Graphic of interconnected locks symbolizing cybersecurity


Greenville, North Carolina; Torrance, California; New Orleans, Louisiana; and 22 cities in Texas were among hundreds of local government organizations that reported cyberattacks in just 2019 and 2020. Over the past decade, American local governments have increasingly become targets of cybercriminals and victims of ransomware  attacks.

Cybersecurity has become synonymous with disaster resilience, and local government managers must place an emphasis on preparing for cyberattacks against their organizations. This report analyzes the current landscape of cybersecurity in local government and is based on an extensive review of the literature since 2000; data from previously conducted surveys (2016, 2018, and 2020); and conversations with chief information security officers (CISOs) and other information technology (IT) officials from local governments in the United States.

According to the cybersecurity firm Emsisoft, in 2019, the United States experienced “…an unprecedented and unrelenting barrage of ransomware attacks that impacted at least 966 government agencies, educational establishments, and healthcare providers at a potential cost in excess of $7.5 billion.”1 Prominently included among organizations hit by ransomware attacks were 113 local and state governments and agencies. During the first two quarters of 2020, another 60 federal, state, and local governments and agencies were hit by ransomware attacks.2 These statistics include only ransomware attacks, but we know from prior research that local governments are under constant or nearly constant cyberattack from many directions.3

Attacks include such vectors as email, phishing, spear phishing, brute force, zero day and denial, and distributed denial of service. See Table 1 for brief descriptions of these types of attacks and Appendix 2 for more information. Cybercriminals can and do use all of these vectors to attack local government IT systems, hold them for ransom, exfiltrate data, and otherwise do damage.

Table 1: Key Cyberattack Definitions

Malware: Malicious software installed that can encrypt data and files, block user access, exfiltrate data and files, etc.
Ransomware: Type of malware that encrypts sensitive data and files to then demand a ransom to unlock the encrypted information.  
Phishing: A form of social engineering in which cybercriminals “go fishing” for victims by sending emails, seemingly from trusted parties, with promises, opportunities, or threats to deceive victims.
Spear phishing: Spear phishing is a more sophisticated form of phishing in which the cybercriminal uses just enough information to make the victim believe the email came from someone known to the victim or another trusted source.
Brute force: An attack method where an attacker uses a tool such as software to continuously “bang away” to gain access to a victim’s computer, network, or IT system.
Zero-day: An attacker’s identification of a weakness in a network or IT system, such as utilizing defects in outdated software versions.
Denial of Service (DoS): An attack that sends massive volumes of traffic to overwhelm an organization’s website or server.
Distributed Denial of Service (DDoS): A type of DoS attack that uses multiple computers simultaneously to shut down a website or server to all users.

See Appendix 2 for expanded descriptions.

The cost of cyberattacks is enormous, and it increases every year. A 2016 report estimated that cybercrime would have a worldwide annual cost of $6 trillion by 2021, a significant increase over the $3 trillion in 2015. “This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, and will be more profitable than the global trade of all major illegal drugs combined.”4 Another source estimates that by 2025, cybercrime will cost the world economy $10.5 trillion and be equivalent to the third largest economy in the world after the United States and China. In the United States, two well-publicized cases of local government breaches—Atlanta, Georgia, in 2018, and Baltimore, Maryland, in 2019—cost those cities $15 million and $18 million, respectively. For more information, see the case studies of
these attacks later in this report.

Why Are Local Governments Targeted?

The first factor is the sheer number of American local governments—90,075 units, of which 38,779 are general purpose governments, including 3,031 county governments, 19,475 municipal governments, and 16,253 town or township governments.5 Except for the smallest of them, these governments have critical IT systems and cumulatively spend billions of dollars each year to support them. In 2019, Government Technology magazine estimated state and local government spending on IT for that calendar year at $107.6 billion.6

Second, America’s local governments store considerable amounts of sensitive information, especially personally identifiable information (PII) such as names, addresses, driver’s license numbers, credit card numbers, social security numbers, and medical information. In addition, they have contractual, billing, and financial information of the governments themselves. This information is valuable to cybercriminals because they can sell the data or hold it for ransom, and obtaining it is often the purpose of cyberattacks. Over the past few years, numerous local governments have reported the loss of PII and other sensitive data through data breaches and information exfiltration. As local governments move into the world of smart cyber physical systems in such domains as traffic, wastewater, electricity, etc., they place those and related systems at greater risk of physical harm and damage resulting from breaches, to say nothing of the impact on public trust.

Third, cybercriminals are very good at what they do. In recent years, the availability of low cost but effective hacking tools that require little technical knowledge has made it is relatively easy to get into the business of cybercrime, thus increasing the number and types of cybercriminals. This means that even inexperienced hackers can break into well-defended IT systems.7 Poorly defended systems (research that colleagues and I conducted has shown that local governments systems, on average, are not well defended) are even easier to breach.8 Cyberattacks are deployed by a variety of actors, including external actors (both individuals and organizations), malicious insiders, nation states, hacktivists, and terrorists. Perhaps the clearest contemporary example of this is the well-documented ongoing Russian government interference in U.S. elections.

Fourth, local governments operate under financial constraints, sometimes severe ones, that limit their ability to acquire and implement state of the practice cybersecurity technology, policies, and practices. Financial limitations also mean that most, if not all, local governments cannot compete with the private sector in hiring and retaining qualified cybersecurity staff. The top three barriers to effective cybersecurity reported in a 2016 nationwide survey were inability to pay competitive salaries to cybersecurity employees (58.6%); insufficient number of cybersecurity staff (53.1%); and lack of funds (52.8%). All three involved funding or lack thereof.9

Last, the Internet of Things (IoT), a global phenomenon that permits electronic devices of various kinds to connect to the internet for various purposes, has introduced new vulnerabilities and risks for local governments. This is especially true of local governments endeavoring to create “smart cities” by deploying internet-connected devices to provide, monitor, or manage such services as public transit, solid waste collection, traffic lights, traffic congestion management, water meter reading, potable water provision, security cameras, and many more. By one estimate, in 2018, there were seven billion IoT devices worldwide, 26.7 billion in 2019, 31 billion in 2020, and a projected 75 billion by 2025.10 

For local governments, the spread of IoT devices greatly increases the “attack surface” that makes them vulnerable to cyberattacks. Moreover, the devices may be numerous and heterogeneous, with different manufacturers, capabilities, and interfaces. The result is a system that is inherently difficult to monitor and update as new security vulnerabilities are discovered. Other risks are that the devices can be disabled, have their sensor data stolen or modified, or have their activator functions used inappropriately to cause damage.

For these and perhaps other reasons, it is critical that local governments, especially their top elected and appointed officials, understand:

  • The cyberthreats that their governments face.
  • The actions they should take to protect their information assets from attack and to mitigate the damage after successful attacks.
  • The gaps between the actual cybersecurity practices of local governments and the cybersecurity threats that they face.
  • The barriers that their governments encounter when deploying cybersecurity.

Local officials must also provide their support for their cybersecurity technology, practices, policies, and staff needed to ensure that the highest levels of cybersecurity are maintained throughout their organizations.


This section presents findings from a survey conducted in 2020 among a cohort of CISOs in 14 mainly larger U.S. local governments with a population range of 220,000 to 3,979,576: Boston, Massachusetts; Chicago, Illinois; Dallas, Texas; Detroit, Michigan; Fairfax County, Virginia; Los Angeles, California; Memphis, Tennessee; Nashville, Tennessee; San Francisco, California; and Seattle, Washington. Four of the responding governments did not choose to divulge their names. 

The survey asked a series of questions on the structure of cybersecurity operations, types of attacks and attackers, cybersecurity policies, barriers to trainings, awareness, and support within local governments. (See Appendix 1 for the full list of questions.)

This author expressly thanks the members of the recently formed Coalition of City CISOs for their support of and participation in this survey.11 A CISO is defined here as the main employee responsible for the organization’s cybersecurity practices and policies. Depending on the size of the local government, this can be in a position entirely dedicated to cybersecurity or could be an IT or other staff member with cybersecurity as only one of their duties.

This section also compares findings from the 2020 survey with the results of two nationwide local government cybersecurity surveys (conducted in 2016 and 2018). The section unfolds as follows: First, it presents basic information about the responding governments’ cybersecurity operations. Second, it discusses cybersecurity attacks and attackers. Third, it addresses cybersecurity policies, barriers to cybersecurity, cybersecurity training, and awareness of and support for cybersecurity among various parties in these governments.

The Structure of Cybersecurity Operations


The great majority of local governments in the 2020 survey (71.4%) responded that their CISO or other officials responsible for cybersecurity reported to the chief information officer (CIO), while 14.3% reported to the chief technology officer (CTO) or the city or county manager, respectively. This is not surprising since CISOs are often viewed as subordinate to top IT officials, such as CIOs and information technology directors (ITDs). There is an emerging trend, mainly within the corporate world, for CISOs to be elevated to positions equivalent to CIOs and to report directly to the CEO. According to a 2018 survey conducted by PWC, 40% of firms worldwide said that their CISOs reported directly to the CEO.12

While this trend has yet to make much headway among local governments, there are good arguments for having the CISO report directly to the top elected and/or appointed official. This would elevate the importance of cybersecurity throughout the organization and improve the CISO’s ability to communicate directly with the top officials in the local government.

