The U.S. government could do several things to help states improve their response to cyberattacks, including increased funding for technology training programs, cybersecurity experts told a House of Representatives committee Tuesday.
States have difficulty hiring top cybersecurity employees, said Steven Spano, president and COO of the Center for Internet Security. Cybersecurity workers are a "high-demand, low-density asset," the former Air Force general told two subcommittees of the House Homeland Security Committee.
Meanwhile, states are uncertain about their ability to respond to cyberattacks, lawmakers noted. For four years in a row, states have ranked their ability to respond to cyberattacks at the bottom of a list of emergency response competencies when surveyed by the Federal Emergency Management Agency, noted Representative Dan Donovan, a New York Republican.
"I am worried that it's only a matter of time before the hackers are successful" in compromising the electric grid, the water system, or some other essential service, added Representative Donald Payne, a New Jersey Democrat.
Part of the problem for states is a lack of funding, said Mark Raymond, CIO for the state of Connecticut and vice president National Association of State Chief Information Officers.
Most states spend just 1 percent to 2 percent of their IT budgets on cybersecurity, while the federal government spends about 15 percent, Raymond said.
Like Spano, Raymond noted the difficulty of hiring cybersecurity professionals, with states competing with private industry for the best people. Cybersecurity workers are the "most difficult to recruit and retain for states," he said. "State government salary rates and pay structures are the biggest challenges in bringing on IT talent."
Neither Spano nor Raymond gave lawmakers statistics about open cybersecurity positions in state governments.
Another area of concern is cyberthreat information sharing, witnesses said. While sharing between the federal government and states has improved in recent years, much of that information is classified, said Lieutenant Colonel Daniel Cooney, assistant deputy superintendent in the Office of Counter Terrorism for the New York State Police.
"We cannot share useful contents with many of customers unless the classification is downgraded," he said.