13 Summary and Recommendations

As seen from evidence presented throughout this book, local governments do a poor job of managing and practicing cybersecurity (see especially Chapters 5 and 6). Of course, this is not true of all local governments, but it is of too many. Many, if not most, large, well-funded local governments understand the need for appropriate levels of cybersecurity and do their best to provide it by adequately budgeting and staffing this function. However, most local governments, at least in the US, are small and unlikely to meet this challenge effectively.1

Unfortunately, small- and even mid-sized local governments typically have greater financial constraints than their larger cousins, and they cannot or will not fund and staff cybersecurity adequately. As a result of these and other factors, too many of them experience adverse cybersecurity events that might otherwise have been preventable. This is not to say that larger local governments do not experience such events, but those governments are typically better prepared to prevent and recover from cyberattacks.

13.1 Important Highlights from This Book

Adverse cybersecurity events (cyberattacks, incidents, and breaches, especially the latter) often result in the loss of data (PII, but also data of all sorts stored by local governments), shutdowns of critical public services, loss of money (either directly from theft or indirectly through the cost of recovery), public embarrassment, and more. In some cases, these events take entire local governments, or significant elements of them, offline for months at a time. The examples of Atlanta and Baltimore (discussed in Chapter 1) are but two illustrations of the fate that regularly befalls unprepared local governments. As the evidence shows, too many of these governments are largely unable to protect their IT systems effectively in what is the wild, wild west of cybersecurity.

This is why cybersecurity – defined in Chapter 2 – and the protection of information technology systems is essential for local governments. Without appropriate levels of cybersecurity, bad things will certainly happen. With it, local governments will still be the targets of cyberattacks but would be better positioned to prevent them from succeeding and better equipped to recover if attacks should succeed.

In order to develop and maintain acceptable and industry-standard levels of cybersecurity, buy-in from the very top of local governments is needed. An all-too-common finding from the academic and professional literature is that too often top officials pay lip service, if that, to cybersecurity. Instead, chief elected officials, members of local legislative bodies, and top appointed managers must have a basic understanding of cybersecurity, unequivocally support and, within budgetary constraints, adequately fund it. This book addressed what local officials should know about cybersecurity (Chapter 3) and questions they should ask themselves and their cybersecurity staff about it (Chapter 11). Local officials would do well to consider reviewing these chapters (and others) from time to time.

Policies that are either essential or desirable to local government cybersecurity were discussed in Chapter 7, which made clear that without the adoption, implementation, and regular review of all of the essential cybersecurity policies, local governments put themselves at unnecessary risk. Imagine, for example, a local government without an acceptable use policy (AUP). How will officials, staff, vendors, and other end users know what to do and what not to do? Intuition? Osmosis? These are clearly not good options and will inevitably lead to problems. Hence, this chapter strongly recommends that local governments adopt a suite of policies that govern cybersecurity expectations, control requirements, and standards of conduct for users.

Chapter 8 established that people are the “root of the problem” in local government cybersecurity. Yes, people make mistakes, don’t follow rules, and can be malicious – all of which can lead to cybersecurity problems. At the same time, people can be great assets to local government cybersecurity. If properly trained and managed, they can be an important line of defense by identifying and reporting anomalies that they observe in local IT systems, emails that seem suspicious, and otherwise help foster a culture of cybersecurity awareness, if not cognizance, at all levels of local government.

The NIST Cybersecurity Framework is addressed and, hopefully, demystified in Chapter 9. This framework is important because it provides guidance to all organizations, including local governments, regarding steps that should be taken to establish and maintain strong and effective cybersecurity programs. Local governments looking for a solid and industry-accepted approach to cybersecurity program development should charge their cybersecurity leadership and teams with following those guidelines to implement the highest levels of cybersecurity possible.

Cybersecurity law, which is rarely covered in books providing information and guidance to organizations about cybersecurity, was addressed in Chapter 10. Laws and regulations govern how local governments must protect their information systems and sensitive data. Local government cybersecurity programs must consider compliance obligations imposed by federal law and regulations, state law, and even some international regulations such as the EU's GDPR. Although the variety of applicable laws and regulations can seem overwhelming to non-lawyers, following them helps local governments achieve higher levels of cybersecurity protection.

In order to do their jobs effectively as leaders of local governments, top elected and appointed officials need to know questions about their governments’ cybersecurity that they should ask themselves and their cybersecurity teams. Chapter 11 discussed several such questions and also made the case that asking such questions should never be a one-off activity. Rather, top officials should engage in ongoing conversations with their cybersecurity experts on a range of important cybersecurity issues facing their local government organizations.

Looking ahead, Chapter 12 suggested what the future of cybersecurity holds for local governments. Just as in the present day, both offensive and defensive cybersecurity tools, techniques, and procedures will continue to evolve, and local governments must stay informed about how this evolution affects them. Local governments must also be agile and flexible enough to respond to changes in the threat landscape presented by the constant evolution of internet technologies in order to provide the most effective cybersecurity possible to their organizations.