The survey also asked if the CISOs had total control over their local governments’ cybersecurity. Nearly two-thirds (64.3%) said they had total responsibility while just over one-third (35.7%) said it was divided. It then asked, if responsibility is divided, among what offices (see Table 2). The division of cybersecurity responsibility was somewhat different among these local governments. In 7.1%, each department had a cybersecurity official who “matrixes” to the CISO. In 21.4%, certain agencies or departments are responsible for their own cybersecurity. And in 7.1%, IT is divided into two groups, and the leaders of each report to the CIO. One government’s CISO had responsibility for cybersecurity but reported that “…my counterpart is able to appeal my recommendations.”

Table 2. Responses to the Question, “If responsibility is divided, among what offices?”

  • My team is the only cybersecurity team within [my city]. However, we have a decentralized IT organization and I do not have cybersecurity authority over other technology groups (i.e., [names units over which CISO has no control]).
  • Sister agencies are independent. [Provides short list of them.]
  •  IT is split into two groups. While I have all of Cyber, both groups report to the CIO. Therefore, my counterpart is able to appeal my recommendations.
  • There are some operational components to cybersecurity [names a couple] that are held by certain departments [names three].
  • Each department has a department information security officer who matrixes to the city CISO.

Organizations, including local governments, generally structure their cybersecurity in one of three ways: centralized, decentralized, and federated. In a centralized system, there is a single office or department for cybersecurity for the entire organization. In a decentralized system, each department is responsible for its own cybersecurity. In a federated model, there is a mix in which the CISO is responsible for some elements of cybersecurity and individual departments are responsible for others.13 

Dividing cybersecurity responsibility is generally considered a poor practice because it means that the CISO is not totally in charge of this function, and therefore cannot set the rules for all units and end users, and is not able to hold all units and end users accountable for their cyber behavior. One of the CISOs in the survey indicated that he had to work with over 50 units in his local government that had individual cybersecurity authority. If one unit does not properly set cybersecurity policy and practice, the whole organization can be at risk. Such a structure makes it unnecessarily difficult to manage cybersecurity.


Cybersecurity in local governments involves, among other things, managing in-house staff, cybersecurity contractors, and end users. The numbers of in-house staff reported from the 2020 survey varied considerably with 7.1% reporting no cybersecurity staff and 7.1% with 24 in-house staff. The number of cybersecurity staff was not proportional to local government population, although larger governments tended to have more cybersecurity staff. Among the jurisdictions in the sample with populations from 220,000 to just under 700,000, the number of in-house cybersecurity staff ranged from zero to 12. Among the group with populations between 700,000 and less than one million, their range was similar from 0 to 14. Among the jurisdictions greater than one million, one had seven, one had nine, one had 12, and one had 24.

The situation with cybersecurity contractors was rather different from that of in-house staff, with half of the governments reporting that they had no contractors. Among the jurisdictions with populations between 220,000 and 700,000, two had zero cybersecurity contractors, two had one, one had two and one had six. Three jurisdictions between 700,000 and a million had zero contractors, and one had four. Among those with populations greater than 1 million, two had zero, one had four and one had eight. Overall, the data suggest that, with one or two exceptions, these local governments do not have sufficient cybersecurity personnel to properly maintain high levels of cybersecurity.

Next, the survey inquired about the number of end users in these governments. The range of was from 2,200 to 45,000. As might be expected, these numbers generally corresponded to the size of the local government, with larger governments having more and smaller ones having fewer end users, although there is not a precise match.

For current purposes, what is perhaps most important is not the number of end users but the percent of end users that fall under the CISO’s responsibility. In all but 21.4% of local governments, 100% of end users fell under the responsibility of the CISO. A total of 7.1% reported 25%, 7.1% responded 60% and 75%, while 7.1% did not report.     

The fact that all end users do not fall under the responsibility of the CISO means that these cities’ cybersecurity is more at risk than it should be. This is because end users of a government’s IT system who are not under the CISO’s responsibility do not have to follow the same rules as those under such responsibility (indeed, they may operate under different rules altogether); they are not required to take the same training; and they cannot be held accountable for their cybersecurity actions as can end users under the CISO’s responsibility.


As previous studies have shown, lack of adequate funding is a major barrier to achieving high levels of cybersecurity.14 The 2020 Deloitte-NASCIO Cybersecurity Study (based on a survey of state CISOs) found the same among state governments. Three of the top five barriers involved funding: lack of funding, lack of cybersecurity staff and lack of dedicated budget.15 Consequently, the survey asked about the level of cybersecurity spending. According to the same report, most states spend under 3% of their IT budgets on cybersecurity, which is far less than financial institutions and federal agencies. By contrast, according to Gartner, average spending by U.S. businesses on cybersecurity is between 5% and 8% of companies’ IT budgets.  Moreover, only about one-third of states have formally established cybersecurity budgets.16

Among the local governments in the 2020 survey, the average spending was 4.09% of the IT budget, and the range was between zero and 10.0%. A total of 57.1% of these governments spent less on cybersecurity (as a percent of their IT budgets) than Gartner found among U.S. businesses, while 35.7% were within or greater than Gartner’s estimate. A total of 42.9% spent less than NASCIO found among state governments while 57.1% spent more. These responses tend to confirm that funding for cybersecurity is inadequate or not on par for at least some of these local governments. This is not surprising because studies of IT and government, e-government and cybersecurity among local governments have consistently produced similar results. As local governments across the nation have learned the hard way, inadequate spending on cybersecurity often results in the predictable—breaches and the high cost associated with them.  


Last, the survey inquired about whether and to what extent local governments outsourced cybersecurity. Half of the respondents said that their governments outsourced cybersecurity partially, and half said they did not outsource at all. None outsourced cybersecurity completely. The functions that were partially outsourced are found in Table 3. These findings are somewhat consistent with findings from the 2016 survey where 60.5% did not outsource, 31.3% outsourced partially, and 8.2% outsourced totally. In their 2018 survey, Hatcher, et al., found that 50.9% outsourced at least some of their cybersecurity functions, while 38.8% did not and 10.3% did not know.17 Of those that outsourced, 35.7% outsourced all cybersecurity.

Table 3. Responses to the Question, “If you outsource cybersecurity, what principal functions are outsourced?”

  • PCI scanning and penetration testing.
  • We use contractors and a number of vendor tools to monitor the network.
  • 24/7 monitoring of cyber threats.
  • 24/7 monitoring of our IPS.
  • IT operation; SOC (security operation center).
  • Some is outsourced [no list provided].
  • Some monitoring and vulnerability scanning.

Given the passage of time since those surveys, one might have expected greater adoption of outsourcing in the 2020 survey, especially among a sample of local governments that consists mostly of large to among the largest U.S. local governments, where presumably the need for cybersecurity is greater and budgetary resources are also greater. One might also have expected that larger jurisdictions that devote relatively small numbers of in-house staff to cybersecurity would have taken greater advantage of outsourcing. Neither of these results were evident from the survey.

Outsourcing is seen by many observers as an important way to improve cybersecurity in organizations, especially in smaller ones with limited cybersecurity staffing and funding capabilities. A total of 85% of participants in a recent Deloitte survey said that they had “…some level of reliance on vendors and managed service providers to provide cybersecurity operations, with 66% of those outsourcing between 21% and 66% of cybersecurity operations.18 

Local governments can contract with cybersecurity vendors for some or all of their cybersecurity needs and, in doing so, have access to the skills, expertise, and experience of literally hundreds of cybersecurity professionals or more. As the chief security officer in a Maryland county noted: “Google has 2,000 security engineers…I’ve got four.”19  Outsourcing also transfers some or much of the responsibility for securing critical data and information from the local government to the vendor. However, one source notes that many CISOs are “uncomfortable” having their data handled by anyone or organization outside of their organization, and therefore, this may account for the rather slow adoption of outsourcing.20 

Attacks and Attackers


This section discusses attacks and attackers against U.S. local governments. The first question concerned the frequency of cyberattacks. Both the 2016 survey and earlier research found that local governments are under constant or nearly constant attack.21 Those findings are largely confirmed in this survey. Just over half of respondents said constantly, more than a quarter said hourly, and 14.3% said daily. Unlike the 2016 survey, none of the governments in the 2020 survey said that they did not know how frequently they were under cyberattack. This finding represents a welcome improvement, although may be attributed to the small sample size. If local governments (or any organizations, for that matter) do not know whether they are under cyberattack, they have opened the door to cyberattacks. All local governments must implement
technologies and policies, such as those outlined later under the “cybersecurity policies” section, that allows them to be continually aware of their cyber environment and the risks they face.

The survey then asked whether these governments had experienced “incidents” or “breaches” during the previous year, using Verizon’s definition of those terms.22 An incident is “an event that compromises the confidentiality, integrity or availability of an information asset.” A breach is “an incident that resulted in confirmed disclosure (not just exposure) to an unauthorized party.” Only 7.1% of the governments reported no incidents in the past year and 7.1% did not know; 21.4% of governments responded they had one incident; 14.3% said two incidents; 28.6% said three incidents; and 21.4% said more than five incidents. These responses confirm that the bad guys not only attack often, but that they also get through local governments’ defenses, and confirm that local governments need sufficient resources to better protect their information assets.

