State CIOs need more IT security support from DHS

The U.S. Department of Homeland Security (DHS) must improve its support for U.S. state and local governments so they can better protect their IT infrastructures from attackers, two organizations of top IT officials said Wednesday.

Specifically, states and municipal governments would benefit if the DHS worked more closely with them, provided more training and became more responsive, according to the National Association of State Chief Information Officers (NASCIO) and the Metropolitan Information Exchange, (MIX) two organizations that represent top state, city, and county IT officials.

"The state chief information and security officers would gladly accept a closer relationship with the Homeland Security Department," said Denise Moore, CIO of the state of Kansas, in a teleconference with reporters Wednesday.

NASCIO and MIX based their conclusions and recommendations on separate surveys they conducted of high-ranking state and local IT officials, such as CIOs and CSOs. Moore, who is NASCIO's information security committee leader, stressed that the goal of the two organizations isn't to be critical of DHS but rather to provide "constructive advice."

However, the Democratic staff on the House Committee on Homeland Security adopted a much more combative tone in a report it issued based on the survey results. The DHS is "falling short in fulfilling its basic obligations to state and local governments" in matters of IT security, the report reads.

"The federal government is more than simply a point of contact for state and local governments on the issue of cybersecurity and the department must recognize that current efforts as demonstrated by the MIX/NASCIO surveys aren’t up to task," said Rep. Bennie Thompson, a Mississippi Democrat and the committee's ranking member. His prepared remarks were read on his behalf by a staffer during the teleconference.

Neither the DHS nor the office of Rep. Peter King, a New York Republican and chairman of the committee, returned calls seeking comment.

Moore portrayed the current relationship between the DHS and IT officials from state and local governments as "detached" and called for the DHS National Cyber Security Division to do more outreach.

She also called for DHS to better assess "cyber security" needs at the state and local levels, which would boost the likelihood of funding increases.

DHS could also do a better job of promoting its existing IT security programs, best practices, methodologies and tools for things like risk assessment, operations continuity planning and training, Moore said.

Moreover, DHS should focus on supporting state and local CIOs on matters related to criminal attacks perpetrated both by outsiders and insiders, and on problems caused by internal employees' ineptitude, she said. It should de-emphasize support for things like viruses and malware in general, which state and local governments can deal with on their own. "DHS' role as a direct provider of alerting services seems to be duplicative and their reputation for timeliness is also in question," she said.

DHS also could help by promoting education opportunities at the local level on matters of IT security, she said.

Detailed information about the survey results can be found at NASCIO's Web site. A document with the survey findings is here. An appendix with more information is here. The report from the committee's Democratic staff can be found here.

NASCIO represents CIOs, CSOs and other top IT officials from the 50 U.S. states, six U.S. territories and the District of Columbia. MIX groups similar officials who work at the city and county level in the U.S.