Throughout this book, several themes should be apparent. First, local governments are under constant or nearly constant cyberattack, and the number of attacks is increasing. For example, between 2019 and 2020, ransomware attacks in the US alone more than doubled (Nakashima, 2021). There is no expectation that this trend will reverse itself anytime soon.

Second, many cyberattacks succeed. As this book and many cybersecurity practitioners routinely warn, it is not a question of if your local government will be successfully attacked, but when. Indeed, even the most well-defended information systems are likely to experience periodic attacks, breaches, or other cybersecurity incidents. What makes things worse, however, is that most local governments do not practice or manage cybersecurity well. This is the book's third major observation. Poor cybersecurity practice and management is almost certainly true, at least at this writing, of most organizations. But local government officials should take no solace here: when a local government makes today's cybersecurity headlines, it is the very organization for which those officials are responsible, not some business large or small, that has practiced and managed cybersecurity poorly.

One of the most important reasons, and perhaps the most important, that local governments do not manage and practice cybersecurity well is that too often top elected and appointed officials are not sufficiently invested in cybersecurity. This is the fourth major lesson of this book. As Atlanta's mayor said after her city's ransomware attack in 2018, cybersecurity had not been a priority. Too often, cybersecurity does not become a priority until after a breach. Even then, the lesson does not always take, as the example of Baltimore's back-to-back breaches in 2018 and 2019 demonstrates.

Fifth, the top barrier to cybersecurity across organizations, including local governments, is lack of funding. This is not entirely unexpected: why would one expect otherwise, considering that top officials are not sufficiently invested in cybersecurity and that these same officials control their local governments' purse strings? Adequate funding is essential to provide adequate cybersecurity staffing, technology, training, policies, and procedures, in short, everything that is needed to ensure appropriate levels of cybersecurity and better cybersecurity outcomes.

The sixth and final significant lesson from this book is that too many local governments are a generation or more behind current best cybersecurity practices. The 2016 survey found that just over half of local governments reported their cybersecurity technology was at the best-practice level. Further, as the data in Chapter 6 show, the share of local governments reporting that current best practices were in use for cybersecurity policies and procedures was even lower. This places local governments at greater, often much greater, risk than is necessary or than their officials and residents should tolerate.

13.2 Important Recommendations

These and other findings presented throughout this book lead to recommendations that, if adopted and implemented, can help local governments manage and practice cybersecurity much more effectively. Many of these recommendations have been made elsewhere in this book but are sufficiently important to warrant repeating.

Perhaps most important, top elected and appointed officials must be fully supportive of and committed to effective cybersecurity for their local governments. The evidence shows that too many top officials are not engaged in and committed to cybersecurity. As mentioned earlier, if these officials are not committed to cybersecurity, those rank-and-file employees beneath them will understandably wonder, “If they don’t care, why should I?”

So what can be done to ensure buy-in from top officials? One important step is for local governments to formally elevate their top IT and cybersecurity officials (typically CIOs and CISOs) to positions within the top management team in the organization. These technology leaders should be regarded as key advisors to the city or county manager, the mayor or county executive, and other top officials, and should be tasked to brief these officials as well as local legislative bodies regularly on cybersecurity matters.

Of course, no cybersecurity program can just materialize on its own. It must be adequately funded and staffed. Regardless of a local government’s budgetary situation and regardless of whether top officials say they support cybersecurity, if those officials do not provide adequate funding and staffing, it is more likely than not that bad cybersecurity outcomes will occur. Adequate investment in cybersecurity is essential to ensure adequate cybersecurity staffing, technology, policies, and practices. Without it, local governments are at unnecessary risk for adverse cybersecurity outcomes. So: fund it and staff it, for actions speak louder than words.

Local governments must provide cybersecurity awareness training for all parties, regardless of their rank or job title, and the training must be mandatory. Training must begin when new employees are hired and when new elected officials join the local government, and it must be repeated periodically throughout employees' and officials' careers in the organization. Training must also be tightly connected with accountability measures so that when (not if) a member of the organization violates rules set forth in the AUP, whether accidentally or intentionally, that party receives appropriate counseling. Should violations continue, more serious accountability measures should follow, such as loss of user privileges or, in the case of employees (though likely not elected officials), termination of employment.

The 2016 survey found that barely a third of local government cybersecurity policies reflected industry best practices. This constitutes cybersecurity malpractice and must be rectified. If local governments' cybersecurity policies do not at least reflect current best practice, those governments are, once again, at unnecessary risk of adverse cybersecurity events. Policies (and their enforcement within organizations) are every bit as important as cybersecurity technology and practices. Policies also establish the foundation of, and expectations for, a cybersecurity program. Best cybersecurity practices can be found in documents and advice provided by organizations such as NIST, CISA, local government membership and professional organizations, and other local governments. Wherever they are found, the important point is that local government officials should demand (and fund) the adoption of cybersecurity best practices throughout their organizations.