Half of the local governments in the 2020 survey had not experienced breaches in the past year. However, the remainder had experienced between one and more than three breaches. Once again there is confirmation that the bad guys are really good at what they do and that local governments need to improve their ability to protect their information assets. The number of governments (21.4%) that experienced multiple breaches is troubling, especially among a set of governments with mostly large populations and more resources opportunities to protect their information assets.

Local governments are not only under constant or nearly constant attack, but the frequency of attacks is increasing. The 2016 survey found that about one third of local governments (32.5%) experienced the same number of attacks in the past year, compared to slightly over one-third (34.4%) that experienced about the same number. Nearly all governments responding to this survey (92.9%) said attacks had become more frequent over the past year, and only 7.1% said that they had remained about the same. This suggests, at least for this subset of local governments, a significant increase in the number of attacks, which is consistent with reporting across all or nearly all sectors of the economy. Cyberattacks are steadily increasing.


A question in the 2020 survey asked whether local governments could determine the types of attackers they were facing. The 2016 survey asked a similar question and found that 41.6% of governments could determine their attackers and 58.4% could not. Information from the 2020 survey shows a substantial increase in those that can determine their attackers’ identities. Two-thirds could determine their attackers’ identities, while 28.6% could not and one was unsure. Separately, one responding CISO said: “Attribution is not a critical factor to us. In most cases, we can take educated guesses, but we do not dedicate cycles to attribution.” The increase in the fraction of governments that are able to identify attackers noted in this survey could be the result of this particular sample of local governments, and therefore, may not be representative of the broader population of local governments, especially smaller ones.

The local governments in the 2020 survey said that they were most often attacked by external actors-organizations (35.7%), followed by hacktivists/spammers (21.4%), nation states (14.3%), 7.1% external actors-individuals, and 14.3% did not provide answers. This is somewhat similar to findings from the 2016 survey in which 71.0% said external actors/organizations, 60.7% external actors/individuals, and 29.0% nation states. It also tracks well with other sources regarding types of attackers over time.

The survey next asked if the pattern of attacks had changed over the past year. A total of 71.4% respondents said it had remained the same, while 28.6% said it had changed. The changes observed by the latter were increased sophistication of spear and whale phishing, increased phishing, a focus on ransomware and breach of vendors, and use of commodity malware and attacks tied to the social justice movement (see Table 4). That so many local governments in the 2020 survey responded “remained the same” is somewhat surprising given the dramatic increase in ransomware attacks recently, as well as an increasing emphasis that attackers have placed on breaching third parties in order to get to their ultimate attack destinations.    

Table 4. Responses to the Question, “If the pattern has changed, please describe the changes.”

  • Phishing emails are the biggest threat, and the biggest change is more targeted and sophisticated spear phishing and whale phishing.
  • Focus on ransomware and breach of vendors.
  • More sophisticated use of commodity malware. Increase in attacks tied to social justice movement.
  • Broader attempt at phishing has occurred.

The local governments in the 2020 survey experienced phishing and spear phishing the most among all attack vectors in the past year. This was followed by zero-day brute force and other (35.7% each), Distributed Denial of Service or DDoS (21.4%), and Denial of Service or DOS (7.1%).

The most frequent cyberattack purposes that these governments identified were: (1) ransom, (2) theft of money, (3) theft of PII; (4) theft of confidential records, and (5) hacktivism. A total of 21.4% of governments did not know (which is somewhat surprising and not fully consistent with what one might expect from a sample of mainly large governments). The increase in ransomware attacks is consistent with national data as noted earlier. Four of the top five attack purposes identified by the 2016 survey were somewhat similar to the information gained from the 2020 survey, although not in the same order: (1) ransom—59.4%, (2) mischief—37.6% (in last place in 2020), (3) PII—27.7%, (4) hacktivism—27.7%, and (5) theft of money—20.8% (much more prominent in 2020). When asked if the attack purposes had changed during the previous year, 78.6% of respondents said no, 7.1% said yes, and 14.3% did not know. One respondent who said yes added that the change was a “rise in attacks recently tied to the social justice movement.”

Case Studies

Now we examine two examples of cities that experienced breaches to their IT systems and faced ransomware demands: Atlanta, Georgia; and Baltimore, Maryland. Their experiences are typical of what can happen to local governments of every type and size that do not place a high priority on cybersecurity and follow through with adequate funding and staffing.

Atlanta, Georgia

Population: 506, 811
Area: 133 sq. miles
Median Family Income: $59,948
Poverty Rate: 20.8%
City Budget: $661.4 million

Atlanta saw its computer system taken over by a ransomware attack that was discovered on March 22, 2018, but potentially had been going on longer. Atlanta’s attackers, whom the U.S. Justice Department said were two Iranians, used ransomware known as SamSam in a “brute force” attack against the city’s IT system.23 In such an attack, the hacker repeatedly runs passwords against elements of an IT system until it finds a match and, finding one, inserts the malware into the system. Such attacks can occur over weeks or even months. Whatever method is employed, hackers often succeed, get into a target’s system, remain there until caught, and do their damage.

The city initially reported that the attack had taken down the municipal court system, the city’s email, water and traffic ticket payment systems, and wi-fi at Hartsfield-Jackson International Airport.24 Dashboard camera videos from police cars were destroyed.25 Later, officials discovered that financial, customer relationship management, and service desk systems had been affected along with the data associated with them, and several years’ worth of officials’ and employees’ correspondence had been lost.26 The hackers demanded a ransom in Bitcoin equal to about $51,000, but the city chose not to pay and instead began to remove the virus and get the system back up and running. No small task, it turned out.

In April, the city shelled out $2.7 million for contracts with cybersecurity and communications firms to assist in the recovery effort.27 Later, the city estimated recovery costs at $9.5 million, and later still, the full cost of the recovery, not including lost city productivity, was estimated to be $17 million.28,29 By June 2018, about one-third of software programs the city relied on were partly or completely unusable. And, as much as a year later, work was still ongoing to fully restore the city’s systems and data and also to establish a solid cybersecurity program.30

What went so wrong in Atlanta? The answer appears to be at once simple and complex. The simple answer is found in three reports on the city IT system from the city auditor. These reports—dated 2010, 2014, and January 2018—found numerous weaknesses and vulnerabilities in the system, including up to 2,000 “severe vulnerabilities” found by monthly vulnerability scans. Many of the vulnerabilities were over a year old and the report found “no evidence of mitigation of the underlying issues.”31 The January report also found evidence of “ad hoc and undocumented [security] processes,” and almost 100 servers using a version of Windows that Microsoft no longer supported.32 These findings strongly suggest that Atlanta’s IT department was guilty of cybersecurity malpractice. Indeed, one cybersecurity expert suggested as much by saying that negligence was likely involved.33

The complex part, which partially excuses the IT department, is found in the then-new mayor’s acknowledgement that cybersecurity had not been a city priority. The auditor’s reports had not gained traction with city elected officials or top management or their findings would have resulted in efforts to fix the broken system. Doing this, however, is not simple, especially in local governments. Cybersecurity is expensive and competes with many other needs, both real and perceived. To complicate matters, local governments never have enough money to meet all needs and must prioritize, especially in times of severe recession (such as the Great Recession that began in December 2007). This is where politics (or making choices in order to govern) gets into the game. And politicians almost always favor funding of “visible” programs like education and public safety over “invisible” things like cybersecurity—until there is a breach with its corresponding cost and chaos.

Lessons Learned

The city of Atlanta had done a respectable job analyzing their IT systems for vulnerabilities through periodic audits that generated reports detailing how and where to strengthen their systems. However, these reports were left largely on the shelf, without enough action taken to close identified gaps in their cybersecurity. Without taking advantage of this knowledge and taking steps to address their IT cybersecurity issues, they left themselves and their community at risk and ultimately paid the price. Some steps a local government can take to elevate the cybersecurity issues in their community may include:

  • After conducting an audit, create an action plan in response to an audit’s findings, including prioritized short- and long-term goals on how to address known vulnerabilities.
  • Assign staff time to each goal and create progress reports to distribute to top staff and elected officials.
  • Update and appeal to top management and elected officials through presentations detailing priority goals, resources needed, and examples of the consequences of inaction from comparable organizations that had been subject to cyberattacks.

