Around half of states typically considered battleground states are facing cybersecurity challenges that put them at increased risk of a cybersecurity breach, a study released Thursday found.
IT security group SecurityScorecard evaluated and ranked all U.S. states and territories on their overall cybersecurity posture between September and early October, examining state election-related websites, along with network security, information leaks, endpoint security and other cybersecurity issues.
The company awarded 75 percent of all states and territories a “C” rating or below, including traditional swing states such as Florida, Iowa, Nevada, New Hampshire and Ohio. Of these, 35 percent were awarded a “D” or below, with North Dakota, Puerto Rico and American Samoa awarded the lowest scores.
Kevin Ford, the chief information security officer for the state of North Dakota, pushed back against the company's findings, telling The Hill that his state had significantly stepped up efforts to prioritize cybersecurity over the past several years.
These efforts include legislation signed into law last year that created a unified cybersecurity strategy applying to all sectors of state government including K-12 and higher education efforts, along with the state's K-20W initiative, which is an effort rolled out last year to increase cybersecurity training and resources for teachers, administrators and students.
"North Dakota is seen as a leader in cybersecurity by multiple third parties and has invested significantly in cybersecurity from a unified, statewide approach," Ford told The Hill in an emailed statement. "North Dakota works with dozens of stakeholders across the state to continuously elevate our collective cybersecurity posture."
Only three states — Kentucky, Kansas and Michigan — were awarded an “A” or above, while traditional swing states including Pennsylvania and Wisconsin received “B” scores. Among the U.S. territories, none ranked higher than a “C” rating.
SecurityScorecard noted that the lower the rating, the more susceptible the state was to a major cybersecurity incident, with a state receiving a “D” rating around four times as likely as a state awarded an “A” to experience a data breach.
The company also noted that the cybersecurity posture of many states had declined during the COVID-19 pandemic because more government employees were working from home, which expanded the attack surface for hackers through an influx of less secure networks.
For states with lower scores, the researchers alleged that the security of election infrastructure could be put at risk as part of larger cybersecurity concerns.
“Since 2016, states have undoubtedly made improvements to their IT infrastructure in the wake of interference from foreign threat actors, particularly during the 2016 election,” SecurityScorecard researchers wrote in the report. “But, the pandemic has brought significant challenges to states with many facing hiring freezes and significant budget deficits. States cannot do this alone.”
The company advocated for Congress to provide cybersecurity funding to states to address shortfalls, citing “chronic underinvestment” by many states in this area.
“The voting infrastructure and the upcoming election is only a very small part of a very bigger story: states are in an even more difficult position given the pandemic and they need federal assistance,” SecurityScorecard researchers wrote.
The company's findings came amid ongoing efforts by federal, state and local officials to shore up election security and ensure voter safety ahead of November.
Top officials have warned that foreign adversaries including Russia, China and Iran are attempting to interfere in the elections process, though the federal effort to combat election security threats has been significantly stepped up since Russian agents interfered in the 2016 presidential election.
The study from SecurityScorecard was released the day after a second study on state cybersecurity concerns was rolled out by the National Association of State Chief Information Officers (NASCIO) and Deloitte.
NASCIO and Deloitte found that the COVID-19 pandemic has significantly increased state cybersecurity problems, mostly due to the shift to remote working and to cybersecurity funding not being prioritized at the state level.
The organizations found that less than 40 percent of the 51 U.S. state and territory chief information security officers (CISOs) polled had a dedicated line item for cybersecurity in the budget, and that half of states spend less than 3 percent of their IT budget on cybersecurity.
“The last six months have created new opportunities for cyber threats and amplified existing cybersecurity challenges for state governments,” Meredith Ward, director of policy and research at NASCIO, said in a statement. “The budget and talent challenges experienced in recent years have only grown, and CISOs are now also faced with an acceleration of strategic initiatives to address threats associated with the pandemic.”
States have faced increasing cybersecurity challenges over the past two years, in particular from ransomware attacks, with cities including Atlanta, Baltimore and New Orleans spending millions of dollars to recover from these types of attacks that lock up systems.
Members of Congress on both sides of the aisle have recognized the increasing cyber challenges faced by states and localities, introducing numerous pieces of legislation over the past year designed to provide funding and other resources.