Yoran: Locals must lead IT security

DHS infrastructure protection

Local officials must take the lead in securing the information infrastructure within their jurisdictions, but the Homeland Security Department is standing by ready to help, according to Amit Yoran, director of the department's National Cyber Security Division.

Cybersecurity is still several steps behind physical security when it comes to the attention and priority of officials at all levels of government, officials stressed at the midyear conference of the National Association of State Chief Information Officers in Chicago. One of the most worrying examples of this is the lack of mention of information infrastructure in grants guidance from DHS' Office of Domestic Preparedness, said Randy Potts, the chief information security officer for Nevada.

"It has been all about boots and suits for a very long time," agreed Aldona Valicenti, the former president of NASCIO and CIO of Kentucky, now with Oracle Corp. She urged Yoran to use his and other's political influence to make cybersecurity more visible in the official language and requirements for homeland security at the federal level.

Some states are already putting cybersecurity among the top issues on their homeland security lists. Indiana has created three task forces for particularly urgent areas within the state: agriculture, transportation and cybersecurity.

The cybersecurity task force has taken a bit longer than the others to get off the ground because of confusion over where the industry viewpoint fits in, said Clifford Ong, homeland security director for Indiana. "We haven't really defined the population or what it is we want to try to do," he said.

However, the state has already dedicated $1 million to an intrusion detection system for all of the state's information networks while the task force gets going, Ong said. The guidance for passing on federal homeland security grant funding to local jurisdictions also includes a requirement that cybersecurity must be involved in the solution, he said.

At the federal level, the NCSD and its parent organization, the Information Analysis and Infrastructure Protection Directorate, are doing what they can to make sure that the physical experts are also thinking about the cyber vulnerabilities and consequences, Yoran said.

Exercises seem to be one of the best ways to foster this type of broader understanding, said Stuart McKee, CIO for the state of Washington. The TopOff exercise conducted in part of that state last year significantly changed the perspective of many officials about the importance of cybersecurity, and that change has lasted, he said.

There are further exercises planed