Local governments in the U.S., like schools and hospitals, are particularly enticing “soft targets” – organizations that lack the resources to defend themselves against routine cyberattacks, let alone a lengthy cyber conflict. For those attacking such targets, the goal is not necessarily financial reward but disrupting society at the local level.
From issuing business licenses and building permits and collecting taxes to providing emergency services, clean water and waste disposal, the services provided by local governments entail an intimate and ongoing daily relationship with citizens and businesses alike. Disrupting their operations disrupts the heart of U.S. society by shaking confidence in local government and potentially endangering citizens.
Local governments have suffered successful cyberattacks in recent years. These include attacks on targets ranging from 911 call centers to public school systems. The consequences of a successful cyberattack against local government can be devastating.
I and other researchers at University of Maryland, Baltimore County have studied the cybersecurity preparedness of the United States’ over 90,000 local government entities. As part of our analysis, working with the International City/County Management Association, we polled local government chief security officers about their cybersecurity preparedness. The results are both expected and alarming.
Among other things, the survey revealed that nearly one-third of U.S. local governments would be unable to tell if they were under attack in cyberspace. This is unsettling; nearly one-third of local governments that did know whether they were under attack reported being attacked hourly, and nearly half at least daily.
Lack of sound IT practices, let alone effective cybersecurity measures, can make successful cyberattacks even more debilitating. Almost half of U.S. local governments reported that their IT policies and procedures were not in line with industry best practices.
In many ways, local governments are no different from private companies in terms of the cybersecurity threats, vulnerabilities and management problems they face. In addition to those shared cybersecurity challenges, where local governments particularly struggle is in hiring and retaining the necessary numbers of qualified IT and cybersecurity staff with wages and workplace cultures that can compare with those of the private sector or federal government.
Additionally, unlike private companies, local governments by their nature are limited by the need to comply with state policies, the political considerations of elected officials and the usual perils of government bureaucracy such as balancing public safety with the community’s needs and corporate interests. Challenges like these can hamper effective preparation for, and responses to, cybersecurity problems – especially when it comes to funding. In addition, much of the technology local communities rely on, such as power and water distribution, are subject to the dictates of the private sector, which has its own set of sometimes competing interests.
Large local governments are better positioned to address cybersecurity concerns than smaller local governments. Unfortunately, like other soft targets in cyberspace, small local governments are much more constrained. This places them at greater risk of successful cyberattacks, including attacks that otherwise might have been prevented. But the necessary, best-practice cybersecurity improvements that smaller cities and towns need often compete with the many other demands on a local community’s limited funds and staff attention.
There’s no quick or foolproof fix to eliminate all cybersecurity problems, but one of the most important steps local governments can take is clear: Implement basic cybersecurity. Emulating the National Institute of Standards and Technology’s national cybersecurity framework or other industry accepted best practices is a good start.
I believe government officials, especially at the local level, should develop and apply the necessary resources and innovative technologies and practices to manage their cybersecurity risks effectively. Otherwise, they should be prepared to face the technical, financial and political consequences of failing to do so. [Abridged]