Why is State Cybersecurity better than Federal Cybersecurity?


In the absence of cybersecurity regulation and assistance at the federal level, states have started to take up the slack. That means that state-run cybersecurity measures are becoming the standard for organizations and consumers instead of federal laws and solutions.

The biggest state cybersecurity regulations that have been passed were from New York state, mostly to ensure its financial institutions, like big banks and Wall Street, maintain their cybersecurity programs and stay ready for any attacks or malicious actors.

States Take It More Seriously

The topic of cybersecurity is often taken vastly more seriously by states, due in part to the fact that there is a history of states being exploited by hackers. Examples include Alabama, North Carolina, Tennessee, New Jersey, Texas, & many more.

The City of Atlanta was recently the victim of a cybersecurity attack that affected over six million people and caused millions of dollars in damages.

States Set The Way

Most think of the federal government as the biggest player in setting regulations of all types. However, in the case of cybersecurity, states are often creating the models and processes that are being converted by the federal government into its national laws and processes. A good way to think of this is that states are way more agile than the federal government as a whole.

Oftentimes federal oversight is clunky, due in part to the vast differences in how states operate. That’s why the federal government is using what the states are creating, instead of the opposite, which is what you most often see in situations not pertaining to cybersecurity.

States Have More Local Responsibilities

Why are states leading the way? To put it simply, they have more to lose. Many states don’t rely on the federal government when it comes to essential local services. That means that a cyber attack at the state level can affect things like first-responder dispatching, law enforcement, medical services such as hospitals, and other infrastructure elements like power, water, & sewage.

Especially as the world relies more and more on digital systems & infrastructure, this underlines why states are leading the way when it comes to cybersecurity.

Most states are outright beating the federal government when it comes to continuously improving processes, training their employees on security practices, & funding cybersecurity initiatives. And when you consider the earlier point, that if a state-level system is compromised thousands could be without medical attention, utility services, or law enforcement, you’ll begin to understand why. Currently, most people don’t depend on solutions and infrastructure from the federal government as much as they depend on state and local systems.

The Federal Government Isn’t Secure To Start With

On the other hand, the federal government continues to have issues with cybersecurity. A recent report from the White House shows that 74% of federal agencies are categorized as either “At Risk” or “High Risk.”

In this report, the White House also outlines that of all the cyber attacks that have been successful at the Federal level, around 38% ended up being unaddressable as they were unable to find out how the attack happened.

Business Accountability & Support

States like New York & California are also leading the way when it comes to penal laws and punishment surrounding cyber terrorism, and other things like phishing.

One of the key points that different states are pushing with their independent cybersecurity initiatives is that businesses need to be held responsible for any cyber breaches they incur, & to help those businesses fix them. This is especially important once you consider that the average business website comes under attack from hackers no less than 8,000 times a year.

One could say that this is more support at the state level than these businesses get from the federal level. These processes at the state level not only support businesses who have a cyber attack, they also provide incentives for businesses and manufacturers to stay secure in the first place.

This means that at the state level, businesses that fail to update their systems to keep them secure may come to regret it even more than they otherwise would, because the state applies lots of pressure from the top down to keep consumers safe.

Voting Happens Locally

There has been lots of discussion when it comes to voting security. And more often than not, the election process for federal, state, and local elections happens at the state level or even the county or district level.

While voting systems do get some measure of support from the federal government, the final responsibility is with the local individuals handling the voting process. This responsibility includes not only maintaining local level voting registries, but also the machines used during elections, and the handling of the data after all votes have been cast.

Separate Challenges

While both state and federal cybersecurity have their own challenges, one thing that overlaps is the lack of sufficient budget resources to tackle said problems. However, states have a huge advantage over the federal government when it comes to WHY they get attacked.

A recent report titled “State Of Cybersecurity In Local, State & Federal Government”, paid for by Hewlett Packard Enterprise and performed and authored by Ponemon Institute, set out to learn the challenges IT and IT security practitioners face in keeping various state & local agencies secure from attacks and threats.

The report lists the reasons why state & federal organizations are having issues and outlines that they are vastly different from each other. And it appears that the challenges facing states are much easier to overcome than what the federal government is dealing with. According to the report, the primary reason why federal agencies can’t keep up with cyberattacks is that they are often dealing with zero-day attacks.

A zero-day attack is when a new vulnerability is discovered by malicious actors, meaning that federal vendors and software haven’t had the ability to implement a solution as the exploit was previously unknown.

However, state bodies most often cite negligent employees and failure to patch known vulnerabilities. When dealing with known vulnerabilities vs. zero-day exploits, one can reason that one problem is much easier to solve than the other. On top of this, the federal government has to deal with attackers from other nation-states, a problem not seen as often by people at the state level.