3 Cybersecurity 101 for Local Governments

3.1 Introduction

The purpose of this chapter is to acquaint elected officials and top managers of local governments with the basics of cybersecurity and to provide them with an overview of what they should know about this subject, especially if they are not cyber savvy or fluent. The chapter is not technology heavy; rather, it addresses cybersecurity fundamentals in lay terms so that local officials understand those fundamentals and why cybersecurity is important.

The chapter begins with perhaps the most important thing that local officials must fully grasp – cyberattacks. This is followed in order by discussions of cybersecurity vulnerabilities, cybersecurity administration and, finally, non-technical actions to take to ensure high levels of cybersecurity in local governments.

The book also includes a White Paper developed in 2020 by two of the book’s authors at the request of the Coalition of City CISOs (https://cityciso.org) about what local officials should know and should do about cybersecurity. Although the White Paper covers only 10 points and this chapter covers 20, it is included here because it remains highly relevant and covers some of the most important information about cybersecurity that all local officials, regardless of title, should know. It is also available in an easy-to-follow format as a PowerPoint presentation. The White Paper can be downloaded from: https://publicpolicy.umbc.edu/research/white-papers.

3.2 Attacks

This section addresses cyberattacks, their frequency and likelihood of success, types of attacks, and types of attackers.

3.2.1 Under Constant Attack

Local governments are under constant or nearly constant cyberattack. More than one-quarter of the respondents to our 2016 survey (27 percent) said that they were attacked hourly and 19 percent said at least daily (totaling 47 percent). Unfortunately, nearly one in three (29 percent) said that they did not know how frequently their governments were under cyberattack (Norris et al., 2019). Over half (57 percent) of respondents to the 2020 survey said constantly, followed by 29 percent who said hourly, totaling 89 percent (Norris, 2021). So, all local government officials should assume that their information systems are under constant attack. As a result, these officials must make cybersecurity a high priority, fund cybersecurity adequately, and ensure their cybersecurity technology, policies, practices, and personnel are prepared to identify and repel attacks.

3.2.2 Attacks Will Succeed

Inevitably, some attacks will succeed. There is a saying in the field that it is not a question of if an organization will be breached, but when, and the saying is largely true. It is also true that organizations frequently do not know whether they have been breached. In the 2016 survey, 62 percent said they did not know if they had been breached. Half of the governments in the 2020 survey had been breached at least once in the previous year and of those, 21 percent had been breached more than once (7 percent more than three times).

All data breaches are cybersecurity incidents, but not all cybersecurity incidents are breaches.

The news media frequently report major cybersecurity incidents, and this is where ordinary Americans get most of their information about successful attacks, largely because there are few federal or state requirements for organizations to publicly report being breached. The biggest report in 2020 concerned the Russian hack in late December of the software company SolarWinds. That incident affected the company’s customers around the globe including several federal agencies. Similarly, in 2021 a different group of Russian hackers breached the software firm Kaseya and between 1000 and 1500 customers were affected.

Breaches are increasingly common, even breaches of what are thought to be well-protected organizations. So, all local government officials should assume that at some point their governments will be breached and should make sure that they have up-to-date plans to deal with the breach, to ensure the continuity of essential operations during the breach, and to recover from it.

3.2.3 Types of Attacks

Local government officials should be aware of the principal types of cyberattacks that they are likely to face. Although there are numerous types of cyberattacks, this chapter discusses eight of the more common types of attacks.

Malware: Malware is not itself a type of attack; rather, it is what attackers often install once they have penetrated a victim’s IT system. Malware is malicious software (hence, malware) that can do one of several things (all bad) such as encrypting data and files, blocking user access to systems or components of systems, exfiltrating data and files, and more. Fileless malware makes it possible to deliver malware through legitimate programs in order to infect a computer (McAfee, n.d.). Ransomware is a form of malware that is increasingly used in cyberattacks. Significant local government examples include Atlanta, Georgia, and Baltimore, Maryland, as discussed in Chapter 1.

Ransomware: Ransomware is an especially nefarious form of malware. It is typically delivered via social engineering, most often in phishing or spear phishing emails. Once the malware has penetrated an organization’s IT system, the objective is to find and encrypt sensitive data and files and lock down or seriously degrade the organization’s entire IT infrastructure – thus likely paralyzing it and preventing it from conducting its regular business. In the case of local governments, ransomware prevents them from providing essential services to their residents and businesses. The cybercriminals then demand a ransom, usually in the form of Bitcoin or some other cryptocurrency, to release the system and its files and data. The threat is that if the organization does not pay the ransom, the cybercriminal will leave the data and files encrypted or the entire system locked down, or in some cases publicly release the information. The FBI received 2,474 complaints about ransomware attacks in 2020, costing an estimated $29 million in losses (Riley, 2021).

“Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. In cybercrime, these ‘human hacking’ scams tend to lure unsuspecting users into exposing data, spreading malware infections, or giving access to restricted systems” (Kaspersky, 2021). Here is a real-life example of social engineering:

A few years ago, Don received a suspicious email from a trusted source. He contacted the source, who said she had been hacked and not to trust or accept any emails from that email address. This went on for a couple of years before the attacker finally gave up. Don’s personal rule is never to open an attachment or click on a URL that he is not 100 percent certain is legitimate. Don and his son have a code word that they use when sending emails to one another that contain attachments or URLs. If the code word appears in the email, they know that the material is safe and legitimate; otherwise it isn’t.

In the early years of ransomware attacks, many organizations paid the ransom to get their systems back because paying ransom is considerably cheaper than paying to restore an IT system. The consensus on whether to pay ransom has shifted in recent years, although not totally, and organizations increasingly refuse to pay. Today, it is commonly thought that paying ransom is a bad idea because it compensates cybercriminals for their criminality and encourages them to continue ransomware attacks. An article in ProPublica argued that paying ransom “fuels the rise in ransomware attacks” (Dudley, 2019). Also, if these attacks work, as demonstrated by ransom payments, and profit cybercriminals, the criminals will continue attacking.

At its annual meeting in 2019, and at the urging of then-Mayor Jack Young of Baltimore (see Chapter 1), the US Conference of Mayors adopted a resolution urging its members not to pay ransom if their IT systems were victims of a ransomware attack (Duncan, 2019). Also, the US Treasury Department now advises that, under some circumstances, organizations that pay ransom could face major legal penalties. Certainly, federal law enforcement advises against and frowns on paying, and this is increasingly true of state and local law enforcement.

It is never clear that paying ransom will actually result in the cybercriminal releasing the system. Nor is it clear that the criminal won’t change their name and/or IP address and re-attack after payment, since the criminal already knows the organization’s vulnerability and willingness to pay. Hence, paying ransom entails some risk, not least because in some circumstances, paying ransom can be punished with steep fines (e.g., CISOMAG, 2020; KrebsOnSecurity, 2020).

Some, however, still think it is best to pay the ransom. In the short run and for purely financial reasons, this may appear to be the best choice. But paying ransom must also be understood as very short-sighted and selfish. Yes, paying ransom is cheaper, but the harm it causes by incentivizing cybercriminals is undeniable. Today, the best advice to local governments is DON’T pay ransom. Use the money that you would have paid (and more if needed) to further enhance organizational cybersecurity.

Nevertheless, and against this advice, organizations sometimes feel that there is no choice but to pay the ransom. In May of 2021, the company Colonial Pipeline, which supplies gasoline to much of the US east coast, fell victim to a ransomware attack. Because of the damage that the attack would have caused to the US economy, Colonial paid $4.4 million in ransom. The company’s CEO, Joseph Blount, said that he made the decision to pay for the good of the country. As a result, the gasoline shortage lasted days instead of the weeks or longer it might have lasted had the cybercriminals made good on their threat and kept Colonial’s data and systems locked up. Still, in Blount’s own words, the decision was “highly controversial” (Bogage, 2021).

Following the Colonial Pipeline hack by just over a month, the software company Kaseya reported that it had been hit by a major ransomware attack, one that resulted from a zero-day vulnerability. The attackers demanded $70 million in ransom to release the systems and files that they had locked up. Kaseya provides software to about 40,000 customers and, at the time of this writing, it appears that between 1000 and 1500 customers were affected. Kaseya immediately informed its customers of the attack and advised them to disconnect from any Kaseya software they were using (Lerman and De Vynck, 2021).

To prevent ransomware attacks from crippling their IT systems, local governments should, among other things, continually scan their systems for malware, train their employees never to open suspicious emails, and regularly back up their systems (see Back-up and Restore in Section 3.3.4).

Phishing: Phishing is a form of social engineering in which cybercriminals “go fishing” for victims by sending emails, seemingly from trusted parties, with promises, opportunities, or threats the attackers hope victims will fall for. A common phishing attack, which many people have received (and which dates to the late 1990s), is an email from someone in Nigeria promising the targeted party (the potential victim) a large amount of money. The attacker asks the victim for their bank account details so that the attacker can transfer the money. Of course, the transfer never happens, and the scammer later steals funds from the victim’s account. There are variations of this attack, some including URLs or attachments in the email that, if the victim clicks on or opens them, will give the attacker access to the victim’s computer and all of the information in it.

Spear phishing: Spear phishing is a more sophisticated form of phishing in which the cybercriminal uses just enough information to make the victim believe the email came from someone known to the victim or other trusted source. For example, if the victim follows baseball and is a fan of the Baltimore Orioles baseball team, he or she might receive an email that reads something like: “Hey Don (or Laura or Rick)! Have you seen the latest about the Orioles pitching staff? You’ll want to read this” and includes an attachment or a URL for the recipient to open or click on. The email may also come from what is or looks like a trusted source’s (friend or associate) email address. Given this scenario, many a victim has been tricked into opening the attachment or clicking on the URL. The same result occurs as with phishing – the victim’s computer and all of the information in it are wide open to the attacker. In the 2020 survey, responding CISOs said that phishing and spear phishing were the most common attacks that they experienced.

Brute force: Brute force is not so much an attack as it is a method that cybercriminals use to break into IT systems. The term brute force refers to the way an attacker “bangs away” at a victim’s computer, network, or IT system using specifically designed software to try to guess a password that will enable them to penetrate the system. Once penetration has been achieved, the attacker can then install malware. It was a brute force attack that resulted in the 2018 Atlanta, Georgia breach and the installation of ransomware.

Zero-day: Like brute force, a zero-day exploit is not an attack, but rather an attacker’s identification of a weakness in a network or IT system (typically a previously unknown defect in software that had not been found and patched, such as the Log4Shell vulnerability, identified in late 2021, in the Apache Log4j 2 library, which is used by many applications and platforms). Once the weakness has been identified, the attacker uses it to break into the system and install malware. Zero-day attacks worry cybersecurity teams a great deal because defenses against them have not yet been developed.

Denial of Service (DoS): A DoS attack occurs when an attacker sends massive volumes of traffic to an organization’s website or server – so much so that the website or server cannot handle the traffic, essentially shutting the server or website down so no one can use it. Sometimes, this can happen for purely innocent reasons, such as when the University of Maryland Baltimore County’s (UMBC) website crashed because of a traffic overload that occurred when its president was interviewed in the CBS news magazine 60 Minutes. DoS attacks can also be totally malicious, for example, to disrupt normal business operations or extort a fee from the victim to stop the attack.

Distributed Denial of Service (DDoS): A DDoS attack is a DoS attack on steroids. It is an attack on a server or website by many different computers simultaneously for the purpose of shutting it down. According to Bloomberg News, the US Department of Health and Human Services was hit by a DDoS attack in March of 2020 and was “part of what people familiar with the incident called a campaign of disruption and disinformation that was aimed at undermining the [HHS] response to the coronavirus pandemic and may have been the work of a foreign actor” (Stein and Jacobs, 2020).

3.2.4 Typical Attackers

There are several common types of cyberattackers. According to the 2016 survey, 71 percent of local governments experienced attacks from external actors (organizations), 60 percent from external actors (individuals), 29 percent from state actors (nations) and 13 percent from malicious insiders. Just over one-third (36 percent) of respondents to the 2020 survey said they had been attacked by external actors (organizations), 14 percent said by external actors (individuals), and 22 percent said by hacktivists/spammers. A Ponemon Institute survey of small- and medium-size businesses found that 60 percent of breaches were caused by employee or contractor negligence (2018). Typically, this means lack of malice on the part of employees and contractors, although Verizon found that 34 percent of breaches “involved internal actors,” suggesting actual malice (Verizon, 2019).

Moschovitis lists the following as typical attackers or, in his words, “threat actors” and their motives (Moschovitis, 2018) (see Table 3.1).

Twenty-one years prior to Moschovitis’ table, in October 1997, the President’s Commission on Critical Infrastructure issued a report entitled “Critical Foundations: Protecting America’s Infrastructures.” It contained a graphic that described the threat spectrum from that era. It is included here because comparing the two suggests that the cyber threat landscape has not changed much in the past two decades. Information warriors of 1997 are little different from cyberspies and cyberterrorists in 2018; terrorists of 1997 are little different from cyberterrorists; institutional hackers of 1997 are little different from online social hackers of 2018; recreational hackers of 1997 are little different from hacktivists of 2018; and so on (see Table 3.2).

Table 3.1 Threat actors and motives.

Actor                   Motive
Cybercriminals          Money
Online social hackers   Money
Cyberspies              Espionage
Hacktivists             Activism
Cyberfighters           Patriotism
Cyberterrorists         Terrorism
Script kiddies          Curiosity, thrill, fame, money

Source: Moschovitis (2018), Table 3.1, p. 99.

Table 3.2 Threat spectrum.

Threat category             Actor                   Objectives
National Security Threats   Information Warrior     Reduce US Decision Space, Strategic Advantage, Chaos, Target Damage
                            National Intelligence   Information for Political, Military, Economic Advantage
Shared Threats              Terrorist               Visibility, Publicity, Chaos, Political Change
                            Industrial Espionage    Competitive Advantage
                            Organized Crime         Revenge, Retribution, Financial Gain, Institutional Change
Local Threats               Institutional Hacker    Monetary Gain, Thrill, Challenge, Prestige
                            Recreational Hacker     Thrill, Challenge

(For all threat types, the attacker may be external or internal to the victim or target.)

3.3 Vulnerabilities

This section examines cybersecurity vulnerabilities in general and several of the more prominent ones of recent years. What this chapter presents is at a relatively high level because most of the vulnerabilities considered here are addressed in greater detail in Chapter 7. Additionally, where local government policies (such as email, social media, and internet usage policies) are recommended in this chapter, Chapter 7 provides examples of and links to such policies.

3.3.1 Potential Vulnerabilities

According to Whitman and Mattord, a vulnerability on a computer system is: “A weakness or fault in the system or protection mechanism that opens it up to attack or damage” (2014, p. 13). NIST defines vulnerability as: “Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source” (NIST, n.d.). Whatever the definition, it is clear that computer systems have vulnerabilities that open them to attack. According to Moschovitis, vulnerabilities are numerous, especially in hardware, software and operating systems. But “a vast number of technical vulnerabilities are known and technical fixes (patches) exist for them. Unfortunately, in many cases these patches have not been applied, rendering systems open to attack” (2018, pp. 33–34). According to one knowledgeable source, there are six categories of vulnerabilities: 1) hardware; 2) software; 3) networks; 4) personnel – e.g., people are the weakest link; 5) physical – e.g., security, power source, natural disaster, etc.; and 6) organizational – e.g., lack of needed plans and policies (Tunggal, 2021).

“Even simpler, cybersecurity can be seen as a suite of three interlinked components: the ‘hardware’ (devices), the ‘software’ (programs and user data), and the ‘wetware’ (human beings). But unfortunately while the human brain – e.g., the ‘wetware’ – is the most complicated computer in the world, it’s also the most vulnerable and easiest for adversaries to exploit.”

Richard Forno, speaking at the “The Dark Side of Data: When Information is Weaponized” panel at the SAP NS2 Summit in Tysons Corner, VA (2018).

It is not necessary that local officials know the technology underlying either vulnerabilities themselves or vulnerability management. These officials should, however, know that vulnerabilities exist (most who know say they are plentiful) and that processes exist for vulnerability management. The first step in vulnerability management is for the cybersecurity staff to create an accurate inventory of information assets. That is, identify every hardware and software element that is part of or connected to the information technology system, or that is likely to be connected to it, and create a map of the network including all devices. Next, the cybersecurity staff should identify the principal threats to each information asset and create a document that can be considered a Threats-Vulnerabilities-Assets (TVA) worksheet. Then they should conduct a thorough risk assessment (Whitman and Mattord, 2010). Cybersecurity staff should periodically brief top officials on their local government’s vulnerabilities and recommend actions to mitigate as many as possible. Then, with the approval of those officials, they should take those actions. Needless to say, this is an ongoing process that must be regularly conducted and kept up-to-date.

3.3.2 Email Usage

Today, most organizations use email for both internal and external communication, and many employees at all levels use their organization’s email for personal communication. A 2020 survey, for example, found that about 80 percent of respondents used their employers’ email systems to send and respond to personal emails (Proofpoint, 2020).

As a result, it is important that local governments develop and enforce written policies about the proper use of their email systems (email usage policies), train officials and employees in these policies, and hold all end users, regardless of rank or position, accountable for their email usage. Local governments should also train all officials and staff to understand what they should not do when using email. They should not: open attachments in or click on links provided in emails that are not 100 percent trustworthy; share sensitive information online with anyone; share passwords; allow anyone else to use their email accounts; remain logged in to email, especially when leaving their desktops or laptops unattended; and visit unsecure, disreputable, or unsafe websites.

It is important that software patches be applied to email servers as soon as they are available. Failure to patch vulnerabilities explains the huge breach of the Equifax system in 2017 in which 143 million records were compromised. It was the same story at JPMorgan Chase in 2014, where 43 million records were compromised. And the story goes on. Keeping abreast of events and security solutions such as these is an essential aspect of cybersecurity management.

3.3.3 Social Media Usage

The use of social media by Americans today is widespread. According to the Pew Research Center, large portions of Americans regularly use social media, with 73 percent using YouTube and 69 percent using Facebook (2019). At the same time, however, only about half of businesses have formal social media policies (Digital Information World, 2018). Sometimes people, including local government officials and staff, abuse social media and do so to the detriment of their governments and themselves. Because of the possibility of misuse of social media and to protect themselves from potential consequences of such behavior, local governments need to adopt and strictly implement social media use policies. A key element of social media use policies is accountability. Should end users (regardless of position or title) misuse social media, local governments must have the ability, within the limits of applicable laws, to take action to, for example, retrain such personnel, take away their personal social media privileges at work, and take action up to and including terminating their employment.

3.3.4 Internet Usage

Internet use is even more ubiquitous than social media use (which also constitutes internet use). As a result, local governments should adopt internet usage or acceptable use policies. Alternatively, local governments could combine their internet use policies into their general acceptable use policies.

3.3.5 Passwords

There are a few, rather simple, rules about passwords. The first subsumes all the rest: make passwords strong. Longer and more complex passwords using letters, numbers, and perhaps special characters are better still. Do not use simple passwords like “password” or “123456” because it is ridiculously easy for the bad guys to crack them. It takes only a few minutes. A 14-character password consisting of letters only (not in alphabetical order – “dogeatscatfine”), on the other hand, will take a computer 249,000 years to crack. Add more years, many more, if you use letters (lowercase and capital), numbers and symbols. A supercomputer can crack the 14-character password in just seven days, but buying the time on the supercomputer will cost you $100,000 (Larg*Net, 2019).

Do not use personal information, such as your spouse’s or children’s names, your birthplace or birthday, personally important dates, address, high school or college, or names of relatives and pets as passwords. Do not write passwords on a piece of paper that is kept in plain sight or in a desk drawer, because it is too easy for someone to view or steal. Instead, and if permitted, use a reputable password manager such as Keeper, LastPass, Dashlane, or Bitwarden to generate and store effective passwords. See Rubenking and Moore (2021) for PC Magazine’s top 11 password managers.
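To make the arithmetic behind the “249,000 years” claim concrete, here is an added example (written for this page; not the chapter’s or Larg*Net’s code) that sizes the search space of a password from the character classes it uses, turns that into a worst-case guessing time, and applies the chapter’s rules about common passwords, personal information and length. Assumptions, all mine: a guess rate of 8.2 million per second (the source does not state its rate; this value gives a figure of the chapter’s order for a 14-letter password), a 14-character minimum, a constructed blocklist, and uniformly random characters (wordlist attacks on dictionary-word passphrases are not modelled).

```python
"""Password keyspace and worst-case guessing-time estimates (added example)."""
from __future__ import annotations

# Size of each character class an exhaustive search must cover.
# The 32-symbol figure counts printable ASCII punctuation (assumption).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Assumed attacker guess rate. The chapter does not give the rate behind its
# 249,000-year figure; 8.2 million/s is chosen because it reproduces that order
# of magnitude for a 14-letter password.
ASSUMED_GUESSES_PER_SECOND = 8.2e6

# Constructed blocklist standing in for a real breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Assumed minimum length, matching the chapter's 14-character example.
MIN_LENGTH = 14


def character_classes(password: str) -> list[str]:
    """Names of the character classes the password actually draws from."""
    classes = []
    if any(c.islower() for c in password):
        classes.append("lower")
    if any(c.isupper() for c in password):
        classes.append("upper")
    if any(c.isdigit() for c in password):
        classes.append("digit")
    if any(not c.isalnum() for c in password):  # spaces and punctuation
        classes.append("symbol")
    return classes


def keyspace(password: str) -> int:
    """Candidates an exhaustive search must try: alphabet_size ** length.

    Treats every character as uniformly random over the classes used; a
    dictionary-word passphrase is far weaker than this number suggests.
    """
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return alphabet ** len(password)


def worst_case_seconds(password: str,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole keyspace at the given guess rate."""
    return keyspace(password) / guesses_per_second


def worst_case_years(password: str,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    return worst_case_seconds(password, guesses_per_second) / SECONDS_PER_YEAR


def weakness_reasons(password: str, personal_tokens: tuple[str, ...] | list[str] = ()) -> list[str]:
    """Apply the chapter's rules and return one reason per failed rule.

    personal_tokens: names, places and dates the user should not reuse
    (spouse, children, pets, birthplace, school, ...).
    """
    reasons = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        reasons.append("digits only")
    for token in personal_tokens:
        if len(token) >= 3 and token.lower() in lowered:
            reasons.append(f"contains personal information ({token})")
    return reasons


def describe(password: str, personal_tokens=()) -> str:
    """One-line report combining the keyspace estimate and the rule checks."""
    years = worst_case_years(password)
    reasons = weakness_reasons(password, personal_tokens)
    verdict = "; ".join(reasons) if reasons else "passes the basic rules"
    return f"{password!r}: {len(character_classes(password))} class(es), " \
           f"keyspace 2^{keyspace(password).bit_length() - 1}, " \
           f"worst case {years:,.0f} years; {verdict}"


if __name__ == "__main__":
    # Constructed sample inputs: the chapter's two examples plus one that
    # embeds a personal token (a hypothetical user from Baltimore).
    for pw in ("123456", "dogeatscatfine", "Baltimore1985!x"):
        print(describe(pw, personal_tokens=["Baltimore"]))
```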

Finally, note that NIST has changed its guidance regarding changing passwords. Initially, the agency recommended periodic password changes. However, while many organizations continue to do so as a matter of established practice or tradition, NIST no longer recommends frequent or scheduled password changes because these actions can cause more harm than good over time (Horowitz, 2020).

3.3.6 Telework

This book was written during the very height of the COVID-19 pandemic (winter and spring 2021) when organizations of many kinds, including local governments, had moved from in-person attendance for most or all employees to a regime of mostly telework; that is, some to many if not all employees working from home or other remote locations. According to the Canada Centre for Cyber Security [sic], telework poses several cybersecurity risks including:

  • Physical access to your computer by unauthorized users which could lead to tampering, breakage, or theft.
  • Malicious code being inserted into your device.
  • Social engineering whereby threat actors trick you into sharing information or granting access to your device.
  • Compromised login credentials, forgetting your password, weak security, etc.
  • Compromised communication links through: Eavesdropping – an attacker listens to Wi-Fi or network or records online activity…Theft of service – where an attacker tries to use a teleworker’s internet service or processing power for their own purposes…

(Canada Center for Cyber Security, 2019, verbatim)

To address these and other potential cybersecurity risks that arise from telework, local governments should identify all risks that telework poses, address those risks, and also adopt clear policies that govern all aspects of telework.

3.3.7 Personal Devices

It is quite common today for employees to bring their own electronic devices to work (aka, BYOD or bring your own device). These include flash drives, external hard drives, laptops, tablets, cell phones, etc. Employees may bring them for personal use (e.g., listen to music, watch videos, view social media, contact others by phone, email, and text and more). They may also use their personal devices to connect to their employers’ IT systems. A 2020 survey found that 95 percent of organizations let employees use personal devices at work and that two-thirds of employees used their own devices without regard to company policy (Brook, 2020).

Therefore, it is important that local governments adopt clear BYOD policies. There are two main issues regarding the use of personal devices in the workplace. The first is the use of personal devices for personal purposes, and the second is whether and how officials and staff may (or may not) connect personal devices to the local government’s IT system. In both cases, local governments need to provide clear rules regulating the use of these devices.

The first issue is rather straightforward. As long as using personal devices for non-work-related activity does not interfere with an official or staff member’s ability to perform the functions under his or her responsibility, arguably this use should be permitted within the local government’s rules. However, use of these devices in ways that materially interfere with one’s job performance or reduces one’s efficiency and effectiveness on the job should probably not be permitted. Whatever the case, local governments should develop rules so all officials and staff know what is permitted and what is not.

3.3.8 The Internet of Things

As discussed in Chapter 1, the Internet of Things (IoT) adds considerably to cybersecurity risks faced by local governments. The more devices that local governments and their officials and employees connect to the internet, especially from their local governments’ IT systems, the greater is their exposure to cyberattack. Hence, local governments should carefully examine this exposure and develop policies to govern which devices, owned by both the local government and its officials and employees, and under what conditions or circumstances, will be allowed to be connected to its IT system and through that connection to the internet.

3.4 Administering Cybersecurity

This section addresses several aspects of cybersecurity administration, including local government cybersecurity budgets, whether cybersecurity is centrally managed or is decentralized, performing regular back-ups, cybersecurity insurance, and cybersecurity awareness training and cybersecurity accountability.

3.4.1 Cybersecurity Budgets

As this book has already shown, it is very important that local elected and appointed officials provide sufficient funding for cybersecurity, especially for hardware, software, policies, procedures, practices, personnel, and training. Previous research has uncovered a number of barriers to local government achievement of high levels of cybersecurity. For example, the 2016 survey found that the top four barriers were: 1) inability to pay competitive salaries (59 percent); 2) insufficient number of staff (53 percent); 3) lack of funds (53 percent); and 4) lack of adequately trained staff (46 percent). Notably, all of these barriers are somewhat or totally related to funding. The results of the 2020 survey are reasonably consistent with those of the 2016 survey in that the two top barriers were lack of funds (79 percent) and lack of adequate/adequately trained staff (71 percent).

Both surveys asked what three things local governments needed to do or possess to be able to achieve the highest levels of cybersecurity. The top three needs identified in the 2016 survey were: 1) greater funding (55 percent); 2) better cybersecurity policies (38 percent); and 3) greater cybersecurity awareness among local government employees (35 percent). Respondents to the 2020 survey listed funding (57 percent) and staffing (50 percent) as the top two needs, followed by leadership buy-in (29 percent). The lack of leadership buy-in and support is a common complaint among IT cybersecurity officials, and we return to it later in this chapter.

The 2020 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study (based on a survey of state CISOs) produced similar findings among state governments (Deloitte-NASCIO, 2020). Three of the top five barriers involved funding: lack of funding, lack of cybersecurity staff, and lack of dedicated budget. Lack of dedicated cybersecurity budgets is also a problem for too many local governments, and local officials should remedy it as soon as possible.

Also, according to the 2020 Deloitte-NASCIO report, most states spend under 3 percent of their IT budgets on cybersecurity, which is far less than financial institutions and federal agencies. By contrast, according to Gartner, average spending by US businesses on cyber across sectors is between 5 and 8 percent of their IT budgets (Nash, 2019, citing a Gartner study). Moreover, only about 36 percent of states have formally established cybersecurity budgets (Deloitte-NASCIO, 2020).

Among the local governments in the 2020 survey, the average spending was 4 percent of the IT budget, and the range was between zero and 10 percent. Fifty-seven percent of these governments spent less on cybersecurity (as a percent of their IT budgets) than Gartner found among US businesses, while 36 percent were within or greater than Gartner’s estimate (Nash, 2019). Forty-three percent spent less than NASCIO found among state governments while 57 percent spent more. These data tend to confirm that funding for cybersecurity is inadequate for at least some (if not most) local governments. This is not surprising because studies of IT and government, e-government, and cybersecurity among local governments have consistently produced similar results.

As local governments across the nation have learned the hard way, inadequate spending on cybersecurity often results in the predictable – breaches and worse. Until local governments affirmatively address these and perhaps other barriers, but especially funding, they cannot expect to improve their cybersecurity outcomes or more effectively protect their information assets.

3.4.2 Centralized v. Decentralized Cybersecurity

If they have not already done so, another way that local governments can reduce their vulnerabilities and improve overall cybersecurity is to consider centralizing their IT systems within a single IT department with a single Chief Information Officer (CIO) and a single Chief Information Security Officer (CISO). The CISO should have responsibility for cyber throughout the organization, and all officials and employees should come under the CISO's purview. However, in some, perhaps many, local governments, IT and cybersecurity are decentralized or fragmented (some call this federated) among numerous departments and agencies. The 2020 survey found that nearly two-thirds of responding governments said the CISO had total responsibility for cybersecurity, while just over one-third said it was divided (Norris, 2021). One CISO reported that cybersecurity in his local government was divided among more than fifty different departments and agencies.

Under centralized cybersecurity management, cybersecurity in all departments and among all personnel is the responsibility of the CISO. As a result, all personnel receive the same training, operate under and must follow the same rules and policies, and are held accountable for their cyber-hygiene under the same regime. Centralization provides top officials and cyber leaders with a better overall view of the cyber strengths of and challenges to the organization. Centralization is also more efficient because it reduces unnecessary duplication, reduces the number of staff required, and allows resources to be prioritized more efficiently and effectively across the entire organization. Additionally, centralized procurement means that technology can be standardized and purchasing can benefit from buying in quantity, all of which help to reduce costs and technological and operational complexity. According to a recent Deloitte-NASCIO survey, most state CISOs agreed that centralization will improve cybersecurity. Centralization can also lead to greater agility and efficiency in cybersecurity resource deployment (Deloitte-NASCIO, 2020).

Conversely, decentralized cybersecurity management means that there is likely to be considerable diversity among departments in cyber technology, policies, practices, rules, regulations, and training. This diversity may be thought of as a strength by the diverse units because it grants them a degree (often a large degree) of autonomy. From the perspective of cybersecurity management, however, decentralization also leads to inefficiencies, higher costs, and communication difficulties. Different units may have different levels of risk tolerance and risk management. Decentralization can also result in greater levels of cybersecurity staffing and cost.

There are, of course, local governments in which decentralization is not only the norm but is nearly or completely unavoidable. This is particularly true where there is a high degree of federation within those governments. County commission or supervisor governments are good examples of federated governments because of the number of independently elected officials, and thus departments, in them. In Ohio, for example, counties have 11 independently elected officials: three county commissioners, an auditor, treasurer, prosecuting attorney, clerk of courts of common pleas, engineer, coroner, recorder, and sheriff. In such governmental structures, each elected official possesses some degree of independence and executive authority, and there is no chief executive officer for the entire government. This makes centralized IT and cybersecurity difficult and may produce inefficiencies, unnecessary duplication, and additional costs.

Although there are pros and cons to fragmented cybersecurity management in local governments, on balance centralization is preferable from the standpoints of control, standardization, efficiency, effectiveness, and cost. Thus, wherever possible, local governments should endeavor to place cybersecurity in the hands of a single CISO who has full responsibility for this function across all departments, officials, and employees.

3.4.3 Cybersecurity Insurance

Adoption of cybersecurity insurance, commonly known as cyber insurance, among organizations, including local governments, is growing in the face of unprecedented numbers of ransomware attacks. The 2016 survey found that less than half (45 percent) of local governments had purchased cybersecurity insurance, although only slightly more than one in four (27 percent) had full coverage. This compares well with a 2018 survey of organizations in North America and Europe that found that 38 percent of organizations had purchased cybersecurity insurance. Nearly half (45 percent) had done so within the past two years (Spiceworks, 2019). In 2019, the Federal Reserve Bank of Chicago reported that 58 percent of large businesses had cyber insurance compared to just 21 percent of small businesses (Granato and Polacek, 2019).

If insuring against ransomware attacks is not enough of a reason for local governments to consider purchasing cybersecurity insurance, there are other benefits as well. First, in the process of purchasing the insurance, local governments will almost certainly be required by potential insurers to conduct a vulnerability analysis to qualify for the insurance. Such an analysis, if conducted seriously, should help to identify weaknesses that, when corrected, will provide the insured with a stronger cyber defense. Second, cyber insurance will likely cover at least some of the costs of a breach, whether ransomware was involved or not.

Why else might local governments consider cybersecurity insurance? One survey found that 71 percent of respondents purchased cyber insurance as a precautionary measure, 44 percent because of an increased priority the organization placed on cybersecurity, and 28 percent because of industry regulations (Tsai, 2019). But there are cons as well as pros to buying cyber insurance. One view is that cyber insurance should be considered almost a must in today’s threat environment. Organizations that choose to go without it would probably never go without liability insurance, fire insurance, flood insurance (if in flood-prone areas) and the like. Why would they go without cyber insurance since it provides so many benefits?

There are also downsides to cybersecurity insurance. Perhaps the most important is that having cybersecurity insurance can provide a false sense of security. Owning cyber insurance does not provide a shield against cyberattacks, but it may lower the bar for cybersecurity precautions. Because cyber insurance shifts the financial risk of security events from organizations onto the insurers, it can foster a sense of complacency based on the spurious notion that there is no longer any financial risk to the local government. This is obviously not the case, and local governments must continue to be vigilant and provide the highest levels of cybersecurity regardless of whether they have cyber insurance. A second potentially negative aspect of having cybersecurity insurance is that the cost of cyber insurance might be better spent on additional levels or measures of cybersecurity. And given the steady increase in ransomware attacks in the last few years, there is no guarantee that insurance companies will continue providing cybersecurity insurance policies that are affordable and/or do not contain significant exclusions to their coverage.

3.4.4 Back-up and Restore

One of the easiest, cheapest, and best ways that the cybersecurity staff can help protect a local government’s information system from the results of a breach or other adverse cyber event is to conduct regular, complete back-ups of the system, store the back-ups off site, and keep several iterations of back-ups spanning weeks and preferably months. The latter is especially important because the malware may have been installed weeks or months before the breach is discovered, and restoring from back-ups that themselves contain the malware does not seem like a good idea under any circumstances. According to Verizon, in 2019, 56 percent of breaches “took months or longer to discover” (Verizon, 2019, p. 5). The now infamous SolarWinds breach occurred as much as nine months before it was found. Backing systems up these days is easier than ever, with numerous vendors offering software for automatic back-ups. Chapter 7 discusses system back-ups in more detail.
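As an added illustration of the retention advice above (example code written for this edition, not from the book or from any vendor's back-up product), the following Python check models a grandfather-father-son rotation: it selects which daily back-up sets to retain so that iterations span weeks and months, verifies that the oldest retained set predates a given attacker dwell time, and finds the most recent clean restore point before a known intrusion date. The retention counts, the 180-day dwell-time threshold, and all back-up dates are constructed assumptions.

```python
"""Back-up retention check for the 'iterations spanning weeks and months' advice.
Added example; not from the book. All dates and policy values are constructed."""
from datetime import date, timedelta

# Retention policy (constructed; tune to the organization): keep the last
# DAILY_KEEP daily sets, the last WEEKLY_KEEP Sunday sets and the last
# MONTHLY_KEEP first-of-month sets.
DAILY_KEEP = 7
WEEKLY_KEEP = 4
MONTHLY_KEEP = 12


def select_retained(backup_dates, today):
    """Return the sorted list of back-up dates the policy keeps as of `today`.
    `backup_dates` holds one date per completed full back-up."""
    dates = sorted(d for d in set(backup_dates) if d <= today)
    keep = set()
    keep.update(dates[-DAILY_KEEP:])                      # most recent dailies
    sundays = [d for d in dates if d.weekday() == 6]      # weekly sets (Sunday)
    keep.update(sundays[-WEEKLY_KEEP:])
    firsts = [d for d in dates if d.day == 1]             # monthly sets (1st)
    keep.update(firsts[-MONTHLY_KEEP:])
    return sorted(keep)


def retention_span_days(retained, today):
    """Age in days of the oldest retained set (0 if nothing is retained)."""
    return (today - min(retained)).days if retained else 0


def covers_dwell_time(retained, today, dwell_days=180):
    """True if a restore point exists from before a compromise that went
    undetected for `dwell_days`; the chapter cites Verizon's finding that
    56 percent of breaches took months or longer to discover."""
    return retention_span_days(retained, today) >= dwell_days


def last_clean_restore_point(retained, first_malicious_activity):
    """Most recent retained set strictly before the earliest known malicious
    activity, or None if every retained set postdates it (a restore from any
    of them would reintroduce the malware)."""
    clean = [d for d in retained if d < first_malicious_activity]
    return max(clean) if clean else None


def daily_backups(start, end):
    """Constructed history: one full back-up per day from start to end."""
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]


if __name__ == "__main__":
    today = date(2021, 9, 30)
    retained = select_retained(daily_backups(date(2020, 9, 1), today), today)
    print(len(retained), "sets retained; oldest is", min(retained))
    print("covers a 180-day dwell time:", covers_dwell_time(retained, today))
    # Suppose forensics dates the first malicious activity to 2021-07-20.
    print("clean restore point:", last_clean_restore_point(retained, date(2021, 7, 20)))
```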

3.4.5 Cybersecurity Awareness Training and Accountability

Cybersecurity awareness training is essential in all organizations, local governments included. Its purposes are: 1) to educate employees and officials at all levels about the need for high levels of cybersecurity; 2) to create a supportive environment for cybersecurity among employees and across the organization; and 3) to teach them what to do and what not to do in their daily activities involving the organization’s information technology system (commonly called cybersecurity hygiene).

Training alone, however, is not sufficient. It must be accompanied by accountability measures so that if any employee or official fails (intentionally or unintentionally) to follow the cybersecurity rules laid down by the organization (typically developed by the IT director or CISO) and approved by top officials, they will face consequences. Chapter 7 discusses training and accountability in greater detail.

3.5 Non-technical Ways to Improve Cybersecurity

This section addresses some common sense, non-technical actions that local governments can take to improve their ability to protect their information assets. These are mostly management, policy, and process-oriented measures that organizations committed to cybersecurity will implement.

3.5.1 Identify and Report

People, regardless of rank or title in local governments, are the biggest cybersecurity problem in organizations because of both human error (common mistakes) and malicious behavior. At the same time, people are important elements of a local government’s cyber defense. This is true for at least two reasons. The first is when they use proper cyber hygiene and the second is when they are cyber alert and know how to identify suspicious cyber activity (e.g., phishing attacks and other scams) and report it. Hence, cybersecurity training needs to focus on both – proper hygiene and threat detection and reporting. What are the common threats, attacks, and attackers; what sorts of cyber activities should arouse end users’ suspicion; what should they do when suspicion is aroused; what should they not do? When employees do not follow training, they are subject to discipline. Those who report suspicious activity should be rewarded, most likely in symbolic ways such as recognition, and other non-monetary rewards.

3.5.2 Cyber hygiene

Hygiene can be defined as: “conditions or practices conducive to maintaining health and preventing disease, especially through cleanliness” (Oxford Languages, 2021). So, staying clean through such things as hand washing, teeth brushing, and bathing promotes good hygiene, which promotes good health. Cybersecurity hygiene (or cyber hygiene) is similar in that it promotes good cyber practice, which, in turn, can support high levels of cybersecurity. Good cyber hygiene can also help to inculcate a culture of cybersecurity into organizations. According to Norton: “Cyber-hygiene is about training yourself to think proactively about your cyber security — as you do with your daily personal hygiene — to resist cyber threats and online security issues” (Norton, 2021). And, just like cleanliness, cyber-hygiene should become a habit that stays with you forever. “It involves three basic principles: using products and tools that fit your hygiene needs, performing these hygienic tasks correctly, and establishing a routine” (Norton, 2021). Chapter 7 addresses cyber hygiene in more detail.

3.5.3 Leadership Buy-in and Support

In order for a culture of cybersecurity to develop and flourish within local governments, top leadership buy-in and support (and not just at a rhetorical level) are essential. Top leaders, meaning elected officials and top managers, must: understand that they have an active role to play in their government’s cybersecurity; provide the funding needed for effective cybersecurity; practice proper cyber-hygiene; promote cybersecurity throughout the organization as Job One for everyone; and insist that all parties are held appropriately accountable for their cyber actions. If top officials fail to insist on such a culture and/or fail to act appropriately on their own cyber responsibility, those under them will almost certainly think: “If they don’t care about cyber, why should I?” Top leadership buy-in and support will make all parties in an organization understand the importance of cybersecurity and their own cyber responsibilities and will make it more likely that they will practice proper cyber-hygiene, thus improving cyber outcomes throughout the local government.

Unfortunately, a common complaint heard from too many cybersecurity and IT practitioners is that there is insufficient top leadership buy-in and support in their local governments. Think Atlanta and Baltimore. Data from the 2016 survey found that most top officials in local governments were not sufficiently aware of the need for cybersecurity, did not provide high levels of support for it, and believed that cyber was more the responsibility of technologists than theirs. Reported cybersecurity awareness improved somewhat in the 2020 survey and support for cybersecurity improved even more. However, in the absence of nearly total cybersecurity awareness and support from these leaders, establishing and maintaining high levels of cybersecurity will be problematic at the least. Without these leaders’ unreserved commitment, local governments are not likely to properly prioritize and adequately fund and staff cybersecurity. This is a common finding across organizations and must change if organizations hope to improve their cybersecurity outcomes.

3.5.4 Culture of Cybersecurity

The concept of creating a culture of cybersecurity began to gain traction among practitioners within the past decade or so (e.g., Deloitte and NASCIO, 2010). Among other things, a culture of cybersecurity means that everyone, regardless of their place on an organization’s hierarchy, is thoroughly committed to cybersecurity, understands the importance of cybersecurity in everything they do, and practices proper cyber-hygiene. They know that Cyber is Job One.

It also means that all parties in local governments fully embrace and support cybersecurity, play important roles in it, including, but not limited to, practicing proper cyber-hygiene and insisting that others in their governments do so as well and holding all accountable when they do not. In a fully developed culture of cybersecurity: cybersecurity overlaps all functions and positions in the organization; there is ongoing mandatory cybersecurity awareness training for everyone; all parties are periodically tested for their cybersecurity hygiene (and retrained and retested as needed); all parties are held accountable for their cyber-hygiene; local governments provide incentives for proper cyber-hygiene and disincentives for its absence; they have strong cybersecurity policies; and security responsibility is written into all job descriptions. Until and unless local governments inculcate a culture of cybersecurity from the top to the bottom of their organizations, maintaining high levels of cybersecurity will be difficult to achieve.

3.6 Conclusion

Typically, the conclusion of a book chapter contains a summary of what has been presented in previous pages. This, however, is not a typical book chapter because its objective is to provide readers, mainly local government elected officials and top managers, with information that they need to know about cybersecurity. To summarize that information here would be redundant. However, if there is one take-away from this chapter, it is that local elected officials and top managers must understand the basics of cybersecurity, at least enough to be able to ask the right questions of their cybersecurity staff and to intelligently direct and supervise these staff in their work protecting the local government’s information assets.

References

  1. Bogage, J. (2021, May 19). Colonial pipeline CEO says paying $4.4 million ransom was “the right thing to do for the country.” Washington Post. https://www.washingtonpost.com/buiness/2021/05/19/colonial-pipeline-ransom-joseph-blunt
  2. Brook, C. (2020, November 24). The ultimate guide to BYOD security: Overcoming challenges, creating effective policies, and mitigating risks to maximize benefits. Data Insider. https://digitalguardian.com/blog/ultimate-guide-byod-security-overcoming-challenges-creating-effective-policies-and-mitigating
  3. Canada Center for Cyber Security (2019, March). Telework security issues. https://cyber.gc.ca/sites/default/files/publications/itsap.10.016-eng.pdf
  4. CISOMAG (2020, October 5). Paying ransom is now illegal! US Dept of Treasury warns. CISOMAG. https://cisomag.eccouncil.org/paying-ransom-is-now-illegal-u-s-dept-of-treasury-warns/#:~:text=U.S.%20Dept%20of%20Treasury%20Warns&text=The%20U.S.%20Department%20of%20the,to%20cybercriminals%20is%20now%20illegal.&text=Ransomware%20payments%20may%20also%20embolden,future%20attacks%2C%E2%80%9D%20OFAC%20said
  5. Deloitte-NASCIO (2020). States at risk: The cybersecurity imperative in uncertain times. https://www2.deloitte.com/content/dam/insights/us/articles/6899_nascio/DI_NASCIO_interactive.pdf
  6. Deloitte and NASCIO (2010). State governments at risk: A call to secure citizen data and inspire public trust. https://www.nascio.org/wp-content/uploads/2019/11/Deloitte-NASCIOCybersecurityStudy2010.pdf
  7. Digital Information World (2018, September 7). Social media use during work hours by employees. https://www.digitalinformationworld.com/2018/09/problems-social-media-workplace.html
  8. Dudley, R. (2019, August 17). The extortion economy: How insurance companies are fueling a rise in ransomware attacks. Pro Publica. https://www.propublica.org/article/the-extortion-economy-how-insurance-companies-are-fueling-a-rise-in-ransomware-attacks
  9. Duncan, I. (2019, July 10). US mayors group adopts resolution proposed by Baltimore, vowing not to pay ransoms to hackers. Baltimore Sun. https://www.baltimoresun.com/politics/bs-md-ci-mayors-ransom-20190710-cznelxwcg5hiziiqmubtg2elju-story.html
  10. Granato, A. and Polacek, A. (2019). The growth and challenges of cyber insurance. Chicago Fed Letter, No. 426, 2019. Chicago, IL: Federal Reserve Bank of Chicago.
  11. Horwitz, J. (2020, July 13). NIST password guidelines: What you need to know. InfoSecurity Magazine. https://www.infosecurity-magazine.com/blogs/nist-password-guidelines
  12. KrebsOnSecurity (2020, October 1). Ransomware victims that pay up could incur steep fines from Uncle Sam. https://krebsonsecurity.com/2020/10/ransomware-victims-that-pay-up-could-incur-steep-fines-from-uncle-sam
  13. Larg*Net (2019, April 4). Estimated time to crack password. https://www.largnet.ca/largblog/2019/3/25/estimated-time-to-crack-password
  14. Lerman, R. and De Vynck, G. (2021, July 3). Widespread ransomware attack likely hit “thousands” of companies in the eve of long weekend. Washington Post. https://www.washingtonpost.com/technology/2021/07/02/kaseya-ransomware-attack
  15. Lerman, R. and De Vynck, G. (2021, July 5). Hackers demand $70 million to unlock businesses hit by sprawling ransomware attack. Washington Post. https://www.washingtonpost.com/technology/2021/07/05/kayesa-ransomware-70-million-fbi
  16. McAfee (n.d.). What is fileless malware? https://www.mcafee.com/enterprise/en-us/security-awareness/ransomware/what-is-fileless-malware.html
  17. Moschovitis, C. (2018). Cybersecurity Program Development for Businesses: The Essential Planning Guide. Wiley.
  18. Nash, K.S. (2019, December 30). Tech chiefs plan to boost cybersecurity spending. Wall Street Journal. https://www.wsj.com/articles/tech-chiefs-plan-to-boost-cybersecurity-spending-11577701802
  19. Norris, D.F. (2021, July 14). A new look at local government cybersecurity: Recommendations for staying vigilant against persistent cyber threats. Local Government Review/Public Management. Washington, DC: International City/County Management Association. https://icma.org/sites/default/files/2021-07/PM%20%2B%20LGR%20July%202021%20LOW-RES.pdf
  20. Norris, D.F., Mateczun, L., Joshi, A., and Finin, T. (2019). Cyberattacks at the grassroots: American local governments and the need for high levels of cybersecurity. Public Administration Review, 76(6), 895–904. https://onlinelibrary.wiley.com/doi/abs/10.1111/puar.13028
  21. Norton (2021). Good cyber hygiene habits help stay safe online. https://us.norton.com/internetsecurity-how-to-good-cyber-hygiene.html
  22. Oxford Languages (2021). Hygiene. https://www.lexico.com/definition/hygiene
  23. Pew Research Center (2019, June 15). Social media fact sheet. https://www.pewresearch.org/internet/fact-sheet/social-media
  24. Ponemon Institute (2018). State of cybersecurity in small and medium size businesses. https://www.keepersecurity.com/assets/pdf/Keeper-2018-Ponemon-Report-Infographic.pdf
  25. President’s Commission on Critical Infrastructure Protection (1997). Critical Foundations: Protecting America’s Infrastructures. https://sgp.fas.org/library/pccip.pdf
  26. Proofpoint (2020). User risk report: Exploring vulnerability and behavior in a people-centric threat landscape. https://www.proofpoint.com/us/resources/white-papers/user-risk-report
  27. Riley, T. (2021, March 23). The Cybersecurity 202: DHS official promises help for states struggling with digital attacks on critical services. Washington Post. https://www.washingtonpost.com/politics/2021/03/23/cybersecurity-202-dhs-official-promises-help-states-struggling-with-digital-attacks-critical-services
  28. Rubenking, N.J., and Moore, B. (2021, January 15). The best password managers for 2021. PC Magazine. https://www.pcmag.com/picks/the-best-password-managers
  29. Spiceworks (2019). Spiceworks study reveals nearly 40 percent of organizations have an active cyber insurance policy. https://www.spiceworks.com/press/releases/spiceworks-study-reveals-nearly-40-percent-of-organizations-have-an-active-cyber-insurance-policy
  30. Stein, S. and Jacobs, J. (2020, March 16). Cyber-attack hits US health agency amid covid-19 outbreak. Bloomberg News. https://www.bloomberg.com/news/articles/2020-03-16/u-s-health-agency-suffers-cyber-attack-during-covid-19-response
  31. Tsai, P. (2019, January 28). Data snapshot: How common is cyber insurance in the workplace? Spiceworks. https://community.spiceworks.com/blog/3166-data-snapshot-how-common-is-cyber-insurance-in-the-workplace
  32. Tunggal, A.T. (2021, September 14). What is a vulnerability? Upguard. https://www.upguard.com/blog/vulnerability
  33. U.S. National Institute of Standards and Technology (NIST) (n.d.). Computer security resource center. Glossary. https://csrc.nist.gov/glossary/term/vulnerability
  34. Verizon (2019). 2019 Data breach investigations report. https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
  35. Whitman, M.E. and Mattord, H.J. (2010). Management of information security (5th ed.). Cengage Learning.
  36. Whitman, M.E. and Mattord, H.J. (2014). Principles of information security (5th ed.). Cengage Learning.