Decrypting Lessons from the 2019 Cyber Attacks

A local government’s posture should be to act and prepare as if an attack is lurking just over the horizon.

ARTICLE | Aug 26, 2019
By Tad McGalliard, director, Research and Development and Laura Goddeeris, director, Survey Research

For the past three years, ICMA has touted the need for local governments to strengthen their defenses against cyber threats and attacks. With months yet to go, 2019 is already a stark reminder of the havoc that can ensue when an attack is launched on a locality’s information technology systems. In early May, just over a year after successfully mitigating an attack on its 911 servers, the city of Baltimore discovered it was the victim of another ransomware attack, this one knocking numerous systems offline and grinding routine functions to a halt. While the true cost of the event’s many disruptions and the expenses for restoring the city’s systems likely won’t be known for months, early estimates already reach well into the millions.

By the time of the latest Baltimore incident, about two dozen publicly reported cyber attacks had already occurred against state and local governments in 2019, according to a study by Allen Liska and Recorded Future. And Liska acknowledges there are reasons to believe these types of attacks are undercounted. Regardless, recent attacks in Texas have nearly doubled that total, possibly making 2019 a record year for this growing challenge to city and county governments.

So, what can we learn from this season of evolving cyber threats?

First, no local government is immune. Hearing about attacks on Atlanta (2018), Baltimore (2019), or the LAPD (2019) may come as no surprise; however, the strafing run across Texas this August signals a shift in strategy and should be a wakeup call for city and county managers running communities of all sizes. Local governments sit on mountains of data, and citizens increasingly access city or county services online. Water bills, deeds for real estate transactions, traffic tickets, access to open data sources, and many other functions and services from routine to essential can be impacted for unknown lengths of time in places large and small.

Second, if your community has not invested in cybersecurity, now is a good time to start. If there were a national surgeon general for cybersecurity, the good doctor would tell you that it’s never too early to invest in your community’s cyber defenses. A recent blog post by ICMA’s chief technology and innovation officer and ICMA’s 2016 report on local government cyber policies and programs showcase some of the tools (e.g., periodic staff training, multifactor authentication, cybersecurity insurance) that local governments are leveraging, and not all of them are exorbitantly expensive technologies. Phishing, which has gotten far more sophisticated since the early days when many of us were promised millions in an email from a Nigerian prince, is one place to up your game. Simple trainings to alert staff to the cues and clues of a potential phishing attack may go a long way toward stopping it before the virus uncoils inside your IT network.

Third, in the aftermath of mega-disasters in the early 2000s (e.g., 9/11, Hurricane Katrina), local governments took a more serious look at disaster mitigation, resiliency, and continuity of operations planning and preparedness. Today, and going forward, local governments must prepare for this new kind of disaster. ICMA’s 2016 survey on cybersecurity signaled this need to raise awareness, finding that approximately 1 in 3 local governments didn’t know how frequently their information system was subject to attacks, incidents, or breaches. But among those that did, 60% reported that they were subject to cyberattacks at least daily. So, as a recent ICMA report on natural and human-caused disaster recovery further suggests, the question is not if your community will need to recover from a crisis, but when. This is not to say that every community will face a massive cyber threat, but a local government’s posture should be to act and prepare as if a ransomware attack is lurking just over the horizon.

Finally, the federal government and many states are elevating cyber threats as a new attack vector on the homeland. Look at the national agencies involved in cybersecurity: the U.S. Department of Homeland Security (DHS) and the FBI, among others. The Cybersecurity and Infrastructure Security Agency Act signed into law in November 2018 created a new federal agency within DHS. In Texas, the Division of Information Resources is leading the recovery effort for its latest multijurisdiction attack; however, the state’s Division of Emergency Management and the Texas Military Department (i.e., National Guard) are also involved, as they would be in other states. At the local level, ICMA has been advocating that cybersecurity is not the CIO and/or the IT team’s problem alone; it is an enterprise-wide challenge that deserves the full attention of elected and appointed leadership. Local government leaders must start thinking about ransomware as a potential cyber-disaster and how the community’s executive team will lead the local response. To help in that regard, ICMA and NACo are offering a new online course on cybersecurity leadership that begins in September 2019.

In a book chapter published last year by the IBM Center for the Business of Government, ICMA’s Executive Director Marc Ott, member and city manager Lee Feldman, and Tad McGalliard argued that

The smarter city managers of 2040 will lead an interconnected community of sensors, automation, data, IoT, and artificially intelligent technologies that will enable them to visualize issues and challenges in ways that today’s managers cannot. With this level of operational intelligence and seamless interconnectivity comes the parallel risk of systemic failure if cybersecurity is not a core part of local government administration. The cyber-terrorist would just as easily disrupt local government services to make a political statement as to demand a ransom. The manager of tomorrow will need to lead from the front to ensure the safety and security of the underlying smart city systems.

The predictions were off by two decades. The time to lead on this issue is now.
