The views expressed by contributors are their own and not the view of The Hill

The election wasn’t hacked, but state IT systems still need help


It’s been almost two weeks since the voting stopped, and by most accounts 2020 was the most secure election in modern times. Much credit goes to the Cybersecurity and Infrastructure Security Agency (CISA) and its fearless leader Chris Krebs, who made election security the agency’s number one priority. Credit is also due to Cyber Command for taking an aggressive stance against Russian hackers and moving the fight to their networks.

And while state election officials and IT teams should also be applauded for their efforts to bolster systems ahead of the election, the good outcome should not lull us into a false sense of security — state IT systems remain dangerously vulnerable at a time when they are being relied upon more than ever.

In a report entitled “States at Risk,” the National Association of State Chief Information Officers (NASCIO) and the consulting firm Deloitte paint a dire picture of the state of state IT security, identifying insufficient budgets, inadequate staffing, and the presence of legacy infrastructure as barriers to cybersecurity.

These findings are supported by data from the security ratings firm SecurityScorecard, which found in its recent report that a full three-quarters of states have cyber health ratings of a “C” or below. (Full disclosure: I am an advisor to SecurityScorecard.) These grades are based on observable problems with state IT systems, including unpatched systems and the presence of malware.

Unpatched vulnerabilities and malware infections are simply indications of a more fundamental challenge. For most states, poor cybersecurity is not just the result of insufficient resources to secure systems but stems from outdated IT systems that are all but impossible to secure.

SecurityScorecard found outdated operating systems such as Windows 2000 and ancient browsers including early versions of Internet Explorer across state governments. These systems are not only insecure but also indicate that state governments are operating with decades-old technology at a time when modern, flexible IT systems are critical not only to cybersecurity but also to service delivery. Efficient operation of government services during a pandemic simply cannot take place on outdated IT infrastructure.

To fix this problem, states require a massive influx of funds to build, secure and sustain modern IT infrastructure, yet they are in no position to make these investments on their own.

NASCIO found that most state governments devote just 1 percent to 3 percent of their IT budgets to cybersecurity — versus over 10 percent for financial institutions and over 15 percent for federal agencies. Closing this gap is not something states can do on their own. 

According to the National Conference of State Legislatures, state tax revenues are coming in at as much as 30 percent below pre-COVID levels, and state services are in higher demand than ever. States and localities had planned to invest more than $110 billion in IT projects this year. Much of that investment has been delayed or scrapped altogether. 

As Congress looks to rebuild the economy following the pandemic, federal funding to modernize and secure state IT infrastructure should be a top priority.

Given that state coffers have been nearly emptied by the pandemic, federal support is essential. As part of the next round of financial stimulus, Congress must include significant funds to reinvigorate state IT spending to modernize and secure these vital systems.

A bill in Congress, the State and Local IT Modernization Act, would do just that, providing $25 billion to states through the Department of Homeland Security. Congress should move rapidly to turn this bill into law.

If there is any good news, it may be that the poor cybersecurity in state governments appears to be a bipartisan issue. In SecurityScorecard’s assessment, red states on average scored a 76 and blue states scored a 75 on a 100-point scale. The high-tech hubs (and perpetual blue states) of Massachusetts and California both scored a “C.” Reliably red Kentucky and Kansas were two of only three states (along with swing state Michigan) to score an “A.”

Given that politics appears to play no role in determining the cyberhealth of state IT systems, Congress may actually be able to agree on the need to address this problem.

Rob Knake is a Senior Fellow at the Council on Foreign Relations and the former Director for Cybersecurity Policy at the White House.