Baltimore, Maryland

Population: 593,490
Area: 80.94 sq. miles
Median Family Income: $50,379
Poverty Rate: 21.2%
City Budget: $3.5 billion

Baltimore has the distinctly undesirable reputation of having been successfully hacked twice in as many years—2018 and 2019. The first hack occurred on March 25, 2018, and involved a ransomware attack on and takedown of the city’s computer assisted dispatch (CAD) system that supports Baltimore’s 911 emergency dispatch and 311 non-emergency phone systems. Fortunately for Baltimore, city IT and cybersecurity staff were able to identify the problem quickly, and according to the city’s CIO, Frank Johnson, “isolate and take offline the affected server, thus mitigating the threat.”34 The system was restored in less than 24 hours. The city later revealed that the hack occurred because staff were working on part of the IT system and had disabled a firewall accidentally and exposed a port (opening to the internet) for 24 hours. The hackers found the opening they needed quickly.35 

Baltimore struggled to learn from this experience. On May 7, 2019, the city discovered that it had been hacked again, and this attack was of far greater consequence and cost. Baltimore’s IT system was infected through a phishing attack by yet-unknown cybercriminals using the Robbinhood ransomware, which had successfully penetrated the city of Greenville, North Carolina, a month earlier.36

The hacker(s) took over nearly all of Baltimore’s IT infrastructure and demanded a ransom of 13 bitcoin (around $76,000) to release the city’s systems and data. The city refused to negotiate, and it took months before the system was fully up and running. During that period, several services were either fully or partially disabled, including water billing (which was not fully functional for several months), property taxes, parking tickets, email, and voicemail. Real property sales were interrupted for several weeks because the city’s system that handles property transfers was offline.37,38 Then, of course, there is the embarrassment factor. In retrospect, few if any lessons had been learned from the 2018 attack. What is worse is that the immediate cause of the 2019 breach could have been easily fixed. According to cybersecurity expert Herb Lin of Stanford University, if Baltimore had installed a patch that Microsoft made available in 2017, the entire episode could have prevented.39 

Additionally, after the 2018 breach, Baltimore had an opportunity to buy cybersecurity insurance in the aftermath of the 911 hack, which it decided against. This is unfortunate for at least two reasons. First, in the process of purchasing the insurance, the city almost certainly would have had to conduct a vulnerability analysis to qualify for the insurance. Such an analysis might have found the weakness that permitted the attack to succeed. Second, the cybersecurity insurance would likely have covered at least some of the estimated $18 million that the attack has cost the city.

What allowed this hack to occur? First, for years the city had underinvested in cybersecurity. The CIO had warned city officials months earlier to purchase cybersecurity insurance and that their IT system was essentially a disaster waiting to happen, as it was underfunded and employees lacked adequate cybersecurity training.40,41 The CIO was fired, some think as a scapegoat, over this incident.

Next, Baltimore’s IT system consisted largely of old technology, improperly managed and underfunded. According to local technology writer Sean Gallagher, Baltimore’s IT system consisted of “a dangerously ill-prepared, kludged together municipal IT system” with a “chaotic jumble of operating systems,” whose IT staff were “overworked, underpaid, and dramatically underfunded.” Gallagher also noted that the “city does not have a full handle on its vulnerability management or patch management or keeping up to date with things.”42 If these observations are true, then it was only a matter of time before a serious breach occurred.

Lessons Learned

Baltimore, among many local governments, let their cybersecurity practices lag behind as their IT systems grew. Failing to learn from their mistakes, they had to bolster their cybersecurity practices after it was too late—and much more expensive. To avoid the pitfall Baltimore found itself in, local governments can consider:

  • Reaching out to local governments in their state that have suffered from a cybersecurity attack and discuss what steps they have taken to learn from and better prepare themselves in the future.
  • Investigating cybersecurity insurance that fits organizational needs before a breach occurs, coupled with an analysis of IT systems and their current vulnerabilities. Organizations such as the Cybersecurity and Infrastructure Security Agency and the Center for Internet Security are good places to start to learn more about insurance options for local governments.
  • Creating a schedule for updating IT systems, with reminders for staff and individual users responsible for installation.
  • Staying aware of the cyberthreats impacting other organizations and looking for ways to actively protect your organization from similar threats.

Case Study Conclusion

What conclusions can be drawn from the from Atlanta and Baltimore experiences? In retrospect, these successful cyberattacks are not terribly surprising. This is, in part, because many local government officials, if not most, do not fully understand the need for cybersecurity, and therefore do not provide adequate funding for cybersecurity.43  This seems to have been abundantly true in Atlanta and Baltimore.

Both cities experienced ransomware attacks, both attacks took down important city services, both were costly in terms of recovery, both cities had a history of under-investing in already vulnerable IT systems, and both attacks brought considerable municipal embarrassment. The primary lessons that should be drawn here are that local government officials must fully understand the need for and provide adequate direction and funding for high levels of cybersecurity. Failure to do so will result in predictably similar and detrimental outcomes.

Along with the reasons discussed earlier, the Atlanta and Baltimore examples should demonstrate clearly why it is crucial that local governments and the officials leading them understand the many cybersecurity threats they face. Failure to do so places their communities at increased risk of experiencing otherwise preventable cybersecurity problems. This understanding should, at a minimum, encompass the following:

  • The cyberthreats that these governments face.
  • The actions they should take to protect their information assets from attack and to mitigate the damage after successful attacks.
  • The gap between those actions and the need for high levels of cybersecurity at the grassroots.
  • The barriers that these governments encounter when deploying cybersecurity.

Understanding these issues will enable local officials not only to see why cybersecurity is crucial to their government’s digital well-being, but will help ensure that cybersecurity has their full support and is adequately funded and properly managed.

Cybersecurity Policies, Barriers to Cyber Training, Awareness, and Support

This section addresses a variety of topics including cybersecurity policies, barriers to cybersecurity, training, and awareness and support, all of which are important to local
governments being able to maintain high levels of cybersecurity.

Cybersecurity Policies

Cybersecurity consultants and the professional literature strongly recommend that organizations equip themselves with and carefully implement a number of cybersecurity policies in order to provide high levels of cybersecurity. Perhaps the best guide to what a good cybersecurity policy should look like is the 2018 National Institute of Standards and Technology (NIST) Cybersecurity Framework. This document describes the principal elements of a cybersecurity policy that, if adopted, will enable organizations, including local governments, to develop and implement cybersecurity policies that work for them and meet their specific needs. It is built around five core functions: identify, protect, detect, respond, and recover, as briefly described by NIST below.

NIST Cybersecurity Framework Core Functions

Identify: Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. The activities in the Identify function are foundational for effective use of the framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome categories within this function include asset management, business environment, governance, risk assessment, and risk management strategy.

Protect: Develop and implement appropriate safeguards to ensure delivery of critical services. The Protect function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome categories within this function include identity management and access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology.

Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. The Detect function enables timely discovery of cybersecurity events. Examples of outcome categories within this function include anomalies and events, security continuous monitoring, and detection processes.44 

Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. The Respond function supports the ability to contain the impact of a potential cybersecurity incident. Examples of outcome categories within this function include response planning, communications, analysis, mitigation, and improvements.

Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident. Examples of outcome categories within this function include recovery planning, improvements, and communications.

National Institute of Standards and Technology. April 16, 2018. Framework for Improving Critical Infrastructure Cybersecurity. Version 1.1. Pages 14–15. Verbatim.

The document is a rather brief, non-technical starting point to begin building your local government’s cybersecurity practices. It should be read by all top officials in local governments and followed by their technology staff in developing the local government’s cybersecurity policies. After each policy is developed, it should be carefully reviewed by top elected and appointed officials and then formally adopted. Policies should be reviewed and updated periodically to adapt to the ever-changing cybersecurity environment. And they should be scrupulously implemented, and all parties in the local government should be held accountable for their cyber behavior accordingly.

Local governments may wonder where to find example cybersecurity policies that they can use to craft their own. Perhaps the best starting point would be other local governments, especially larger governments that are more likely to have adopted policies. This is perhaps the easiest way to begin, and resources like ICMA Connect ( provide a platform to ask for and share examples from other local government organizations. Second, there are consulting and security firms that may share templates and can be hired to help local governments develop such policies. Third, there are online templates that may be of use. Last, some membership organizations may have guidance on how to create cybersecurity policies and cyber staff who might be able to provide advice like state municipal leagues, county
associations, and township organizations.

According to a report from the security firm McAfee, Grand Theft Data, “…people inside organizations caused 43% of data loss, one-half of which was accidental. Improved
cybersecurity policies can help employees…better understand how to maintain the security of data and applications.”45 Cybersecurity policies are important, among other things, because they:

  • Establish cyber roles and responsibilities for all parties in an organization.
  • Describe proper and responsible cybersecurity practice and list actions that are neither proper nor responsible.
  • Set the rules of behavior around several consequential cybersecurity matters, including but not limited to password management, software patching, cyber risk management, incident response planning, use of external (including personal) devices on an organization’s IT system, and policies for vendor and contractor use of an organization’s IT system.

The following section examines whether local governments in the 2020 survey had adopted seven important cybersecurity policies (Table 5) and respondents’ perceptions of the effectiveness of those policies. It also compares adoption rates and perceptions of effectiveness with those reported in the 2016 survey.

Table 5. Seven Important Cybersecurity Policies for Local Governments

  • Formal cybersecurity policy.
  • Password management policy.
  • Policy regarding applying software patches.
  • Cyber risk management plan.
  • Incident response/disaster recovery/business continuity plan.
  • Policy on use of external devices (e.g., cell phones/flash drives).
  • Policy for vendors, contractors, cloud services.

Policy Adoption

Of the local governments surveyed, 78.6% had fully adopted formal cybersecurity policies, which is considerably higher than the 2016 survey, and 21.4% had partially adopted. Similarly, 78.6% of governments had also fully adopted password management policies, slightly higher than those recorded in 2016; 21.4% had partially adopted, and 21.4% had not adopted. A total of 71.4% had fully adopted policies regarding software patches, while 21.4% had partially adopted and 7.1% had not adopted this policy.

