Over two steamy days in August 2003, New York City’s crippled power grid paralyzed the Big Apple and invoked chilling reminders of the Sept. 11 terrorist attacks two years earlier. Elevators froze in skyscrapers, hotel guests with inactive key cards were locked from rooms, and commuters were forced to abandon the subway and resort to walking, hitchhiking and cajoling rides in gridlocked streets. Flights were canceled and even bus service was interrupted. The neon lights of Times Square went dim as the Brooklyn Bridge transformed into a slow-moving expressway for weary pedestrians.
The outage was part of a much larger blackout that impacted an estimated 50 million people in Canada and eight states across the Eastern seaboard and Midwest. The cause was later determined to be overloaded transmission lines compounded by human error -- and not a rogue band of hacktivists or shadowy cyberterrorists. But the incident underscored a key vulnerability that makes the nation’s power grid a marquee target for cyberintruders bent on exploiting existing weaknesses: its reliance on IT systems and networks. The 2003 blackout could happen again, experts say. Only this time, a cyberattack would be responsible for crippling the nation’s infrastructure and leaving states, cities and whole regions in the dark with no Internet, phone service or electricity. Even worse, financial institutions, water supplies and public transit could be attacked since all are penetrable via the Internet.
The specter of an electronic assault on New York’s power supply is so worrisome that the White House conducted a private simulation in March for U.S. senators that mimicked the 2003 blackout in an effort to highlight vulnerabilities and muster support for the passage of comprehensive cybersecurity legislation (the bill stalled in the Senate in August). Homeland Security Secretary Janet Napolitano, FBI Director Robert Mueller and White House counterterrorism adviser John Brennan were among the participants.
While the focus on physical threats is an emerging cyberterror issue, state and local computer networks have long been high-value targets. “State governments have the most comprehensive information about citizens, from birth all the way to death,” says Srini Subramanian, principal with Deloitte & Touche and leader of the firm’s state cybersecurity initiative. Over the last 15 years, states have migrated much of that information online, a move that offers convenience but adds risk, notes Subramanian, co-author of a 2010 study with the National Association of State Chief Information Officers (NASCIO) on cyberpreparedness.
As Internet-based perils grow in sophistication and frequency, critics complain that Congress and the Obama administration are not providing sufficient leadership and resources to states and localities. “Federal regulations and guidance around this are disharmonized,” says Doug Robinson, executive director of NASCIO, noting that each federal agency issues unique requirements detailing the handling of its data, making compliance tedious for states. He adds: “No one in the federal government is saying, ‘We ought to get together and coordinate all this so we’re not inflicting so much pain on the states that are executing our federal programs.’” Robinson and other state advocates say they welcome assistance and guidance from Washington that doesn’t come with strings, like unfunded mandates and preemption of state laws.
States are now racing to fill the perceived regulatory void. Forty-six states have enacted data protection laws designed to safeguard personal information. According to NASCIO, 41 states have adopted or expect to adopt strategic plans designed to better coordinate Internet security efforts. Among them is Michigan, which adopted its plan last October -- during National Cybersecurity Awareness Month -- with strong backing from Gov. Rick Snyder, who formerly served as president, chairman and interim CEO of Gateway computers. Snyder treats cyberprotection as a top priority and “economic development opportunity,” says Dan Lohrmann, the state’s first chief security officer. Under the initiative, Michigan is poised to launch the first state-level “cyber-range” to train its employees in next-generation defensive technologies.
For state executives tasked with thwarting electronic intrusions, the obstacles are daunting. “States are constantly running to catch up to the nature of the threats,” Robinson says. Each day, state networks face electronic assaults that can number in the tens of thousands, even millions. Breach attempts take the form of malware, viruses, denial-of-service attacks and network probes searching for weak links such as easy-to-guess passwords. Perpetrators run the gamut from corrupt employees, crime syndicates and activists to rogue nations and terrorists. They use technology to cloak identities and whereabouts, and if based overseas, are potentially beyond the reach of U.S. law enforcement.
Increased reliance on third-party contractors and vendors expose states to new dangers if partners are not fully compliant with security protocols. The ubiquity of ever-changing personal technology, from smartphones to tablets to laptops, makes it difficult to plug all security holes. Regular training, monitoring and vigilance are required to keep pace with hackers. State security officers can’t just worry about data theft. They must plan for the unthinkable: so-called blended attacks that combine conventional warfare or terrorism with coordinated cyberintrusions, and are potentially lethal. And there’s the challenge of raising and maintaining awareness about largely invisible threats that crisscross borders and datelines.
