NASCIO Joins Chorus of State Groups Seeking Federal Funds

The states need federal funding to help them beef up network security and protect critical information technology resources from attacks by hackers and terrorists, according to a national group of state chief information officers.The National Association of State Chief Information Officers last month unveiled a detailed blueprint for improving IT security and infrastructure protection, which they intend to circulate among federal officials as they lobby for increased funding to support their plan."We anticipate that evolving homeland security efforts will likely include funding to the states for cybersecurity efforts," said Chris Dixon, NASCIO's digital government coordinator. Officials with Lexington, Ky.-based NASCIO did not specify how much federal funding was needed, but they warned that state governments could be forced to delay or cut other IT programs if they do not receive federal assistance.The blueprint also provides a framework for helping states share best practices and information on security threats and vulnerabilities, the latter of which "will come from many different sources," said Rock Regan, NASCIO president and Connecticut CIO.The blueprint, which is in draft form, recommends that states establish security offices, perform assessments and make security an integral part of IT systems planning. The projects that should receive top priority are security certification and validation, disaster recovery and business continuation, according to the blueprint.The key elements of the plan were hammered out by representatives from 34 states during a two-day forum on security and critical infrastructure protection held Nov. 13-14 by NASCIO in Dulles, Va. The final version of the report will be released at the National Electronic Commerce Coordinating Council's annual conference in Las Vegas Dec. 10-12, Regan said. NASCIO is among several organizations calling for the federal government to help fund state and local efforts to improve computer security and take on homeland security initiatives. The National Association of Counties is lobbying the government to provide at least $3 billion annually in anti-terrorism block grant assistance to the nation's more than 3,000 counties.At the same time, the National Governors Association of Washington is planning to ask the Bush administration to establish a discretionary fund that states can tap into for homeland security, said Ann Beauchesne, the association's program director for emergency management.Based on a survey it conducted, NGA estimates states have spent $6 billion to provide sustained security for critical infrastructures, she said. One of NASCIO's next steps will be to enlist the support of the private sector through its corporate leadership council, Regan said. The council includes representatives from many of the top integrators in the state and local government market, such as Accenture Ltd., Hamilton, Bermuda; American Management Systems Inc., Fairfax, Va.; Electronic Data Systems Corp., Plano, Texas; and KPMG Consulting, McLean, Va.The private sector might support state CIOs with strategies for business continuity and disaster recovery through NASCIO-led forums, seminars and other means, said Holli Ploog, chairwoman of NASCIO's corporate leadership council and president of DynCorp Management Resources Inc. of Reston, Va. One of the cornerstones of NASCIO'S cybersecurity plan is the establishment of a national information sharing and analysis center. The center would record and report security breaches across state IT enterprises, provide early warnings to other states of network breaches, offer patches to fix violated systems and act as a clearinghouse for sharing best practices among the states.A state information sharing and analysis center also would allow reports of security breaches and other incidents to be transmitted to the National Infrastructure Protection Center located at FBI headquarters in Washington, which is the federal government's focal point for protecting the nation's critical infrastructures. The center won't duplicate existing efforts, and NASCIO will try to use warning and analysis capabilities that the federal government makes available, Dixon said.The center likely will be funded through a combination of state and federal funds, he said. Federal funding would enable the states to establish the information sharing center "sooner rather than later," he said, referring to the complexity of coordinating the funding for the center among 50 states with different budget cycles. But Dixon declined to provide a per-state cost or a breakdown of the state and federal funding for the information sharing and analysis center.Information security and assessment centers have been established so far for six sectors of the economy, and four more are planned, said Ken Watson, president of Partnership for Critical Infrastructure Security of Washington, a nonprofit organization established to coordinate protection efforts by various infrastructures critical to the U.S. economy. Watson also is manager of the critical information assurance group at Cisco Systems Inc., San Jose, Calif.Establishing an information sharing and analysis center for the states "is consistent with what is being done in other U.S. industries," said John Lainhart, a partner and head of the information assurance practice at PWC Consulting, the management consulting business unit of PricewaterhouseCoopers, New York.