Overall, 57.1% of governments had fully adopted cyber risk management plans, while 21.4% had partially adopted them, and 21.4% had not adopted them. Similarly, 57.1% of governments fully adopted incident response plans/disaster recovery/business continuity plans, while 35.7% had partially adopted them, and 7.1% had not adopted. Almost half (42.9%) had adopted policies on the use of external devices (54.2% in the 2016 survey), while 28.6% had partially adopted them, and 28.6% had not adopted them. Last, 42.9% of governments had adopted policies for vendors and cloud contractors (this figure was 27.6% in 2016), 42.9% had partially adopted, 7.1% had not adopted, and 7.1% did not know.

Overall, these data show that larger percentages of the governments in the 2020 survey had adopted cybersecurity policies than in the 2016 survey, although this is likely attributed to the small number and relatively large population of the sample size in the 2020 survey. This said, too many had adopted too few policies or had adopted them only partially. The latter is not terribly surprising since only 44% of firms worldwide had adopted cybersecurity policies.46

Aside from the full adoption of two important policies, these responses reveal a surprising lack of full policy adoption among the responding governments, especially since these governments are, for the most part, large in size with potentially adequate budgetary resources that follow population size, and trained professionals managing their cybersecurity.

The lack of full adoption, in turn, likely means that these governments are not able to derive the full benefits of these policies, their implementation, ot enforcement. These responses do not enable us to know how much “partial” adoption meant to the respondents, and this could be important in understanding the policies perceived effectiveness.

Policy Effectiveness

Next, the survey asked about the perceived effectiveness of the policies. Almost half (42.9% of respondents said that their password management policies were highly effective (compared to 56.3% in 2016), 21.4% said somewhat, and 7.1% said not very. Overall, 28.6% said their formal cybersecurity policies were highly effective (versus 19.2% in 2016), and 7.1% said not very. Another 28.6% said that their software patching policies were highly effective, 57.1% said somewhat, and 7.1% each said not very and not at all.

A total of 21.4% respondents said that their incident response plans were highly effective (compared to 21.1% in 2016), 64.3% said somewhat, and 7.1% each said not very and not at all. When asked about the effectiveness of their cyber risk management plans, 14.3% said highly effective (versus 19.2% in 2016), 42.9% said somewhat, 28.6% said somewhat, and 14.2% said not at all. A total of 14.3% said their policies on the use of external devices was highly effective (compared to 42.1% in 2016), 57.1% said somewhat, 7.1% said not very, 14.3% said not at all, and 7.1% did not know. Finally, 14.3% said their policies for vendors, etc., were highly effective (versus 36.5% in 2016), half said somewhat, 14.3% said not very, 7.1% said not at all, and 14.3% did not know.

For the most part, responses to the questions of policy effectiveness in both the 2016 survey and 2020 survey do not inspire confidence that the policies are working as needed to achieve their objectives. “Somewhat effective” and “not very effective” responses suggest that the policies (and/or their enforcement) contain gaps that are likely to allow problems of cybersecurity practice and management to occur, potentially serious problems. Consider, for example, the policy on applying software patches where only 28% of respondents said that this policy was highly effective. That suggests that too often software patches are not applied in a timely manner, if at all. The literature tells us that failure to apply software patches as soon as possible after they are released by vendors is a major reason that cybercriminals are able to breach local government IT systems, as illustrated in the Baltimore case study. What these data cannot reveal, however, is why the respondents rated the effectiveness of these policies so low, and further research will be needed to find answers to these questions.

Barriers to Cybersecurity

Previous research has uncovered a number of barriers to local government achievement of high levels of cybersecurity. For example, the 2016 survey found that the top four barriers were inability to pay competitive salaries (58.6%), insufficient number of staff (53.1%), lack of funds (52.8%), and lack of adequately trained staff (46.0%). Notably, all of these barriers are somewhat or totally related to funding. The results of the current survey are reasonably consistent with those of the 2016 survey in that the two top barriers were lack of funds (78.6%) and lack of adequate/adequately trained staff (71.4%). All other listed barriers received 21.4% or fewer responses.

The 2020 survey also asked what three things local governments needed to do or possess to be able to achieve the highest levels of cybersecurity. The top three from the 2016 survey were greater funding (54.7%), better cybersecurity policies (38.3%), and greater cybersecurity awareness among local government employees (35.3%). From the current survey, 57.1% of respondents identified funding and half identified staffing as the top two needs, which are consistent with the top two barriers previously identified. The third need was leadership buy-in, the lack of which is a common complaint among cybersecurity officials. Until local governments affirmatively address these and perhaps other barriers—especially funding, staffing, awareness, and support—they cannot expect to improve their cybersecurity outcomes or more effectively protect their information assets.

Cybersecurity Training

The survey also inquired about what types and frequency of training the governments provided to various officials and staff. The literature tells us that training is essential to achieve an understanding of and support for the need for cybersecurity and also to ensure effective end user cyber hygiene within organizations. Therefore, the survey asked if the governments provided mandatory cybersecurity training (and how frequently) to the mayor/elected county executive, city/county councilmembers, city/county manager/administrators, department heads, and average end users.

A little over three-fourths (78.6%) responded that their governments provided mandatory cybersecurity training annually to the mayor/elected county executive, city/county
councilmembers, department heads, and average end users. Fewer (71.4%) said that they provided annual cybersecurity training to the city/county manager/administrator. Additionally, 7.1% said training is conducted at some other period of time for all of those parties, and 7.1% did not know. Finally, 14.3% of these governments did not provide training to any of these end users.

These findings may indicate a substantial improvement over the 2016 survey where 20–50% did not provide training at all and another 8–14% did not know if training was provided. They are heartening because other research shows that a considerably lower proportion of organizations provide any training at all. For example, in its 2018 survey, PWC found that 48% of corporations worldwide provided cybersecurity training to its employees.47

Kudos to the local governments that provided annual mandatory training, as they are more likely to see improved cyber outcomes. Those that did not provide such training at all or provided it in a time frame greater than at least every three years, are almost guaranteeing that their cyber outcomes will be more difficult and should consider instituting mandatory cybersecurity training or increasing its frequency.

Awareness of and Support for Cybersecurity

The literature also tells us that in order to maintain high levels of cybersecurity, organizations need to ensure that all parties within them are aware of the need for cybersecurity and support it. The 2016 survey found that 61.7% of top managers were moderately/exceptionally aware of the need for cybersecurity; among department managers, 42.3% were moderately/exceptionally aware; and 32.0% of elected executives were moderately/exceptionally aware.

The 2020 survey also asked about the awareness of and support for cybersecurity among these local governments’ mayor/elected county executive, city/county councilmembers, city/county manager/administrator, department heads, and average end users. Respondents did not believe that the officials and staff in their governments were highly aware of the need for cybersecurity. In only one case (mayor/elected county executive) did a majority of respondents (57.1%) believe that incumbents in this office were highly or mostly aware of the need for cybersecurity. And 35.7% of respondents said these office holders were only somewhat/a little aware, and 7.1% said not at all aware.

Perceptions of cybersecurity awareness of the remaining officials and staff were bleak. Half of respondents each said that their city/county manager/administrator was highly/mostly aware, 28.6% said somewhat/a little, 7.1% said not at all, and 14.3% didn’t know. Half responded that department heads were highly/mostly aware, while 42.9% said somewhat/a little and one said not at all. Additionally, 42.9% said that city/county councilmembers were highly/mostly aware; 50% said somewhat/a little and one said not at all. Finally, 42.9% responded that end users were highly/mostly aware, half said somewhat/a little, and 7.1% said not at all.

In theory, awareness of the need for cybersecurity among local government officials and staff should lead them to provide support for it. In the 2016 survey, respondents said that 54.0% of top managers provided strong/full support for cybersecurity. This was followed by 35.0% of elected executives and 33.0% of department managers. The results from 2016 suggest otherwise—that awareness does not necessarily lead to support because in each case respondents said that the amount of support provided by various officials and staff was lower than their degree of awareness.

The 2020 survey paints a different picture than the 2016 findings. Perhaps due to increasing cyberattacks on local governments and heightened awareness due to high profile attacks, such as those seen in Atlanta and Baltimore, its results are more positive, showing that the respondents on the whole felt that most of the parties in their governments provided a good deal of support for cybersecurity. Over three-fourths (78.6%) of respondents said that the mayor/elected county executive was highly/mostly supportive of cybersecurity, 14.3% said somewhat/a little, and 7.1% said not at all. Next, 71.4% respondents said that department heads were highly/mostly supportive, 21.4% said somewhat/a little, and 7.1% said not at all. This was followed by city/county managers/administrators with 57.1% reporting highly/mostly, 21.4% somewhat/a little, one not at all, and 14.3% didn’t know. Average end users came next with 57.1% of respondents saying highly/mostly, 35.7% somewhat/a little, and 7.1% not at all. City/county councilmembers fared the worst when half of respondents said highly/mostly, 42.9% said somewhat/a little, and 7.1% said not at all. In the 2016 survey, one respondent of a small jurisdiction noted “cybersecurity is a moving target and infrastructure can become outdated quickly, so that understanding and support from top-level officials needs to improve.”    

