Cyber security is not a top priority for state governments, and they are not well prepared to deal with cyber threats. In fact, cyber security ranks at the bottom of 31 critical areas in terms of readiness, according to a report issued by the Federal Emergency Management Agency (FEMA). Though we tend (I tend) to see the world in terms of information security, because it’s what we do, the findings are not a cause for alarm. Not yet.
This was the first year that cyber security was included among the critical areas. Only 42% of the 56 states and territories surveyed say they are where they want to be in terms of dealing with cyber threats, according to the National Preparedness Report by FEMA. Public health and medical services (78%) were at the top of the list.
One in 10 states/territories say that cyber attacks would cause the greatest strain on their ability to respond effectively. Earthquakes, at 18% were tops.
As a security guy, I might wring my hands over this, but, sitting on my porch, thinking of my family and my house, I want to know that my state government is well prepared to coordinate with federal agencies (which I would hope at this point are in shape better than FEMA was when it that hardly set an example for preparedness in the immediate wake of Hurricane Katrina in 2005) to deliver emergency medical services if disaster strikes. Of course states should be prepared to deal with potential cyber threats to critical infrastructure. Of course data protection and the ability to deliver computer-dependent services (covers a lot, both online and in terms of network support for office-based services).
But I would be far more concerned if medical services were not at the top of the list. Government has a lot more experience dealing with hurricanes, earthquakes and fires than it does with cyber attacks. It should be prepared to deliver essential services when that type of disaster hits. Cyber security is the new kid on the block. We think of 2005 as the old days, when “spyware” and cyber crime were just starting to bubble up as serious concerns. We expect government to know the playbook when a hurricane hits.
Cyber threats are less tangible, a little less “real” if you will. Not nearly as likely to be a high priority. Nor are states as likely to have the experience and expertise in house to significantly improve their preparedness. And outside security consulting is expensive. And little federal money has been available to help states improve cyber security, according to an article on the FEMA report in Government Computer News.
That being said, it’s 2012. Cyber security is a maturing, if not yet mature discipline. States cannot plead ignorance, and they will be accountable when bad things happen that put their constituents at risk. On the one hand 42% is actually a lot better than I would have expected, given that cyber security is a relatively new concern. But I am skeptical, bordering on cynical, that what most states consider well-prepared would pass muster in a high-risk enterprise.