Local government and cybersecurity: Working with all the stakeholders

No longer just an IT an issue, cybersecurity requires buy-in and engagement across the government enterprise and beyond its walls.

On the morning of March 22, Atlanta came under attack by cyber criminals who took the city government's data and systems hostage, demanding $51,000 in Bitcoin to decrypt the data. The ransomware attack was successful, and portions of the city’s digital infrastructure were compromised. Just a couple of days later, Baltimore’s 911 dispatch system was attacked and taken offline by hackers, seriously imperiling public safety in the community.

These recent attacks are just the latest examples of cyber criminals targeting state and local governments.  In fact, just last year, the Islamic State targeted a wide swath of government websites, including those of the Town of Brookhaven on Long Island and the State of Ohio. It hijacked the websites and replaced their governmental content with ISIS propaganda to frighten America’s citizens and deface one of the primary means through which governments communicate with their constituents. These acts, while not devastating in their physical effects, represent a fundamental shift in malefactors' targets and the start of an increasingly disturbing trend.

Previously, attacks on private entities like banks and major companies offered a big payday, while federal government targets represented a particularly strong opportunity to make a broadly heard political statement. But as barriers to entry for would-be cyber criminals decrease and large enterprises improve cybersecurity and information governance and management, bad actors are targeting smaller, more vulnerable targets, hoping for quick success and, increasingly, aiming to frighten their citizens by striking closer to where they live.

These examples should act as a wake-up call for local governments that cybersecurity risk is real and that cyberattacks are coming. While cybersecurity was once a mere line item on an IT manager’s budget, the scope of the risk has expanded so much and so rapidly that risk management requires the broader engagement of all the stakeholders, most importantly policymakers and elected officials. If government IT managers and cybersecurity experts want to create a strong cybersecurity posture for their  organizations, they must seek meaningful buy-in from nontechnical leadership and decision-makers.

In the private sector, this shift has already begun. The Securities and Exchange Commission, for example, has issued guidance that boards of directors actively engage with their companies’ cybersecurity postures and that corporate directors bear a derivative liability for a cyber attack. The stakes are growing, and engagement by nontechnical leadership at the most senior levels is commencing. Without these same external regulatory and legal pressures, it falls upon the shoulders of government IT and information security personnel to stimulate and foster this engagement. This is, most certainly, no easy task.

The process must begin by understanding why local governments have come into the crosshairs of cyber malefactors. Local governments tend to be more broadly distributed and, correspondingly, less well funded than their federal analogues. Nonetheless, they control access to critical data and systems, from the personal and financial information of government employees and local residents to the control of many facets of local infrastructure, which are essential to a locality's safety and economic functioning. Thus, attacks on local governments are  slowly rising in prominence and frequency. The stakes are high, and now is the time for policymakers at every level to take decisive action -- before a real crisis compels it.

To begin this process, it is important to understand the spectrum of threats posed by bad actors. According to the 2017 Verizon Data Breach Incident Report, public entities are the third most targeted sector (behind financial and health care services), and 81 percent of reported public-sector breaches were caused by cyber espionage, insider threats and other technical errors. Simply put, as a public entity, government IT managers must defend against serious threats from outside agents and from within (whether through internal malefactors, negligence or incompetence), which requires time, attention and resources. However, it is equally essential IT managers work with nontechnical stakeholders and decision-makers  to develop and obtain buy-in for the comprehensive policies and procedures necessary to achieve a robust security posture.

Just as important as the sources of threats, is the potential severity of their first and second-order effects. Cyber attacks can result in the compromise of sensitive, private data and in losing access to important systems. A less common mode of attack is an assault on the integrity of the data held by the government. If, for example, a locality has adopted digitally based tax collection systems, an attack on the integrity of the tax records can lead to a complete inability of the government to effectively and equitably manage these systems without a costly, complicated and time-consuming response process. These modes of attack are becoming more common and can be even more severe than other, more prevalent and well-known modes of attack.

As systems become increasingly automated and networked, essential aspects of the infrastructure, controlled by local governments or affiliated or subsidiary entities can also become targets, with the potential for truly terrifying consequences. The scale and scope of these attacks can be unprecedented and, if successful, will require the response of countless stakeholders at every level of government, not to mention the potentially immense costs required to bring systems back to full operational capacity. Additionally, the damage to public trust can inhibit the proper functioning of government for an extended period. It is important that nontechnical stakeholders properly understand the risks and consequences of a cyber attack. While certainly not the only method for gathering buy-in, frank discussions can certainly drive home the gravity of the issue.

While cybersecurity has long been on the radar of local governments, the current threat environment has moved the issue to the fore. Simply put, local governments cannot cling to the hope that they will not find themselves in the crosshairs of sophisticated threat actors. Case after case demonstrates that these actors have expanded their focus, targeting a wider variety of potential targets, including state and local governments. Understanding the risks discussed above is critical for nontechnical stakeholders who play a role in shaping the cybersecurity posture of local institutions and securing their communities. Fortunately, local governments can tap into invaluable resources and partnerships for substantial expertise without having to develop or hire all of the necessary expertise in house.

Cybersecurity is no longer an issue owned purely by IT and security professionals. Rather it is a dynamic iterative process that requires buy-in and engagement across the organization and beyond its walls. Only once all the stakeholders in a local government are engaged can the institutions and the broader community truly be secure.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.