Other research confirms, however, that top officials in organizations are often not engaged in cybersecurity at high levels. For example, the 2018 PWC survey found that only 44% of corporate boards “... actively participate in their company’s overall cybersecurity strategy.”48 Likewise, cybersecurity expert Charles Cresson Wood has concluded, based on his extensive cybersecurity consulting experience, that regardless of type, size, sector, or other characteristics of organizations, top management is not sufficiently well informed about or committed to cybersecurity. This is partly because cybersecurity competes with (and often loses to) other organizational needs. Nevertheless, Wood argued that top executives and managers should understand and fully support cybersecurity and should not allow information security to be the domain of technologists alone.49 Local government officials should take heed of these findings and endeavor to ensure higher levels of awareness of and support for cybersecurity from all parties in their organizations, especially from top elected and appointed officials.


Local governments that do not provide high levels of cybersecurity place their IT systems, the data stored in those systems, and their very ability to provide critical public services at unnecessary risk. Lack of adequate cybersecurity and/or poor cybersecurity hygiene in organizations often allows cybercriminals to breach their IT systems and cause great harm and cost. Successful cyberattacks can and do result in the loss of or the inability to access (in the case of ransomware attacks) critical data and files, loss of sensitive information (such as PII), loss of money, disruption of public service delivery, high costs to recover and, of course, the embarrassment factor. The examples of Atlanta and Baltimore make this perfectly clear.

Therefore, all local governments, regardless of size, must take whatever actions needed to ensure the highest levels of cybersecurity. But even if they do, the cybercriminals are relentless and very good at what they do, and the risk of being compromised is never gone. Similar to the adages often used in emergency management, there is a common saying in the field that it isn’t whether you will be breached, but only a question of when. Local governments must understand their cyber vulnerabilities, be mindful of the fact that they can easily suffer breaches, be fully prepared to continue operations during a successful cyberattack and have concrete plans for recovery. These practices are commonly known as cyber resilience.

According to MITRE, “Cyber resiliency (also referred to as cyber resilience) is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on cyber resources.” Local governments considering ways to achieve cyber resiliency might think of doing so in the ways analogous to how they prepare for and recover from natural disasters. Know the types of potential adverse events; know how to deal with them when (not if) they occur; have concrete plans for continuing critical operations; have concrete plans for recovery in place; and practice, practice, practice.

To summarize the key findings of the 2016 survey and 2020 survey, as well as the literature and the practice, the structure of cybersecurity operations among responding local governments was largely unremarkable and generally followed established patterns among organizations. The numbers of cybersecurity staff reporting to these officials varied considerably. While larger governments, on average, had more cybersecurity staff, the relationship was not precise to population and the same can be said for cyber contractors.

The numbers of end users in these governments also varied a great deal, but the numbers were more closely aligned with the governments’ populations. In most jurisdictions, all end users fell under the CIO’s responsibility, but in 21.4%, they did not. Local government budget allocations for cybersecurity varied considerably, between less than 1% to 10%, as a fraction of the IT budget. They averaged 4.09%, which is slightly higher than the average for state governments, but below the private sector. Last, half of these governments outsourced some cybersecurity functions and half did not outsource cybersecurity at all.

Responses to the 2020 survey and others confirm that local governments are under constant or nearly constant cyberattack. Moreover, the frequency of attacks had increased in the past year. Most respondents said that the attackers had not changed over the past year. External actor-organizations were the leading type of attacker and phishing/spear phishing were the leading attack vector. Ransom, theft of money, and theft of PII were the principal attack purposes, which had not changed over the past year. All but one responding government had experienced an “incident” over the past year and half had been breached, including 28.6% that had been breached once and 7.1% each that had been breached twice, three times, and more than three times. This information suggests at least two things. First, the bad guys are good at what they
do, and they do it more frequently every year. Second, even large (presumably with more budgetary resources) local governments are evidently not doing enough to protect their information assets, as can be seen by the number of breaches experienced in the past year by the responding local governments.

Overall, the local governments in the 2020 survey had not done as good a job as needed in the adoption of cybersecurity policies. Only three of the subject policies had been adopted by substantial majorities of these local governments, and the respondents’ perceptions of the effectiveness of the policies bears this out. Fewer than half of respondents said that any policy was highly effective. Anything less than highly effective suggests varying degrees of ineffectiveness—an undesirable cybersecurity outcome.

Consistent with the literatures on IT and local government, local e-government, and local government cybersecurity, respondents to this survey named lack of funding and lack of staff as their top two barriers to effective cybersecurity. Responses from the 2020 survey on local government cybersecurity budgets demonstrate that cybersecurity is substantially under-funded in several of them.

The top needs for achieving cybersecurity were similar to the barriers identified—funding and staffing—but at least some of the respondents added one of considerable interest: leadership buy-in. Solid majorities of these governments required annual cybersecurity training for listed parties. Only 14.3% did not and 7.1% provided training in a different time period. This finding is of great importance because training of local officials and staff is highly recommended as a way to improve cyber hygiene and outcomes in organizations.

Respondents were not sanguine about the level of cybersecurity awareness among most parties in their local governments. Surprisingly, however, majorities of respondents (including large majorities in the cases of the mayor/elected executive and department heads) felt that most parties provided good support for cybersecurity.


Based on the evidence accumulated in this study, the first recommendation is that elected officials and top management of local governments must, within budgetary limitations, provide adequate funding for cybersecurity, including funding for adequate staffing for this important function. Staffing should be a combination of both internal staff and contracting services to best fit local governments specific needs. Failure to adequately fund and staff cybersecurity will almost certainly lead to adverse cyber outcomes (again, think Baltimore and Atlanta), which in turn will lead to unnecessary and significant costs to local governments.

Second, in order to improve cybersecurity outcomes, local governments should fully adopt and implement the policies discussed earlier. In the absence of fully adopted and implemented policies, local governments cannot achieve high levels of cybersecurity and will almost certainly pay the price for failing to do so. These policies should also align with the recommendations of the NIST Framework introduced earlier.

Third, local governments must ensure that their cybersecurity policies are implemented properly and that they are effective. Periodically, they should be revisited, revised, and re-implemented appropriately. They should also be continuously monitored for effectiveness using appropriate methods or metrics.

Most of the local governments in the 2020 survey mandate that top elected officials, councilmembers, top administrators, department heads, and end users take cybersecurity training. However, respondents generally did not rate the results of the training highly. Thus, a fourth recommendation is for these governments to revise their cybersecurity awareness training, especially focusing on cybersecurity awareness and support, as well as appropriate cyber hygiene or behavior. This revision should include updated training on proper work from home conduct.

Fifth, all parties within local governments, including elected officials, top managers, and all employees and contractors, must be held accountable for their cyber actions and behavior. This means, at a minimum, when someone violates policy regarding the use of the local government’s IT system, that individual will lose certain system privileges and receive appropriate “counseling” and further training. In the event of further violations, the individual could lose all privileges and potentially be terminated. (Of course, termination of employment would not apply to elected officials.)

A final recommendation draws on academic and professional literature and is commonly found within the cybersecurity field itself. All local governments should establish and maintain a culture of cybersecurity within their organizations. A culture of cybersecurity means the following, at the minimum: top leadership, including both elected and appointed officials, must fully understand and support cybersecurity and not just at a rhetorical level. They must:

  1. Understand that cybersecurity is not solely the responsibility of the technologists, they have an active role to play in it, and they must embrace that role.
  2. Provide the funding needed for effective cybersecurity.
  3. Practice proper cyber hygiene themselves.
  4. Promote cybersecurity throughout the organization as “job one” for everyone.
  5. Insist that all parties are held appropriately accountable for their cyber actions.

If top officials fail to insist on such a culture and fail to act appropriately in their own cyber responsibilities, those under them will almost certainly think, “If they don’t care about cybersecurity, why should I?” Top leadership buy-in will make all parties in an organization respect the importance of cybersecurity and their own cyber responsibilities and will make it more likely that they will practice proper cyber hygiene, thus improving cyber outcomes throughout the organization.

Recommendations for Small Local Governments

Small local governments often lack the budgetary resources to provide the hardware, software, and personnel needed to establish and maintain high levels of cybersecurity.
Here are a few hints regarding how they can overcome these limitations.

  1. To the extent budgetarily feasible, hire a qualified cybersecurity professional as chief of cybersecurity. If you are unable to hire additional staff, designate an existing role as the CISO.
  2. Partner with other local governments, neighboring jurisdictions, or school districts to share cybersecurity costs.
  3. Consider outsourcing some or all cybersecurity.
  4. Seek help from area colleges and universities.
  5. Contact the state or local National Guard to learn what support the latter may be able to provide. There are 59 National Guard cyber units across the nation and its territories with approximately 4,000 cyber operational personnel that may be available as a resource when planning for and responding to cybersecurity events.50  
  6. Contact national organizations that serve local governments that often have useful resources. For example, ICMA publishes works on cybersecurity for local governments and also provides training through its Cybersecurity Leadership Academy. The National League of Cities publishes a variety of papers on cybersecurity (e.g., “Protecting Our Data: What Cities Should know about Cybersecurity”). The National Association of Counties (NACo) offers webinars on cyber (e.g., “NACo Cyberattack Simulation”). The National Association of State Chief Information Officers (NASCIO) provides useful publications for both state and local government (e.g., “Stronger Together: State and Local Cybersecurity Collaboration”).
  7. Consider participating in the Multi-State Information Sharing and Analysis Center (MS-ISAC), whose mission is “to improve the overall cybersecurity posture of the nation’s state, local, tribal and territorial governments through focused cyber threat prevention, protection, response, and recovery.”51 Access its list of local government partners here.
  8. Consider participating in state and regional organizations that provide cybersecurity support, such as the Michigan Cyber Civilian Corps, the Massachusetts Mass Cyber Center, or the Los Angeles Cyber Lab.

