Cyber demand leaves states at risk

State and local governments facing growing threats from hackers have a new problem: finding and then employing the right cybersecurity specialists to fight them.

Local governments are increasingly trying to bulwark their cybersecurity defenses, just as federal officials and businesses around the nation focus new attention on ramping up their own protections.

{mosads}That high demand is a boon for cybersecurity workers but is a disadvantage for cash-poor state, county and city governments, which can’t offer the perks and high salaries of the private sector.

A study released this month by the National Association of State Chief Information Officers found that “insufficient funding, sophisticated threats and shortage of skilled talent threaten security and put state governments at risk.”

“In light of the increasing severity, volume and sophistication of cyber threats, compounded by lagging discovery times and longer restoration periods, states are becoming more vulnerable to cyber attacks,” the organization warned in its report, which was also compiled by Deloitte.

In recent years, governments have been pulling out multiple stops to meet the threats, especially as massive data breaches at businesses from Target to JPMorgan Chase have captured the public’s attention.

Successful hacks against government agencies, such as the 2012 breach of 3.8 million tax records from South Carolina’s Department of Revenue, have had also had an impact.

“Prior to the last two [to] three years [raising awareness] would be more of a challenge, but at this point, most local governments at many counties and states have unfortunately encountered some sort of breach,” said Karon Harden, the director of professional development, education and training at the National Association of Counties.

“It’s a lot less hard to convince them at this point because they do see the realities of what’s happening in local government and at state governments as well,” she added.

The National Governors Association (NGA) has launched a resource center for state governments to share ideas on how best to meet the threat.

“Protecting the nation’s energy system and infrastructure from cyber threats is of vital importance to governors, and the risks appear to be growing,” the NGA said in a report this summer.

Attacks to power networks, dams, pipelines or other critical systems, for instance, could cripple cities and towns. 

Michael Daniel, the White House’s cybersecurity coordinator, earlier this year called local governments “the first line of response when something goes wrong for our people,” and has worked to bring government and corporate officials together to discuss the threat.

Agencies and organizations are also marking Cybersecurity Awareness Month in October with a number of webinars, forums, panel discussions and other events to highlight the risks. Later this week, federal and local officials will meet at Microsoft’s Washington state offices to discuss the role for state and local governments to fight cyber attacks.

But many challenges remain, starting with getting the right people for the job.

Nationwide, there are 300,000 vacant cybersecurity jobs, according to security firm Symantec. Many of those don’t require someone with a four-year degree.

With so many open seats, people looking to get into the field often have their choice of job offers. When the choice comes down to a private company or the government — especially when budgets are getting squeezed — many professionals choose the private sector.

A report from the National Association of State Chief Information Officers worried that state budgets “are still not sufficient to fully implement effective cybersecurity programs,” and said state officials “are struggling to recruit and retain people with the right skills.”

Harden, with the National Association of Counties, echoed the concern.

“Oftentimes, counties may not be able to afford the talent that’s out there if they’re competing against larger private industries,” she said. “It is something that’s difficult for counties.”

Cities, counties, states and other local governments come in a range of sizes, which leaves some better equipped to handle cyber challenges than others.

But no matter how big the agency, one of the biggest risks facing local governments is the same as the one facing companies and federal agents: hackers are getting better and faster all the time. 

“You can look at the public sector; you can look at the private sector, and you can see that there are no sacred cows,” said Derek Johnson, a research analyst at Deltek, which does analysis of government contractors.

“There is no organization that truly feels like they are operating on the same level as the people they are trying to breach their system,” he said. “It’s just a constant struggle to catch up and to meet them at the capabilities that they’re currently using, let alone the capabilities that they’ll be using tomorrow.”