SAN FRANCISCO—If the U.S. government has a long road ahead in its efforts to improve the nation's cyber-security, state and local governments are far worse off—most are just starting out on the path, and many are going in the wrong direction.
A panel of cyber-security experts speaking at the RSA Conference 2017 here on Feb. 16 told attendees that the myriad smaller governments across the United States have major cyber-security problems.
"It is really challenging to figure out whether there is a single optimal model to govern state cyber-security," Eric Goldstein, the branch chief for partnerships and engagement at the U.S. Department of Homeland Security, told attendees. "The diversity of states can be a strength, but it can also be a challenge as states figure out how they are going to handle cyber-security."
A key problem is that states have a great deal of data on citizens—often more than the federal government. But protecting that data is a problem. It is not cost-effective to protect everything equally, so states should give priority to services and protecting data, according to Timothy Blute, program director for the homeland security and public safety division of the National Governor's Association.
"Because government has a fundamental duty to protect its people, this is a public safety problem, as well as an IT problem that governors have to solve," he said.
Education should be a starting point for most smaller government organizations, Karen Jackson, secretary of technology for the Commonwealth of Virginia, told attendees. All employees should be given some level of security training.
"I have 86,000 people on my network every day, so I'm one click away from a really big problem," she said.
While prioritizing cyber-security is one strategy, government agencies also need to find ways to get around resource shortages. Not only is money in short supply, but skilled workers are in demand as well. Virginia, for example, has 36,000 cyber-related positions available in 2017, up from 17,000 a year and a half ago, Jackson said.
And tracking the problem is difficult: Virginia found that its cyber-security jobs do not have common labels among the various agencies, making it difficult to get a handle on the problem.
Overall, communities will likely need to find a different path than federal agencies, but also rely more on each other and national resources.
"You cannot expect, for example, a small rural water utility to successfully respond, mitigate and recover from a sophisticated cyber-attack," DHS' Goldstein said. "I think that all we can hope is that they can be educated to identify the problem and know who to call."
One bright spot: Elections have really ramped up interest in cyber-security among towns and states, according to Jackson.
"Suddenly, a lot of the registrars woke up and said, 'Wow, this is what it is to have a cyber problem,'" she said.