While some states have bolstered security to match the most stringent federal safeguards, others lag due to funding shortfalls and scarce resources. A 2010 NASCIO study found that states only devote 1 to 3 percent of IT budgets to cyberprotection. Data gathered for a 2012 update indicates that those figures slipped to 1 to 2 percent of IT budgets, which mostly stayed flat. “That means it’s probably half or less than what it should be because the states have been under fiscal crisis,” says Robinson. As a result, Deloitte’s Subramanian says, attacks on state governments and agencies are mounting. Two breaches in April that each involved the theft of hundreds of thousands of personal records highlight the trend. Hackers who remain at large infiltrated a Utah server via a state contractor to steal Medicaid records, Social Security numbers and other sensitive information, while in South Carolina, a state employee was arrested for accessing personal information from Medicaid beneficiaries.
For cash-strapped states, mustering the necessary funds for cybersecurity is a challenge when streets and bridges need repair. Cybersecurity programs also become sidelined when states don’t shelter them from political squabbles. In June, a dispute between Florida’s governor and Legislature resulted in the elimination of the state CIO position. “There are different levels of maturity” to state readiness, says Mark Weatherford, deputy undersecretary for cybersecurity at the Department of Homeland Security (DHS) and former chief security officer for California and Colorado. “Does it concern me? Of course it concerns me.” To address the imbalance, he and his team regularly urge governors to elevate cybersecurity as a top priority.
But Weatherford acknowledges that there’s room for improvement at the federal level as well. “We can always do more. There’s not enough money, resources or time to do everything we want to do,” he says. Citing the extensive outreach that his department conducts with governors, security officials and other stakeholders, though, he insists his department is doing all it can to help states. “States are sovereign organizations, and most of them don’t like a lot of oversight by the federal government,” he says.
Weatherford says that federal agencies do, in fact, comply with uniform cybersecurity standards, but acknowledges that each agency issues its own security and privacy requirements. That’s necessary, he says, because agency needs vary widely depending on the sensitivity of their information. “We try to be as consistent as we possibly can in how we work with each of the states,” Weatherford says. Regarding funding, he notes that DHS provides grant money to the Multi-State Information Sharing and Analysis Center, a nonprofit, private-sector group that conducts cybertraining and outreach. Additional federal money that states can devote to cybersecurity is available through FEMA’s homeland security grants program. “If I had more money that I could provide, I would love to be able to do that,” he says. “We in the government are in a resource-constrained environment.”
As states assert their authority, they enter muddy regulatory waters complicated not just by federal mandates, but also international laws and treaties. “Virtually everything is murky in this area and there are very few clear answers,” says Michael Glennon, professor of international law at Tufts University’s Fletcher School and author of a detailed legal analysis of state cyberlaw. States run an ongoing risk of federal preemption. “It’s always within the authority of the Congress to enact preempting legislation,” and “hard to conceive of any area involving cyberoperations that would be seen by the courts to constitute a realm of exclusive state authority,” he says. For now, states have broad jurisdiction because there’s little the federal government has done that could be viewed as preemptive. Still, Glennon says, “That could always change.”
California’s sweeping data protection law, which took effect in 2004, requires companies to bar unauthorized access to the personal information of its residents. “California really took the lead when it comes to data protection and concerns about corporations negligently misplacing or failing to protect sensitive data that they have on file,” Glennon says. “Other states have looked to California as the model for data protection.”
The hodgepodge of state laws and the Internet’s global structure have given rise to legal quirks. A similar Massachusetts law that took effect in 2010 applies to residents wherever they travel, and to stores in other countries that retain the credit card data of Massachusetts residents -- even when purchases are made online. If a Paris hotel keeps computer files on dozens of vacationers from different states, it might be forced to comply with numerous U.S. data protection plans, Glennon says. “Unless all these plans get harmonized through preemptive federal legislation, some entities are going to confront a disincentive for dealing with Americans,” he warns.
With the collapse of federal cybersecurity legislation, lawmakers are sparring over the direction of a fresh legislative push and whether President Obama should issue an executive order to create a new program to protect critical infrastructure. In the meantime, state security officers are left to wonder each day if they’ve done enough to safeguard their networks against the sort of catastrophic breach -- like the 2003 blackout -- that’s guaranteed to stir Washington into action.