For a number of years, ICMA has advocated for local governments to strengthen their defenses against cyber threats. Attacks on local governments show no sign of slowing down, and global events like the war in Ukraine are increasing the risk that national and criminal actors may strike targets of opportunity including local governments.

The “C-Suite” are those executive-level managers typical to organizations of all kinds. In local governments they might include elected mayors and councilmembers and appointed chief administrative officers who provide leadership for the jurisdiction and its operations.

Cybersecurity is not the CIO's or the IT team’s problem alone; it is an enterprise-wide challenge that deserves serious attention from elected and appointed leadership all the way down to the staff level. In particular, local government leaders must start thinking about ransomware as a potential cyber disaster and how the community’s executive team will lead the local response.

Why Should Cybersecurity Be Elevated to a Leadership Level Issue?

Local governments often operate critical infrastructure including water and wastewater treatment systems, and public health and safety operations. Some communities in the United States also operate electrical and other utilities. Traffic systems increasingly rely on sensors and other technology. Attacks on these kinds of systems are not out of the question and have been attempted repeatedly in recent years, and in many cases have succeeded in causing disruptions. Further, local governments sit on mountains of data, and citizens increasingly access city or county services online. Water bills, deeds for real estate transactions, traffic tickets, access to open data sources, and many other functions and services from routine to essential can be impacted for unknown lengths of time.

Second, no local government is immune. Hearing about attacks on such major cities as Atlanta or Baltimore in the United States may come as no surprise; however, attacks have also focused on smaller communities. Numerous small and mid-sized jurisdictions have been hit with cyber attacks, including ransomware and data breaches. In his research conducted for ICMA, University of Maryland, Baltimore County professor Dr. Don Norris offers some suggestions for smaller communities in the United States that may not have the financial or human resources of larger cities.

Cyber Recommendations for Small Communities in the United States

1. If feasible, hire a qualified cybersecurity professional as chief of cybersecurity. If you are unable to hire additional staff, designate an existing role as the CISO.
2. Partner with other local governments, neighboring jurisdictions, or school districts to share cybersecurity costs.
3. Consider outsourcing some or all cybersecurity.
4. Seek help from area colleges and universities.
5. Contact the state or local National Guard to learn what support the latter may be able to provide. There are 59 National Guard cyber units across the nation and its territories, with approximately 4,000 cyber operational personnel that may be available as a resource when planning for and responding to cybersecurity events.
6. Contact national organizations serving local governments that often have useful resources. For example, ICMA publishes works on cybersecurity for local governments and provides training through its Cybersecurity Leadership Academy.
7. Consider participating in the Multi-State Information Sharing and Analysis Center (MS-ISAC), whose mission is “to improve the overall cybersecurity posture of the nation’s state, local, tribal and territorial governments through focused cyber threat prevention, protection, response, and recovery.” Access its list of local government partners here.
8. Consider participating in state and regional organizations that provide cybersecurity support, such as the Michigan Cyber Civilian Corps, the Massachusetts Mass Cyber Center, or the Los Angeles Cyber Lab.

In the aftermath of mega-disasters in the United States during the early 2000s (i.e., 9/11, Hurricane Katrina), local governments took a more serious look at disaster mitigation, resiliency, and continuity of operations planning and preparedness. Today, and going forward, local governments must prepare for this new kind of disaster. As a recent ICMA report on natural and human caused disaster recovery further suggests, the question is not if your community will need to recover from a crisis, but when. This is not to say that every community will face a massive cyber threat, but a local government’s posture should be to act and prepare as if a ransomware or other cyber attack is lurking just over the horizon. Creating a more resilient community now means being ready to respond, restore, and recover from a virtual strike that may not be visible until the damage has been done.

Final Thoughts

In the United States, new resources become available all the time. Most recently, the Infrastructure Investment and Jobs Act included language creating a new cybersecurity grant program for state and  local governments. Key cybersecurity elements of the law include $1 billion for grants to strengthen state and local cyber defenses as well as resources to support public utilities and the energy sector. Additional resources will be available to help public sector and private enterprises respond to a significant cyber attack.

In a book chapter published by the IBM Center for the Business of Government, ICMA Executive Director Marc Ott, member and city manager Lee Feldman, and Tad McGalliard argued that

The smarter city managers of 2040 will lead an interconnected community of sensors, automation, data, IoT, and artificially intelligent technologies that will enable them to visualize issues and challenges in ways that today’s managers cannot. With this level of operational intelligence and seamless interconnectivity comes the parallel risk of systemic failure if cybersecurity is not a core part of local government administration. The cyber terrorist would just as easily disrupt local government services to make a political statement as to demand a ransom. The manager of tomorrow will need to lead from the front to ensure the safety and security of the underlying smart city systems.

The predictions were off by two decades. The time to lead on this issue is now.