5 Reasons Cybersecurity Should Be a Top Priority

Ever since Internet usage started taking off in the 1990s, elected officials have pushed for more efficiency in delivering services to citizens via the Web. After more than a decade of technological innovation, governments now offer extensive online capabilities in every state — most available 24x7x365.

What's clear is that citizens like government websites. According to the 2010 Pew Internet and American Life survey, "Fully 82 percent of Internet users (representing 61 percent of all American adults) looked for information or completed a transaction on a government websites." And with the rapid adoption of smart phones and other high-speed mobile devices - along with constantly improving broadband networks and new consolidations and partnerships among public-sector agencies — governments are offering information and services online like never before.

But with these opportunities comes new risk. "Our computing systems cannot just be secure — they should be unfailingly trustworthy," Microsoft founder Bill Gates told a World Economic Forum several years ago. "We should be able to rely on them as we in the developed world rely on electricity or a telephone service today."

Unfortunately, cyber crime is growing faster than e-government. As of October 1, 2010, privacyrights.org has chronicled 1,749 data breaches made public since 2005 that resulted in more than 510 million records being compromised.

Could our significant investments in information, communications and technology improvements be derailed? Yes, but we can't let it happen. What's at stake is more than just protecting government networks or websites. Neglect regarding cyber security can:

1) Undermine the reputation of both the government and elected officials;
2) Force unacceptable expenditures associated with the cost of cleaning up after security breaches;
3) Cripple governments' abilities to respond to a wide variety of homeland security emergency situations or recover from natural or man-made threats;
4) Disable elected officials' ability to govern.

Right now, newly state and local government administrations are setting priorities for their first 100 days in office. And for the next four years, they must keep trustworthy computing high on their "to do" lists. It is imperative that our digital infrastructure not only survive, but thrive, to enable increased government efficiency and innovation.

Here are five things that new governors and other senior elected officials need to do:

1) Empower a trusted Chief Information Security Officer (CISO) to lead this effort. Using the state Homeland Security Advisors/Coordinators as a model, each governor should create a CISO with real clout, someone who can work across local/state/federal lines.

2) Build a comprehensive cyber security plan modeled after the Federal Cybersecurity Initiative (currently mandated for all federal agencies). This plan should encompass traditional law enforcement partnerships as well include cyber issues within new state and local fusion centers.

3) Establish clear command and control for all cyber security incidents. Cyber emergency management situations should follow the processes directed in the National Incident Management System. Local, state and federal efforts need to be coordinated and escalated as appropriate in cross-boundary situations.

4) Enable more trusted transactions online. Accelerate innovation by building the foundation for digital identity management. Start by reviewing the "National Strategy for Trusted Identities in Cyberspace." Work with groups like the National Association of State CIOs and the National Governors Association on federated digital identity efforts.

5) Think "people, process and technology" when implementing cyber security solutions. The majority of cyber solutions require cultural change. A robust training program is needed within government and for students, parents, educators and all segments of society. Elected officials have an opportunity to lead by example when it comes to Internet safety.

One final thought: When it comes to cyber risk, you can never outsource the responsibility. Getting private-sector help makes sense, but the government will always answer to the public when business functions are not available. Therefore, it all starts with making cyber security a priority. Building trust online will both reduce risk and enable innovation.

(Excerpts from this item appeared in a sidebar to "Data Lockdown," in the December 2010 issue of Governing.)