Zero One: States Woo Cybersecurity Pros

Written by Tom Kaneshige
February 16, 2017

States must recruit cybersecurity pros to fend off hackers targeting their valuable data. Virginia is in the vanguard, while others fall behind.

SAN FRANCISCO — On Valentine’s Day, Virginia Gov. Terry McAuliffe, speaking at RSA Conference 2017 in San Francisco, courted cybersecurity pros to live and work in the state known for lovers. His overtures, though, belie a serious problem. State governments lack enough cybersecurity pros to battle hackers who’ve put states in their crosshairs.

“My whole initiative as chairman of the [National Governors Association] is cybersecurity, because we at the state level collectively have more data than the federal government,” McAuliffe said.

State governments store a bounty of valuable data, such as state tax returns, healthcare records and driver’s license information. Add to this Virginia’s vast military installations – The Pentagon in Arlington, CIA in Langley, FBI Academy in Quantico, Naval Air Station Oceana in Virginia Beach – and it’s no surprise Virginia faced some 86 million cyberattacks last year, averaging three every second.

“The attacks are so enormous,” McAuliffe said. “They’re trying to shut down our 911 emergency call centers, they’re [trying to steal] our hospital data.”

Out of necessity, Virginia has taken the vanguard in cybersecurity, but other states are falling behind. South Carolina and Utah, for instance, have already had serious breaches, McAuliffe said.

“We have probably 10 to 15 states in America that have done what they need to do with protocols and have put us in a very good position,” McAuliffe said. “We have about maybe 10 to 15 states that are doing an ok job. The remaining 20 really haven’t done much.”

Unfortunately, cybersecurity laggards impact others, given that states share providers. Hackers can attack a cybersecurity-focused state such as Virginia by going through the backdoor of, say, a healthcare provider that has been infiltrated in a state with poor cybersecurity.

“We are only as strong as our weakest link,” McAuliffe said.

McAuliffe said he would like to see a nationwide framework, even a federal law and policy to protect data. The goal is to raise cybersecurity practices for all 50 states.

“Unfortunately due to, I say, partisan politics, you can’t get the congress to agree, so we’re having to do that at the state level,” McAuliffe said. “That’s frustrating.”

Virginia offers many state programs to attract and nurture cybersecurity talent. For example, Virginia boasts “cyber-camps” for children, a training program for veterans, and student scholarships in exchange for service – “You work for the state a couple of years, I’ll pay for your education,” McAuliffe said. Virginia’s community colleges and universities also offer cybersecurity tracks.

Nevertheless, the hard-fought battle against hackers wages on as Virginia and other states try to grow their cybersecurity ranks. Virginia currently has 36,000 cybersecurity job openings with a starting annual salary of $88,000.

“Just two weeks ago in Virginia, a foreign actor tried to get my personal data from the state,” McAuliffe said, adding, “We had the Anthem breach [in 2015]. Three of my five children had their standard information taken. My secretary of Veterans Affairs, a retired four-star admiral, had his fingerprints, everything taken from him.”

Tom Kaneshige writes the Zero One blog covering digital transformation, big data, AI, marketing tech and the Internet of Things for line-of-business executives. He is based in Silicon Valley. You can reach him at tom.kaneshige@penton.com.