Ajoint policy declaration of AT&T and the National Cyber Security Alliance published a guide to encourage the development of long-term strategies aimed at increasing cybersecurity awareness among elected officials.

They commissioned the Governing Institute (dedicated to helping public sector leaders govern more effectively through research, decision support and executive education) to survey 103 US state legislators and their staff to understand how lawmakers view their role in this sector.

The results were published at http://www.governing.com/cyberfinds They show that awareness is growing.  The majority of respondents declared that protecting state networks were a priority, however, the findings also show that awareness is not always transforming itself into “actionable” items. The most common thread they discovered is that government leaders and lawmakers need to show greater engagement in cybersecurity (from direct experience in the field we can see similar results in Europe.)

Certainly, technology is a concern but the issues are not technologically based. As they point out cyber threats represent serous business risk to government operations. Legislators have a central role to play in addressing these risks ranging from budgeting for adequate security resources. Most legislators view cybersecurity as extremely important, but their research shows that few of them are directly involved in the issue. Less than 20 percent of survey respondents said they sit on a committee that has cybersecurity as part of its mandate, yet more than 80 percent agreed that protecting government networks is a “critical priority.”

Why the “disconnect”? Probably most importantly relatively few state and local legislative bodies have dedicated cybersecurity committees. As a consequence, few lawmakers simply don’t have an opportunity to join. Unfortunately, the paucity of such committees indicates a lack of meaningful interaction between lawmakers and security professionals.

But awareness in the long run must translate into action—and that’s where lawmakers still have work to do. One respondent cited several pieces of data that are not encouraging. First, a majority of respondents (63%) were unaware of the size of cybersecurity investments being made by their states. “This lack of awareness is troubling because it’s critical that state networks have good cybersecurity technology in place and invest in upgrading older legacy systems that may be more difficult to secure,” he says. In addition, half of respondents said their states don’t have adequate cybersecurity personnel. And a similar number admitted they have gaps in expertise and struggle with attracting and retaining cybersecurity talent.

More than one-third of legislators in the survey don’t know who develops their state’s cybersecurity strategy? Since strategy makes a fundamental statement, as they note in the survey report, about how states will protect their citizens’ most valuable and sensitive data—and that’s an assertion “senior officials need to own”.

Survey results around cybersecurity awareness indicate that a growing number of legislators grasp the seriousness of the threat to government networks and data. Almost
70 percent of respondents acknowledged that attacks are inevitable, and more than 90 percent say malicious hackers are getting smarter.

Government is more reliant on computer systems than ever before and are amassing vast amounts of citizen data and information.  Being able to understand better the value of state assets and the protection of those assets all forms the basis of developing a governmental cybersecurity strategy. The risks of cyber attacks to state run information systems have never been greater. Better informed government officials that are engaged and proactive will be essential for make “smart” decisions about cybersecurity issues – assets to protect,  adequate funding, and appropriate training.

“Understanding the Cyber Threat – A Policy Guide for Legislators”

John Forrester