No longer just an IT an issue, cybersecurity requires buy-in and engagement across the government enterprise and beyond its walls.
On the morning of March 22, Atlanta came under attack by cyber criminals who took the city government's data and systems hostage, demanding $51,000 in Bitcoin to decrypt the data. The ransomware attack was successful, and portions of the city’s digital infrastructure were compromised. Just a couple of days later, Baltimore’s 911 dispatch system was attacked and taken offline by hackers, seriously imperiling public safety in the community.
These recent attacks are just the latest examples of cyber criminals targeting state and local governments. In fact, just last year, the Islamic State targeted a wide swath of government websites, including those of the Town of Brookhaven on Long Island and the State of Ohio. It hijacked the websites and replaced their governmental content with ISIS propaganda to frighten America’s citizens and deface one of the primary means through which governments communicate with their constituents. These acts, while not devastating in their physical effects, represent a fundamental shift in malefactors' targets and the start of an increasingly disturbing trend.
Previously, attacks on private entities like banks and major companies offered a big payday, while federal government targets represented a particularly strong opportunity to make a broadly heard political statement. But as barriers to entry for would-be cyber criminals decrease and large enterprises improve cybersecurity and information governance and management, bad actors are targeting smaller, more vulnerable targets, hoping for quick success and, increasingly, aiming to frighten their citizens by striking closer to where they live.
These examples should act as a wake-up call for local governments that cybersecurity risk is real and that cyberattacks are coming. While cybersecurity was once a mere line item on an IT manager’s budget, the scope of the risk has expanded so much and so rapidly that risk management requires the broader engagement of all the stakeholders, most importantly policymakers and elected officials. If government IT managers and cybersecurity experts want to create a strong cybersecurity posture for their organizations, they must seek meaningful buy-in from nontechnical leadership and decision-makers.
In the private sector, this shift has already begun. The Securities and Exchange Commission, for example, has issued guidance that boards of directors actively engage with their companies’ cybersecurity postures and that corporate directors bear a derivative liability for a cyber attack. The stakes are growing, and engagement by nontechnical leadership at the most senior levels is commencing. Without these same external regulatory and legal pressures, it falls upon the shoulders of government IT and information security personnel to stimulate and foster this engagement. This is, most certainly, no easy task.
The process must begin by understanding why local governments have come into the crosshairs of cyber malefactors. Local governments tend to be more broadly distributed and, correspondingly, less well funded than their federal analogues. Nonetheless, they control access to critical data and systems, from the personal and financial information of government employees and local residents to the control of many facets of local infrastructure, which are essential to a locality's safety and economic functioning. Thus, attacks on local governments are slowly rising in prominence and frequency. The stakes are high, and now is the time for policymakers at every level to take decisive action -- before a real crisis compels it.
To begin this process, it is important to understand the spectrum of threats posed by bad actors. According to the 2017 Verizon Data Breach Incident Report, public entities are the third most targeted sector (behind financial and health care services), and 81 percent of reported public-sector breaches were caused by cyber espionage, insider threats and other technical errors. Simply put, as a public entity, government IT managers must defend against serious threats from outside agents and from within (whether through internal malefactors, negligence or incompetence), which requires time, attention and resources. However, it is equally essential IT managers work with nontechnical stakeholders and decision-makers to develop and obtain buy-in for the comprehensive policies and procedures necessary to achieve a robust security posture.
Just as important as the sources of threats, is the potential severity of their first and second-order effects. Cyber attacks can result in the compromise of sensitive, private data and in losing access to important systems. A less common mode of attack is an assault on the integrity of the data held by the government. If, for example, a locality has adopted digitally based tax collection systems, an attack on the integrity of the tax records can lead to a complete inability of the government to effectively and equitably manage these systems without a costly, complicated and time-consuming response process. These modes of attack are becoming more common and can be even more severe than other, more prevalent and well-known modes of attack.
As systems become increasingly automated and networked, essential aspects of the infrastructure, controlled by local governments or affiliated or subsidiary entities can also become targets, with the potential for truly terrifying consequences. The scale and scope of these attacks can be unprecedented and, if successful, will require the response of countless stakeholders at every level of government, not to mention the potentially immense costs required to bring systems back to full operational capacity. Additionally, the damage to public trust can inhibit the proper functioning of government for an extended period. It is important that nontechnical stakeholders properly understand the risks and consequences of a cyber attack. While certainly not the only method for gathering buy-in, frank discussions can certainly drive home the gravity of the issue.
While cybersecurity has long been on the radar of local governments, the current threat environment has moved the issue to the fore. Simply put, local governments cannot cling to the hope that they will not find themselves in the crosshairs of sophisticated threat actors. Case after case demonstrates that these actors have expanded their focus, targeting a wider variety of potential targets, including state and local governments. Understanding the risks discussed above is critical for nontechnical stakeholders who play a role in shaping the cybersecurity posture of local institutions and securing their communities. Fortunately, local governments can tap into invaluable resources and partnerships for substantial expertise without having to develop or hire all of the necessary expertise in house.
Cybersecurity is no longer an issue owned purely by IT and security professionals. Rather it is a dynamic iterative process that requires buy-in and engagement across the organization and beyond its walls. Only once all the stakeholders in a local government are engaged can the institutions and the broader community truly be secure.