Tips on How to Manage Challenges of the Increasing Number of Employees Working from Home

  1. If possible, the local government should have a telework policy requiring employees to work from home using only laptops (and other devices) issued and cleared by the local government. In this case, employees must not use the work-issued laptops for personal purposes.
  2. If this is not possible, the local government should assist employees in making sure that their home computers/networks (and other devices as applicable) are secure.
  3. Local governments must ensure that their IT systems and networks have sufficient bandwidth to accommodate these employees who are working from home for necessary frequent updates, such as those needed for antivirus and system patches. Consider if there are limitations in the network to plan around.
  4. Local governments must ensure that their IT system and networks are secure and are being constantly monitored through detection systems, such as ransomware protection software.
  5. Every party must understand that the cybersecurity rules at work apply when working from home.
  6. Employees need to make sure that whatever devices are being used to work remotely (laptop, desktop, etc.,) are physically secure and cannot be used by others (friends, family, etc.) Employees must keep their laptop physically secure at all times when traveling.
  7. As always, employees should utilize cybersecurity best practices and practice proper cyber hygiene. IT staff should send period reminders and conduct remote spot-checks on random employees to see if they are following instructions when possible.
  8. Employees working from home should understand that they could be targeted by cybercriminals at any time and be especially mindful of phishing and spear phishing attacks and any anomalies that may occur with their home or work-issued computers.

This report appeared in Volume 7.0 of Local Government Review: LGR, published in Public Management magazine.

This report was completed as part of ICMA’s Local Government Research Fellowship program. ICMA Research Fellows are practitioners and academics that conduct action-oriented research addressing important trends, drivers, and issues facing local governments. Their work advances ICMA’s strategic priority to provide thought leadership and resources that support members and other local government stakeholders in creating and sustaining thriving communities throughout the world.

Headshot of author Donald Norris

DONALD F. NORRIS is professor emeritus of public policy at the University of Maryland, Baltimore County (UMBC). He retired from UMBC in 2017 after serving 27 years as director of the Maryland Institute for Policy Analysis and Research and 10 years as director of the UMBC School of Public Policy. Norris was the founding editor-in-chief of the International Journal of Electronic Government Research and he specializes in information technology in government organizations, including e-government and cybersecurity.



Appendix 1: 2020 Survey Questions for CISO Interviews

1. As the official in charge of your local government’s cybersecurity, whom do you report to:
CIO or equivalent
CTO or equivalent
ITD or equivalent
City/county manager/administrator

2. Is your local government’s cybersecurity totally under you (or your office’s) control or is it divided?
Totally my responsibility

2a. If responsibility is divided, among what offices?

3. How many cybersecurity staff (local government employees) report to you (by population group)?

4. How many cybersecurity contractors report to you?*

5. What percentage of end users fall under your responsibility as head of cybersecurity?

6. What percentage of your IT budget is allocated to cybersecurity?

7. Does your local government outsource cybersecurity?
Yes, outsourced completely
Yes, outsourced partially
No, do not outsource at all

7a. If you outsource cybersecurity, what principal functions are outsourced?

8. How often is your local government subject to cyberattack?
Don’t Know

9. How many times has your information system experienced an “incident” in the past year?
Three times
Four times
Five times
More than five times
Don’t know

10. How many times has your IT system or any element of it been breached in the past year?
Three times
More than three times
Don’t know

11. Have cyberattacks gotten more or less frequent over the past year?
More frequent
About the same
Less frequent
Don’t know

12. Are you able to determine the types of attackers?
Don’t know

12a. If you are able to determine the types of attackers, are they (check all that apply):
External actors – organizations
External actors – individuals
Nation states
No answer

13. Has the pattern of attacks changed or remained the same over the past year?
Remained the same
Don’t know

13a. If the pattern has changed, please describe the changes.

14. What are the principal attack vectors (check all that apply)?
Phishing or spearheading
Man in the middle
Zaro day
Brute force

15. Which is/are the most frequent vector(s) you experienced in the past year? If more than one, list in order of frequency.
Brute force
Vendor breaches
Compromised credentials
Insider threats

16. What are the principal purposes of the attacks you experience in the past year (check all that apply)?
Theft of Money
Confidential records
Don’t know

17. Which is/are the most frequent attack purpose(s) you experienced in the past year? If more than one, list in order of frequency.
Data theft/theft/monetary gain
PII/credential theft
Invoice information
No answer

18. Have the purposes of the attacks changed in the past year?
Don’t know

19. Has your local government adopted any of the cybersecurity policies listed below?
Formal cybersecurity policy
Password management policy
Policy regarding applying software patches
Cyber risk management plan
Incident response/disaster recovery/business continuity plan
Policy on use of external devices (e.g., cell phones/flash drives)
Policy for vendors, contractors, cloud services

20. How effective, if at all, are these policies?

21. What are the three top barriers your local government faces in being able to achieve the highest levels of cybersecurity?
Lack of funds
Lack of adequate staff**
Lack of leadership buy-in/support
Lack of collaboration
Procurement process

22. What are the three things your local government needs to do to possess or be able to achieve the highest levels of cybersecurity?
Leadership buy-in/commitment
Continuity of operations/ disaster recovery/ incident response
MFA (Multifactor authentication)
No answer

23. Does your local government require mandatory cybersecurity training for any of the following (mayor/elected county executive, city/county councilmembers, city/county manager/administrator, department heads, average end user) and if so, how often?

Every 2 years
Every 3 years
Other time period
Don’t know

24. In your opinion, how aware are the following parties (mayor/elected county executive, city/county councilmembers, city/county manager/administrator, department heads, average end user) of the need for high levels of cybersecurity?

Somewhat/A Little
Not at all
Don’t know

25. In your opinion, how supportive of the need to maintain high levels of cybersecurity are the following parties (mayor/elected county executive, city/county councilmembers, city/county manager/administrator, department heads, average end user)?

Somewhat/A little
Not at all
Don’t know

Appendix 2: Key Cyberattack Vocabulary and Brief Descriptions

Local government officials should know the principal types of cyberattacks that their governments are likely to face. There are numerous types of cyberattacks, and this appendix discusses eight key vocabulary associated with the most common types of attacks.

Malware: Malware is malicious software installed after an attacker has penetrated a victim’s IT system that can do one of several damaging things, such as encrypting data and files, blocking user access to systems or components of systems, exfiltrating data and files, and more. Significant examples of malware used against local governments include Atlanta, Georgia (2018); and Baltimore, Maryland (2018 and 2019).

Ransomware: Ransomware is an especially nefarious form of malware that is increasingly used in cyberattacks. It is typically delivered via social engineering, most often in phishing or spear phishing emails. Once the malware has penetrated an organization’s IT system, the objective is to find and encrypt sensitive data and files and possibly lock down or seriously degrade an organization’s entire IT infrastructure, likely paralyzing and preventing it from conducting its regular business. In the case of local governments, ransomware prevents them from providing essential serves to their residents and businesses. The cybercriminal then demands a ransom, usually in the form of Bitcoin or some other cryptocurrency, to release the system and its files and data. The threat is that if the organization does not pay the ransom, the cybercriminal will leave the data and files encrypted or the entire system locked down.

In the early years of ransomware attacks, many organizations paid the ransom to get their systems back because paying ransom is considerably cheaper than paying to restore an IT system. The consensus on whether to pay ransomware has shifted in recent years, although not totally, and organizations increasingly refuse to pay ransom. Today, it is commonly thought that paying ransom is a bad idea because it compensates cybercriminals for their criminality and encourages them to continue ransomware attacks. An article in ProPublica argued that paying ransom “…fuels the rise in ransomware attacks.”52 Also, if these attacks work and profit cybercriminals, as demonstrated by ransom payments, the criminals will be incentivized to continue attacking.

At its annual meeting in 2019, and at the urging of then-mayor Jack Young of Baltimore, the U.S. conference of mayors adopted a resolution urging their members not to pay ransom if their IT systems were victims of a ransomware attack.53 Also, the U.S. Treasury Department now advises that, under some circumstances, organizations that pay ransom could face major legal penalties. Certainly, federal law enforcement advises against and frowns on paying, and this is increasingly true of state and local law enforcement.

It is never clear that paying ransom will actually result in the cybercriminal releasing the system. Nor is it clear that the criminal won’t change their name and/or IP address and re-attack after payment since the criminal already knows the organization’s vulnerability and willingness to pay. Hence, paying ransom entails some risk, not in the least because in some circumstances, paying ransom is illegal.54,55 Today, the best advice to local governments is to not pay ransom and instead use the money you would have paid (and more if needed) to further enhance your cybersecurity to prevent breaches.

To prevent ransomware attacks from crippling their IT systems, local governments should continually scan their systems for malware, train their employees to never open
suspicious emails, and regularly back up their systems.

