In Boosting IT Security, Federal Agencies Should Look to States

The federal government has a terrible track record in cybersecurity, with basic safeguards absent and fragmented enforcement. According to an analysis conducted last year by SecurityScorecard (a prominent benchmarking firm), the U.S. government ranks at the bottom of 17 major industries in protecting critical systems. But there’s hope, as state and local systems outshine their federal counterparts while keeping costs to a minimum. By emulating state-led reform efforts, federal policymakers can safeguard stability and keep taxpayer dollars from being wasted.

While many federal agencies have abysmal cyber track records, the Internal Revenue Service may be the worst. As the Taxpayers Protection Alliance has previously documented, the IRS hasn’t moved past the 1960s in technological prowess. According to a September audit conducted by the Treasury Inspector General for Tax Administration, nearly 70 percent of the infrastructure underpinning IRS operations is “beyond its useful life.” In fiscal year 2016, 107 incidents requiring IRS support were traced back to aged software, with resulting replacement costs totaling $6.6 million.

NASA fares little better in safeguarding the digital domain. An Office of Inspector General report released recently on NASA’s information technology compliance found that, despite $1.4 billion in annual IT funding, NASA remains hopelessly outmatched. The OIG concluded that little has changed since 2013, when IT governance was described as “inefficient, ineffective, and overly complex.” In particular, devices are not adequately encrypted, information system inventories are rarely updated, and, astoundingly, known software vulnerabilities have not been patched.

According to Chris Wysopal, chief technology officer of the cloud-based service firm Veracode, “they (agencies) don’t fix them because there’s no regulation or compliance rules that require it … When we evaluate these agencies, we often find that their internal testing procedures involve nothing more than interviewing the people involved, and not testing the systems themselves.” The term “bottom-line thinking” has been used in criticizing businesses obsessed with profit, but in fact, the opposite approach of checking off items without regard for results is far more destructive.

But comparing public and private systems is too simplistic. While the federal government flounders in its effort to secure basic data holdings, states and localities are forging the way forward in cybersecurity. Incentives are still not nearly as rigorous as in the private sector, but the bottom line does become more pressing when governments have to keep their books balanced. For example, 79 percent of states held cybersecurity spending growth below 5 percent from 2015 to 2016, according to the most recent Deloitte-NASCIO Cybersecurity Study. In real terms, more than half of states actually saw declines in cybersecurity spending in 2016. Yet almost across the board, states and localities have gotten far better at finding and containing threats. According to the 2016 Nationwide Cyber Security Review conducted by the Multi-State Information Sharing & Analysis Center, states and localities improved in risk assessment and risk management strategy.

And, unlike the federal government, these improvements are not just the result of checking off items tangential to actual results. CIS Security shows that on “response function,” defined as “An organization’s ability to quickly and appropriately respond to an incident,” state and local scores rose by 5 percent and 3 percent respectively. Interestingly, though, states don’t seem to be investing in procedural verification for its own sake; the “governance” indicator declined 1 percent last year.

It is easy to over-interpret simplistic scores created by a third-party organization. What have states and localities actually done to shore up cybersecurity while saving taxpayers from needless expenses? Louisiana and Hawaii may hold the answer.

Louisiana remains a leader of consolidation efforts, saving $70 million over the past three years by bringing all IT services under the new Office of Technology Services. And, to avoid cost overruns and dubious spending, OTS funds its operations by billing agencies for IT efforts instead of directly receiving a check from Baton Rouge.

Hawaii has also been a leader in reform efforts, pursuing off-the-shelf IT products instead of pricey, specialized software that doesn’t provide a clear leg-up. Despite all of the wasteful spending that accompanied Medicaid expansion, Hawaii was able to create a new digital integrated eligibility system on time and on budget by rejecting a large customized solution in favor of more conventional products.

State and local cyber efforts are, of course, far from perfect. But the ingenuity and cost saving exhibited by states like Louisiana and Hawaii are a far cry from the malaise at the federal level. Sprawling decentralization in IT networks has only recently been targeted by the new administration’s “modernization initiative,” and boutique security products for even simple data holdings cost taxpayers an arm and a leg.

Much work needs to be done, and the federal government will never be as nimble as states and localities in confronting these gargantuan challenges. But by looking at the best practices of reforming states and devolving data-keeping down to the state level, the federal government can ensure a safe digital domain while saving taxpayers from billions in unnecessary costs.

Ross Marchand is the policy director of the Taxpayers Protection Alliance.

Morning Consult