The Sorry “States” of Cybersecurity

In a new FEMA report, U.S. states admit cyber-preparedness needs work 

The Federal Emergency Management Agency (FEMA) has released its annual National Preparedness Report outlining the country’s ability to prevent and recover from natural or man-made disasters. In the report, FEMA polls 56 states and U.S. territories to determine each entity’s level of confidence in 31 key areas of disaster prevention and response.

The survey has traditionally focused on areas of pre-planning, coordination and information sharing in the event of a major natural disaster like a hurricane, flood or earthquake. In recent years, counterterrorism has also been a major focus of the report. In all these areas, the states rank very high and express confidence about their ability to be ready, prompting FEMA to list planning, environmental/health and safety response, mass search and rescue, and operational communications as areas of national strength. 

The 2012 report, however, also introduces a series of cybersecurity-related categories to the poll, and it is in those areas states say much work remains to be done. 

Cybersecurity ranked last overall among the 31 areas of preparedness evaluated by each state, despite the fact that nearly all states have increased their awareness of cyber-defense issues in recent years and consider digital security a priority concern. 

Part of the problem, according to the states and territories polled, is limited access to federal financial support for cybersecurity initiatives. While federal grants to help states improve their physical disaster response capabilities are plentiful, similar grants for virtual defense upgrades are limited. 

FEMA admits the number and severity of recent cyber attacks is increasing rapidly, regardless of the lack of corresponding growth among grant programs. From 2006 to 2010, the U.S. Computer Emergency Readiness Team saw a 650% increase in the number of cyber attacks reported to the agency by states, territories and other government entities. Among those public and private facilities FEMA considers “high priority” for continued operations in the event of a disaster, half report significant external cyber attacks in the last year alone.

To help address the problem, FEMA points to progress being made in the public/private partnerships to share information and resources to combat cyber crime. Two government pilot programs, the Joint Cybersecurity Services and the Defense Industrial Base project are expanding rapidly by enlisting private companies to help secure the sensitive digital assets of the U.S. Department of Defense. 

These efforts, however, are primarily focused on cybersecurity at the federal level, while similar initiatives within individual states and territories have been slow to materialize. 

Unfortunately, FEMA believes it may take a significantly damaging cyber attack to spur both local and federal governments into action to make significant gains in cybersecurity preparedness. The phenomenon is similar to anti-terrorism efforts that became a local and national priority only after the attacks of September 11, 2001.

Source: FEMA 2012 National Preparedness Report