The Democratic staff of the House Homeland Security Committee released a report today entitled “Falling Short in Securing Cyberspace on the State and Local Level.” The report derives its analysis from a survey conducted by the National Association of State Chief Information Officers (NASCIO) and the Metropolitan Information Exchange (MIX).
The recommendations in the report and the survey have a common theme of “DHS should do more to help state and local governments with cybersecurity.” Specific recommendations focus on areas such as DHS outreach to state and locals, training programs, and the coordination of alerts. Some of these recommendations (e.g. better coordination of alert systems) are solid, but on many others, my gut reaction is “why is this a federal responsibility?”
Take the issue of training as an example. The NASCIO report recommends that DHS be more active about providing training opportunities to state and local cybersecurity officials, and even goes as far as suggesting that DHS create fellowships for state and local officials to go to the NCSD for six months:
Twenty (77%) of state CISOs indicated that they would consider sending employees to federally funded, short-term (e.g., 180 day) fellowships in Washington, DC with the National Cyber Security Division (NCSD) where they could learn more about NCSD’s mission and capabilities.
Naturally state and local officials are going to be in favor of this idea if they don’t have to pay for it. But should the federal government really pay to train state employees on cybersecurity? Is there a compelling national value to providing federal training in this area, or should the federal role simply be limited to standard-setting, and allowing the states to fund their own training if needed? I’d have to say the latter.
The House Democratic report also notes that most of the state and local CIOs surveyed were not familiar with the DHS National Infrastructure Protection Plan, and suggests that DHS should have done more to enhance awareness of it:
For instance, when asked about their awareness of the Interim National Infrastructure Protection Plan (Interim NIPP), a majority of state officials were not “familiar” with the plan, though the NIPP is the base plan for protecting the nation’s federal, state, and local cyber infrastructure. The Department must do a better job of marketing and promoting these documents directly to the state and local information security officers…
Is this really DHS’s fault? Don’t these local officials have some responsibility to find out on their own initiative about what’s going on at DHS? The NIPP is not exactly a secret; as CQ noted last month, the latest version of it received 5,000 public comments in December.
The Department’s cybersecurity efforts need to improve in many ways, as I’ve noted previously. But on some of the critiques in these reports, I’m not convinced.