To confirm those policies and procedures are followed and remain effective in the face of a constantly changing cybersecurity environment, local governments should adopt a philosophy of continuous improvement. At a minimum this means that they will continuously assess and evaluate cybersecurity policies, procedures, practices, and controls for effectiveness. Inculcating a serious commitment to continuous improvement helps to ensure that cybersecurity policies and procedures are current and actually doing what management expects them to be doing. Continuous improvement activities not only help foster a cybersecurity culture, but also develop and share institutional knowledge that can keep cybersecurity policies and procedures current and relevant.

As local governments develop or enhance their cybersecurity postures in the face of nearly constant cyberattacks, they would do well to embrace the concept of resiliency. Just as they plan to keep the critical functions of government operating during natural disasters or other emergencies, the same approach can be applied to IT systems to ensure they remain functional when under duress. This risk-based, systems-oriented planning process, which ideally involves stakeholders from the CIO, CISO, and facilities management teams (among others), can help minimize the impact of a cyberattack on government operations and thus keep the wheels of government turning when they are needed most.

Remember the CIA triad from Chapter 2. Ensuring and protecting the “Availability” of IT systems is a core function of cybersecurity teams.

Partnering with other local governments in the region, joining information sharing and analysis centers, and building relationships with the cybersecurity experts at the FBI and CISA are essential to local governments attaining cybersecurity resiliency. MS-ISAC already has at least 10,706 local governments and local agencies as members and provides exceptional threat information and other resources to help improve local government cybersecurity, such as incident response services, a 24/7 security operations center, and education materials like tabletop exercises. The FBI and CISA also provide incident response assistance. If relationships with such organizations are established before an adverse cybersecurity event takes place, the trust and familiarity already built will help the local government respond and recover more quickly.

Finally, all local governments should develop a culture of cybersecurity within their organizations. Among other reasons, the purpose of a culture of cybersecurity is to ensure that good cybersecurity practices (the proverbial “cyber-hygiene”) are prevalent throughout the organization and among all personnel. To be most effective, a culture of cybersecurity starts from and must be maintained by those at the top of the organization. That is, top elected and appointed officials must develop and demonstrate ongoing commitment to cybersecurity through effective policies, management actions, and practice of “cyber-hygiene.” Indeed, cybersecurity is everyone’s responsibility – crafting and inculcating an appropriate awareness of and responsibility for cybersecurity by everyone in the organization can provide a solid, and most importantly, proactive, way of helping minimize potential cybersecurity problems.

13.3 Conclusion

Providing and maintaining effective cybersecurity is important for organizations of all types and sizes in the modern world. It is especially important to local governments because they are public organizations that serve residents, businesses, visitors, and others, and that provide vital public services. When local governments are successfully attacked (see the examples of Atlanta and Baltimore, and countless others), their ability to provide those services is not only compromised but can be, and often is, rendered impossible for periods of time. Local governments (and other organizations) can take months to recover from adverse cybersecurity events, which can cost millions of dollars, damage the trust of residents and others in the affected local government, and be a source of considerable embarrassment to local officials.

Consequently, the authors of Cybersecurity and Local Government believe that the top elected and appointed officials in local governments should take quite seriously the findings and recommendations presented in this book. They must adopt and implement the cybersecurity technologies, practices, and policies necessary to achieve the most effective levels of cybersecurity possible for their organizations. Accomplishing this requires political courage and the management chops to identify, assign, and spend the necessary resources to meet this critical local need in an era of ongoing fiscal stringency. At the same time, these officials should remember that local government does not exist in a vacuum and that plenty of free or low-cost resources exist that can help make this process easier, as will learning from, emulating, and collaborating with other government entities at the local, state, or federal levels.

The choice is a serious one for local governments. Admittedly, there are costs involved no matter what decision is taken. Nevertheless, local governments must prepare either to take proactive actions now to improve their cybersecurity, or prepare to face the inevitable technical, operational, financial, and public consequences of failing to do so.

Note

  1. The Census Bureau estimates that around three-quarters of the nation's incorporated places had fewer than 5000 residents in 2020 and, among them, more than four in ten had 500 persons or less (Toukabri and Medina, 2020). Moreover, the vast majority of US municipalities (78 percent) have populations of 10,000 or less, 5866 out of 7524 (ICMA, 2013). This does not include the 12,801 municipalities with populations of less than 2500 (Miller, 2018).

References

  1. International City/County Management Association (ICMA) (2013). The Municipal Yearbook 2013 (pp. xii and xv).
  2. Miller, B. (2018, December 3). Nearly half of U.S. cities have fewer than 1,000 residents. Government Technology. https://www.govtech.com/data/nearly-half-of-us-cities-have-fewer-than-1000-residents.html
  3. Nakashima, E. (2021, September 18). U.S. aims to thwart ransomware attacks by cracking down on crypto payments. Washington Post. http://thewashingtonpost.pressreader.com/epaper/viewer.aspx
  4. Toukabri, A. and Medina, L. (2020, May 21). Latest city and town population estimates of the decade show three-fourths of the nation's incorporated places have fewer than 5,000 people. U.S. Census Bureau. https://www.census.gov/library/stories/2020/05/america-a-nation-of-small-towns.html