The left and right hands of cybersecurity

Notwithstanding all the tough talk about defeating terrorism, the expression "good enough for government work" is, unfortunately, relevant when it comes to cybersecurity. Indeed, a recent report released by the National Association of State Chief Information Officers chastises the Department of Homeland Security for not coordinating better with state and local authorities when it comes to combating cyberthreats.

Let's begin this discussion with a basic premise: The federal government is supposed to help state and local authorities combat terrorism.

You can read it in black and white: Section 7(c) of the Homeland Security Presidential Directive (HSPD) enunciates that it is United States policy "to enhance the protection of our Nation's critical infrastructure and key resources against terrorist acts that could...undermine State and local government capacities to maintain order and to deliver minimum essential public services." And Section 15 of the HSPD designates emergency services, the majority of which are provided by state and local authorities, as included among the most critical infrastructure.

To the extent cybersecurity is a real issue, then the left hand plainly needs to know what the right hand is doing.

With this premise in mind, the NASCIO's Information Security Committee conducted a survey of strategic cybersecurity issues. Its goal was to assess the nature of the relationship between state and local authorities and the programs and resources provided by Homeland Security. The committee concluded that much more needs to be done by Homeland Security to assist state and local governments.

First, it found that state and local governments would welcome a closer working relationship with Homeland Security, rather than the current private-sector approach now in place, which it characterized as "more detached."

Further, it recommended that a cybersecurity assessment be added to the current State Homeland Security Assessment and Strategy process to ensure that cybersecurity is adequately addressed for state and local sectors. This would help even if cybersecurity efforts are not funded to the levels desired by state and local authorities.

Third, the survey turned up a need to develop and maintain best practices and consistent methodologies and tools; conduct risk assessments; establish continuity of operations planning; and institute training for state and local governments.

Fourth, Homeland Security, as a direct provider of alerting services, needs to cure its reputation for lack of timeliness. In fact, "more emphasis needs to be placed on external-directed attacks, and internal ineptitude and maliciousness," according to the report. There needs to be "better coordination and allocation of effort among the multiple entities with a stake in the game, so to speak."

Finally, further academic programs and educational opportunities need to be made available to state and local players.

To the extent cybersecurity is a real issue, the left hand plainly needs to know what the right hand is doing. Above all, both hands need to be working together. Let's hope that best efforts are made by Homeland Security to reach out to and assist state and local authorities in safeguarding the Internet.