As with many other aspects of homeland security, cybersecurity coordination among federal, state, territorial, county, municipal and tribal governments is still very much a work in progress. Based on the National Association of State Chief Information Officers’ (NASCIO) review of the Department of Homeland Security’s draft National Infrastructure Protection Plan (NIPP), I believe we’re at the end of the beginning of this formative process. Focusing on the implications for what DHS calls “the state and local sector,” I see three outstanding issues to be addressed during the next 12 to 18 months.
The first challenge is that cybersecurity must be incorporated into DHS’s State Homeland Security Assessment and Strategy process, which states must complete in order to receive federal homeland security grant dollars. Currently, the term “cybersecurity” does not even appear in the DHS materials. This is inconsistent with the rest of DHS’s documentation, such as the NIPP.
In Kansas, I have a good relationship with our homeland security director, and I’m able to get my requirements considered — if not always funded out of those grant monies. Not every state CIO can say the same, and the level of engagement can rise and fall with changes in leadership because the formal process does not mandate consideration of cybersecurity.
The second challenge is that, in just a few years, the outlay of cybersecurity coordination and communication mechanisms has become convoluted. Currently, we have the FBI-sponsored InfraGard chapters, DHS’s Critical Infrastructure Warning Information Network, a Multi-State Information Sharing and Analysis Center, a US-CERT (Computer Emergency Readiness Team) portal and a DisasterHelp.gov portal — among others.
NASCIO is currently participating with the Government Coordinating Council for the IT Sector Coordinating Council. These coordinating councils seem to be the primary coordination mechanisms of DHS’s National Infrastructure Protection Plan. However, none of these channels will prove to be effective if we don’t rationalize their existence in some way.
Finally, we as state tech leaders need to begin thinking about coordinating internally with our subunits and with our neighbors. The state CIO is not usually charged with coordinating with county, municipal or tribal IT executives on cybersecurity, and the Department of Homeland Security can’t do that for us. We know that all disasters are local and so is the response.
Consequently, state homeland security directors should be directing information technology executives at all levels to start looking at our technology outlays. The idea is to determine how we can ensure that our governments “maintain order and deliver minimum essential public services” and emergency services in a time of crisis, per Homeland Security Presidential Directive 7. Hurricane Katrina served notice to all of us.
Last year, NASCIO partnered with the Metropolitan Information Exchange, an association of city and county CIOs, to conduct a survey of state and local cybersecurity preparedness. (The results of that security survey can be found online under the “What’s New” section of NASCIO’s Web site at www.nascio.org.)
This represents the first substantial engagement between state and local CIOs at the national level. Now we need to translate that to each state and territory.
That’s why I encourage my peers in other states to reach out to their local partners on this issue and ask local CIOs to do the same.
Denise Moore is the Chief Information Technology Officer of the state of Kansas and was Chair of NASCIO’s 2004-05 Information Security Committee.