WASHINGTON — As the second Persian Gulf War escalates and terrorist threats loom, a research group says Utah is among only 14 states that have managed to adopt adequate laws and safeguards against cyberattacks.
"This means that 36 states have not prepared, adopted, and fully implemented the security requirements set forth by Congress" in 1999, according to a report released Monday at the National Press Club by Zeichner Risk Analytics, a company that studies risk and security issues for business and government .
That research group put each state in one of three categories: those states in full compliance with orders by Congress to develop policies to protect key computer systems, especially in the financial services sector; states in partial compliance with pending legislation or regulations; and those with little or no cyber-security activity.
Utah was among 14 states plus the District of Columbia that were considered to be in full compliance; 14 states were listed in partial compliance; and 22 states were listed as taking little or no action against cyberthreats.
"As the nation enters the initial phases of the war in Iraq and con-
tinues to fight terrorism in the homeland, state governments must harden local infrastructure, collaborate with the business community, and enhance response capabilities in the event of an infrastructure failure," the report said.
It noted that "state and local government are responsible for essential citizen services, including emergency medical, 911 communications and critical utilities, such as water and electricity."
The research group said it was surprised that so many states have not prepared better policies by now because models have been made available by several federal agencies and groups such as the National Association of Insurance Commissioners. It urged adoption of those models by more states
While progress by states has been generally slow, the report said that business and the federal government have been especially busy developing policies and procedures against cyberattacks, especially in the financial services sector.
The report urged states to pick up efforts saying, "A single, knowledgeable terrorist or malicious hacker can disrupt state and local services at great speeds. The public's trust and confidence rest on government's ability to lead by example and manage infrastructure disruptions."
It added, "The costs and damage from the lack of state-based compliance and leadership is considerable. Insurance companies must use considerable funds tracking cyber-security programs in each state.
"Many insurance companies are licensed to conduct business in all 50 states, so the lack of a uniform national model, with consistent compliance time lines, potentially leads to diverse cyber-security requirements," it said.
"Perhaps most importantly, states are sending the wrong message to the private sector, their citizenship and the federal government," it said. "State government must act as a model for sound security to establish credibility."