[ISN] States need cybersecurity focus

From: InfoSec News (isnat_private)
Date: Tue Mar 25 2003 - 00:27:14 PST

    http://www.fcw.com/geb/articles/2003/0324/web-secure-03-24-03.asp
    
    By Dibya Sarkar 
    March 24, 2003
    
    A new Zeichner Risk Analytics LLC study found 36 state governments
    have failed to prepare, adopt and implement acceptable cybersecurity
    policies, which could have damaging consequences to citizen services,
    communication systems and critical utilities if the nation were to
    undergo cyberattacks.
    
    But while state governments and organizations such as the National
    Association of Chief Information Officers and National Governors
    Association are aware of the problem and discussing the issue, several
    cybersecurity experts said what's needed is deployment.
    
    "I think what's important is that states take action," said Richard
    Pethia, director of the CERT Coordination Center at Carnegie Mellon
    University. He said there are plenty of good resources and work on the
    issue, but what's missing is a "commitment to action."
    
    That's important in light of the increasing threat, he said. CERT says
    more than 82,000 incidents were reported in 2002, about four times
    more than in 2000. Nearly 5,000 vulnerabilities were reported last
    year, up from 1,090 reported in 2000. "There's no end in sight to that
    trend," said Pethia, adding that denial-of-service attacks occur every
    day.
    
    John Burke Jr., a Washington, D.C., attorney who serves as general
    counsel to BITS -- the technology arm of the Financial Services
    Roundtable, made up of the top chief executive officers of the largest
    banking institutions -- said if financial systems are compromised "and
    they don't get back online very quickly, we have a serious, serious
    problem. It would seriously shake public confidence."
    
    Lee Zeichner, president of the consulting company that conducted the
    study released today, said states are generally behind the federal
    government and the private industry in securing their systems.
    
    "What's missing here is leadership, focus and consistency across the
    states," he said, noting that governors must take the lead.
    
    Following a yearlong review, the study found that only 14 states and
    the District of Columbia are in full compliance with the
    Gramm-Leach-Bliley Act of 1999, which requires federal agencies and
    states to prepare cybersecurity guidance for financial institutions.  
    Fourteen other states have pending legislation and/or regulations for
    compliance, while 22 states have little or no cybersecurity activity.
    
    Zeichner said reasons for noncompliance include confusing privacy
    with security guidelines, lack of funds and shifting priorities due to
    the Sept. 11, 2001, terrorist attacks.
    
    John McCarthy, executive director of the Critical Infrastructure
    Protection Project at George Mason University, said states are dealing
    with competing priorities, such as a greater focus on providing first
    responders with greater information and tools. But as police and fire
    departments become more dependent on technology, there needs to be an
    equally greater emphasis on protecting systems and databases, which
    are easily corruptible.
    
    The study recommended that:
    
    * States adopt the National Association of Insurance Commissioners'
      nationwide proposal, which provides an approach similar to that of
      states in compliance with the Gramm-Leach-Bliley Act.
    
    * States create a single, nationwide process for developing
      cybersecurity laws and policies.
    
    * A single public-private "focal point is badly needed" to coordinate
      strategy.
    
    The report said the recommendations "do not require extensive funding,
    retooling of state procedures or other drastic action."
     
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Mar 25 2003 - 02:46:19 PST