Two House Homeland Security subcommittees met on Tuesday to discuss how the Department of Homeland Security (DHS) can assist states in preparing for and responding to cyber-attacks. While much of the discussion – led by chairman of the cybersecurity subcommittee, John Ratcliffe – was focused on information sharing and creating partnerships, Ratcliffe also took aim at the Obama administration, claiming that it has made virtually no progress on the National Cyber Incident Response Plan since its first draft was released six years ago. While Chairman Ratcliffe pointed his finger at Obama, claiming that his administration has not taken cyber incident response planning seriously, the blame can also be placed on the states as a the most recent National Preparedness Report found that states are least confident in their cybersecurity capabilities.
While more information sharing between the federal and state levels will certainly help drive communication among separate entities, there was a consensus that the states simply do not have the resources and funding to properly address this problem. The fact that states understand they are losing the fight against cybercrime, yet fail to make any progress is very troubling. However, it appears that the first step needs to be allocating funding specifically for cybersecurity. “Once [the Department of Homeland Security] and Congress allocate funding specifically toward targeting cyber, you’ll start seeing states implementing more of that capability,” said Mark Ghilarducci, director of emergency services in the California governor’s office. Mark Raymond, vice president of the National Association of State Chief Information Officers, further explained that instead of lumping cyber funding in with other critical infrastructure security funding, states need to be able to leverage direct funding for cybersecurity. However, funding is obviously not the only problem that states and the federal government face when it comes to cybersecurity. Participants in the hearing also cited cyber education and cyber hygiene training as necessary areas of improvement as most cyber-attacks and data breaches result from some sort of human error.