Mississippi and Idaho Have the Strongest Cybersecurity in the US, Report Says

They did it by turning to people smarter than politicians.

When it comes to cybersecurity policy, there are two state governments that are head and shoulders above the rest of the country. But you might be surprised when you find out which two states are leading the pack: Mississippi and Idaho. The secret to their success? They developed policy based on the knowledge of people who actually know a little something about computers instead of politicians.

Cybersecurity for governments has been a hot topic on Capitol Hill lately. Last month, the President announced an executive order to improve communication between the government and private sector in sniffing out cyber terrorism threats. A brand new agency to combat cyber threats also debuted.

It makes sense that policy makers are trying to strengthen cybersecurity at the state level as well. Every state other than Alaska has published an IT security plan, so a couple of infosec experts at the Brookings Institution decided to comb through these plans and analyze how strong and comprehensive they were. Researchers Gregory Dawson and Kevin C. Desouza published their preliminary findings on the Brookings blog, but told me they have a more extensive report in the works.

Their analysis found many policies were far too weak and, in some cases like Vermont and Utah, plans for addressing cybersecurity threats were virtually nonexistent.

"If these states are addressing cybersecurity, we did not find evidence of it in their latest IT strategic plan," Dawson and Desouza wrote in their report. "Given the omnipresence of cybersecurity, we were surprised."

Most of the states fell under the category of "aware, but lacking in detail" such as Maryland, which had an IT policy that acknowledged "a significant surge in cyber security activities, especially in the areas of planning, infrastructure hardening, and platform/network/application assessment and testing," but didn't actually lay out a plan to address this surge.

But Idaho and Mississippi are all-star states when it comes to cybersecurity, the review found, with Dawson and Desouza calling the states "truly outstanding." Why the high praise? Both states had IT security plans that laid out clear, state-specific strategies to ensure cyber security by partnering with people who know more about it than policymakers.

Mississippi, for example, has plans to implement the framework of the National Institute of Standards and Technology through establishing the controls the group outlines in its publications, as well as recommendations from the National Governors Association's Call to Action for Cybersecurity and the Top 20 Critical Security Controls maintained by the Council on Cybersecurity.

"Given the large and evident risks associated with securing an enterprise network in a federated state government environment, it is essential that security be applied throughout the enterprise," Mississippi's IT master plan reads.

The plan has two pages devoted to strategies for beefing up the state's cybersecurity and also includes some plans to protect mobile security.

Idaho's plan takes a similar tack, adopting the NIST's protocols while also updating aging equipment.

"Such an approach is the most cost efficient and effective way to enact standards and policies for cybersecurity. While we are not asserting that all states should adopt NIST's proposals, we are concerned that locally developed standards may be inferior," Dawson and Desouza write. "States, unlike private sector firms, have the advantage of not being in competition with other states and so can adopt and leverage these standards to provide better cybersecurity to the citizenry. Failure to do so is likely to stall effective cybersecurity and leave states open for cyber threats."

It seems the best way for states to shine when it comes to cybersecurity policy is to stop trying to solve the problem on their own and just listen to the people who know what the hell they're talking about, at least according to a couple of experts at Brookings.