Cybersecurity has become a growing challenge for all levels of government, especially as digitalization and remote working increases among government agencies
The evolutionary nature of where we work along with the persistence of digital governance has made cybersecurity an ever-increasing concern for all levels of government. Cybersecurity is increasingly viewed as a shared responsibility in order to protect personally identifiable information and for the continuity of government operations.
Cybersecurity attacks on local governments and state agencies predate the pandemic but have only worsened in recent years. The cities of , respectively, which caused major service disruptions and cost more than a combined $30 million dollars to mitigate.
As the pandemic escalated in 2020, 44% of global ransomware attacks specifically . A survey administered by the International City/County Managers Association (ICMA) on cybersecurity noted that 21.4% of local government respondents had experienced in the last calendar year. More than 90% of respondents indicated that attacks within their organization were increasing in frequency.
Pandemic-exposed weak spots
The pandemic peak time in 2020 showed weak spots in cybersecurity as more employees began working virtually, leading to new personal electronic devices accessing networks remotely, and increasing use of digital interface tools like Zoom and Microsoft Teams. A Deloitte report surveying state chief information officers indicated that ; indeed, by the end of 2020, 35 states had more than half of their state workforce working remotely, and nine states had more than 90% of their workforce working remotely.
Unfortunately for cybersecurity protection, those employees quarantined in 2020 and working remotely were less likely to have . Organizations without asynchronous collaboration tools likely saw an increase in the transfer of sensitive documents via email. The pandemic overlapped with the massive growth of the Internet of Things — such as wearable technology and smart devices — and the number of connected devices globally ballooned from seven billion devices in 2018 to 31 billion devices in 2020, creating .
Why local governments are targeted
Local governments capture such as names, addresses, driver’s license numbers, forms of payment, Social Security numbers, and more. This type of data has high value for cyber-criminals to capture, sell, or hold for ransom. With more than 90,000 local government organizations in the United States, the targets are numerous, and even worse, many of those government agencies fend for themselves in regard to their network security. That makes — such as counties, small cities, towns, and educational institutions — particularly vulnerable to cyber-attacks.
Of course, ransom is not the only goal of cyber-attackers. An increasing prevalence of — cybersecurity attacks for political motives — is responsible for 9% of attacks targeting government agencies last year. And a final goal (beyond the expression of political sentiments or financial gain) of cyber-attacks on local governments is to shake the public’s confidence in local systems and endanger citizens. This is even more worrisome because local government systems often manage emergency response operations, traffic flow, and public utilities.
Cybersecurity attacks against local government agencies have long-ranging impacts from mild inconveniences to serious disruptions of day-to-day life. In early 2021, a was launched against nearly two dozen Texas municipalities by a Russia-based crime syndicate, which had gained access through a third-party firm that provides technology services to local government agencies. Minor inconveniences stemming from this attack included vital records being offline and public meeting agendas having to be printed. More problematic: police officers couldn’t retrieve records digitally and municipal payrolls could not be processed. Most alarmingly: one unnamed municipality was forced to operate their water supply system manually for more than a week.
Impacts from attacks against state or local governments can spread widely. For example, a single malware incident in Miller County, Arkansas spread to .
Cybersecurity funding & policy
According to a 2021 ICMA report, the for local governments are: i) the inability to pay competitively for employees; ii) insufficient numbers of cybersecurity staff; and iii) a general lack of funds. As the costs and risks for cybersecurity management increase, local governments would be well-informed to when seeking additional funding. Cybersecurity insurance is another option that local government agencies might think about funding, especially considering that the average public sector cybersecurity incident .
The 2022 requires U.S. government agencies to report cyber-attacks within 72 hours and report ransomware payments within 24 hours. States are also subject to the same attack report criteria. The decentralized , a part of the Infrastructure Investment and Jobs Act and the Department of Homeland Security, has dedicated $185 million in FY 2022 to enhancing cyber-governance and planning, building a cybersecurity workforce, and assessing and evaluating systems and capabilities. A large portion (80%) of allocations to each state must support local entities.
Collaborative state & local solutions
At the state level, Massachusetts has funded cybersecurity programs through their Office of Municipal and School Technology — part of the Executive Office of Technology Services and Security. This program offers and assessments at no cost. End-user training, phishing drills, and other exercises can help mitigate outside attacks and prevent internal user errors that could leave systems vulnerable, especially to phishing attacks, which are reported to be all attack vectors.
New York City and New York State have created a new model of joint operations through their (JSOC), which co-locates city and state cybersecurity personnel in the same command center to enhance collaboration and information-sharing. JSOC offers endpoint detection and response services for five major upstate cities and 50 qualifying New York State counties. In order to qualify for three years of support at no cost, New York municipalities and counties must share their detection logs, which in turn, helps state systems to continually improve and can offer insights and warnings to potential victims.
