Changing cyber access on state and local levels [Commentary]

In March, HR 1344, also known as the State Cyber Resiliency Act, was introduced by a bipartisan group of legislators. That piece of legislation focused on providing grants to state and local governments to fund efforts to improve cyber defenses and cyber incident response. For some time now, cybersecurity has been a top priority of state and local government cybersecurity professionals. More recently, it has become a top priority for state and local chief information officers and has even made it to governors’ desks.

This bill was created to assist state and local governments with funding to improve their cyber defenses. Sen. Mark Warner, D-Va., recently was quoted in a news release as saying: “Despite the velocity of the threat, 80% of states lack funding to develop sufficient cybersecurity.”

Some cybersecurity practitioners are quick to point out that while the funding will certainly help improve state and local cyber defenses and response, there is another issue that should be addressed. While no figures are available, many (some say most) governors and state and local CIOs and chief information security officers (or equivalents) do not hold current security clearances.

Receiving sensitive and sometimes classified cyber intelligence is critical to addressing the growing cyberthreats that target state and local government systems. Some cleared cybersecurity professionals are quick to point out that given the current backlog in conducting the background investigations (some say it is 18 months long), the last thing we need is to increase that workload.

Others have gone so far as to suggest a new clearance level — below secret and above confidential. This level would be specific for governors, state CIOs and CISOs, as well as cover some elected officials of large local governments. One went so far as to put the classification as the threat data for this new clearance level as undisclosed.

Perhaps it is time to address both issues — the backlog of investigations, and how best to keep state and some local government officials, who have a need to know, informed about cyberthreats.