Phishing: Phishing is a form of social engineering in which cybercriminals “go fishing” for victims by sending emails, seemingly from trusted parties, with promises, opportunities, or threats the attackers hope victims will fall for. Phishing and spear phishing (below) are perhaps the most common types of cyberattacks in today’s cyber environment. According to one source, early in the COVID-19 pandemic phishing attacks increased 667%.56 A report by the Anti-Phishing Working Group (APWG) showed that phishing attacks increased in an almost linear fashion throughout 2020 and totaled more than 200,000 monthly attacks in the fourth quarter.57

A common phishing attack, which many people have received (and which dates back to the late 1990s), is an email from someone in Nigeria promising the targeted party (the potential victim or victim) a large amount of money. The attacker asks the victim for their bank account details so that the attacker can transfer the money. Of course, the transfer never happens, and the scammer later steals funds from the victim’s account. There are variations of this attack, some including URLs or attachments in the email that, if the victim clicks on or opens, will give the attacker access to the victim’s computer and all of the information in it.

Spear phishing: Spear phishing is a more sophisticated form of phishing in which the cybercriminal uses just enough information to make the victim believe the email came from someone known to the victim or another trusted source. For example, the victim might receive an email with an attachment or URL that appears to be from their colleague or a trusted source that reads something like: “Hey [Name of Recipient]]! Have you seen this announcement from the city council? You’ll want to read this.” Given this scenario, many a victim has been tricked into opening the attachment or clicking on the URL. The same result occurs as with phishing—the victim’s computer and all of the information in it are wide open to the attacker. In the 2020 survey, responding CISOs said that phishing and spear phishing were the most common attacks that they experienced.

Brute force: Brute force is a method that cybercriminals use to break into IT systems. The term brute force refers to the way an attacker “bangs away” at a victim’s computer, network, or IT system using, for example, specifically designed software to guess a password that will enable them to penetrate the system. Once penetration has been achieved, the attacker can then install malware. It was a brute force attack that resulted in the 2018 Atlanta breach and the installation of ransomware.
Zero-day: Like brute force, a zero-day exploit is an attacker’s identification of a weakness in a network or IT system, typically a previously unknown defect in software that had not been found and patched. Once the weakness has been identified, the attacker uses it to break into the system and install malware.

Denial of Service (DoS): A DoS attack occurs when an attacker sends massive volumes of traffic to an organization’s website or server, so much so that the website or server cannot handle the traffic, essentially shutting down the server or website so that no one can use it. This can be done for no malicious reason, such as when the University of Maryland Baltimore County (UMBC) website went down because of a traffic overload that occurred when its president was interviewed on the television show 60 Minutes. DoS attacks can also be totally malicious, for example, to demand money to stop the attack.

Distributed Denial of Service (DDoS): A DDoS attack is a DoS attack on steroids. It is an attack on a server or website by many different computers simultaneously for the purpose of shutting it down to all users. According to Bloomberg News, the U.S. Department of Health and Human Services was hit by a DDoS attack in March 2019 and was “… part of what people familiar with the incident called a campaign of disruption and disinformation that was aimed at undermining the [HHS] response to the coronavirus pandemic and may have been the work of a foreign actor.”58

Endnotes and Resources

  1. Emsisoft Malware Lab a. 2020 (December 12). The State of Ransomware in the US: Report and Statistics 2019.
  2. Emsisoft Malware Lab b. 2020 (July 8). State of Ransomware in the US: Report and Statistics for Q1 and Q2 2020.
  3. Norris, Donald F., Laura Mateczun, Anupam Joshi and Timothy Finin. 2018. Cybersecurity at the grassroots: American local governments and the challenges of Internet security. Journal of Homeland Security and Emergency Management. 15(3): 1-14; and Norris, Donald F., Laura Mateczun, Anupam Joshi and Tim Finin. 2019. Cyberattacks at the grassroots: American local governments and the need for high levels of cybersecurity. Public Administration Review. 76(6): 895-904; Norris, Donald F., Laura Mateczun, Anupam Joshi and Tim Finin. 2021, forthcoming. Managing cybersecurity at the grassroots, Evidence from the first nationwide survey of local government cybersecurity. Journal of Urban Affairs.
  4. Cybersecurity Ventures. 2015. Global Cybercrime Damages Predicted To Reach $6 Trillion Annually By 2021.
  5.  U.S. Census Bureau. 2018. 2017 Census of Governments. Table 2. Local governments by type and state: 2017 [CG1700ORG02].  
  6. Government Technology. 2019. 2019 Spending Forecast for the State and Local IT Market.
  7. Secureworks. 2017. 2017 State of Cybercrime.
  8. Norris, et al., 2019.
  9. Norris, et al., 2019.
  10. Mayyan, Gilad David. 2020 (January 13). The IoT rundown for 2020: Stats, risks, and solutions. SecurityToday.
  11. The author acknowledges support for this survey from the recently established Coalition of City CISOs ( whose members constitute the majority of respondents to the survey.
  12. PWC. 2018. Strengthening Digital Society Against Cyber Shocks: Key Findings from the 2018 Global State of Information Security Survey.
  13. 2020 Deloitte-NASCIO Cybersecurity Study. 2020.
  14. Norris, et al., 2019.
  15. Deloitte-NACIO, 2020.
  16. Nash, Kim S., 2019 (December 30). Tech Chiefs Plan to Boost Cybersecurity Spending.
  17.   Hatcher, et al., 2020.
  18. Deloitte. 2019. The Future of Cyber Survey 2019: Cyber Everywhere. Succeed anywhere.
  19. Norris, et al., 2018.
  20. Deloitte. 2019.
  21. Norris, et al., 2018.
  22. Verizon, 2015.
  23. Colorado Computer Support. 2018. The City of Atlanta Held Hostage by Cybercriminals.
  24. Blinder, Alan, and Perlroth, Nicole. 2018. A Cyberattack Hobbles Atlanta, and Security Experts Shudder.
  25. Freed, Benjamin. 2018. Atlanta was not prepared to respond to a ransomware attack.
  26. Freed, 2018.
  27. Deere, Stephen. 2018. Feds: Iranians led cyberattack against Atlanta, other U.S. entities.
  28. Kearney, Laila. 2018. Atlanta officials reveal worsening effects of cyber attack.
  29. Deere, 2018.
  30. Freed, 2018.
  31. Deere, 2018.
  32. Freed, 2018.
  33. Deere, 2018.
  34. Rector, Kevin. 2018. Baltimore 911 dispatch system hacked, investigation underway, officials confirm.
  35. Rector, 2018.
  36. Duncan, Ian and Zhang, Christine. 2019. Analysis of ransomware used in Baltimore attack indicates hackers needed 'unfettered access' to city computers.
  37. Chokshi, Niraj. 2019. Hackers Are Holding Baltimore Hostage: How They Struck and What’s Next.
  38. Gallagher, Sean. 2019. Baltimore ransomware nightmare could last weeks more, with big consequences.
  39. Ropek, Lucas. 2019. Over a Month On, Baltimore Still Grappling with Hack Fallout.
  40. Duncan and Zhang, 2019.
  41. Gallagher, 2019.
  42. Gallagher, 2019.
  43. Norris, et al., 2019, 2020.
  44. National Institute of Standards and Technology. 2018. Cybersecurity Framework Version 1.1.
  45. McAfee. 2020. How Cybersecurity Policies and Procedures Protect Against Cyberattacks.,data%20breaches%20are%20potentially%20costly.
  46. PWC, 2018.
  47. PWC, 2018.
  48. PWC, 2018.
  49. Wood, Charles C. 2010. Preface. In Whitman, Michael E. and Herbert J. Mattord. 2010. Management of Information Security, 4th ed. Stamford, CT: Cengage Learning.
  50. Olenick, Doug., 2020 (September 15). National Guard Cybersecurity Units Ready to Protect Election. BankInfoSecurity. -to-protect-election-a-14990.
  51. Multi-State Information Sharing and Analysis Center. Home Page.
  52. Dudley, Renee. 2019 (August 17). The extortion economy: how insurance companies are fueling a rise in ransomware attacks.
  53. Duncan, Ian. 2019 (July 10). U.S. mayors group adopts resolution proposed by Baltimore, vowing not to pay ransoms to hackers. Baltimore, MD: Baltimore Sun.
  54. CISOMAG. 2020 (October 5). Paying ransom is now illegal! U.S. Dept of Treasury warns.,to%20cybercriminals%20is%20now%20illegal.&text=Ransomware%20payments%20may%20also%20embolden,future%20attacks%2C%E2%80%9D%20OFAC%20said.
  55. KrebsOnSecurity. 2020 (October 1). Ransomware victims that pay up could incur steep fines from Uncle Sam.
  56. Muncaster, Phil. 2020 (March 26). #COVID19 Drives Phishing Emails Up 667% in Under a Month.
  57. Anti-Phishing Working Group (APWG). 2021 (February 9). Phishing Activity Trends Report 4th Quarter 2020.
  58. Stein, Shira and Jennifer Jacobs. 2019 (March 16) Cyber-attack hits u.s. health agency amid covid-19 outbreak.


New, Reduced Membership Dues

A new, reduced dues rate is available for CAOs/ACAOs, along with additional discounts for those in smaller communities, has been implemented. Learn more and be sure to join or renew today!