would in all likelihood entail a new compliance framework for commercial providers.

Yesterday, Sen. Chuck Schumer (D-N.Y.) held a press conference in Manhattan where he called on heavily trafficked websites such as Facebook, Twitter and Amazon to move to the more secure HTTPS protocol, according to several reports.

Schumer, speaking at a coffee shop, warned of the increasing threats of identity theft and other security dangers users face when they connect to the Internet through Wi-Fi connections in public settings.

"The number of people who use Wi-Fi to access the Internet in coffee shops, bookstores and beyond is growing by leaps and bounds," Schumer said, according to a Reuters report.

"The quickest and easiest way to shut down this one-stop shop for identity theft is for major Web sites to switch to secure HTTPS web addresses instead of the less secure HTTP protocol."

Kenneth Corbin is an associate editor at, the news service of, the network for technology professionals.

Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.