In 2016, ICMA and the University of Maryland, Baltimore County completed the first national survey on local governments and cybersecurity. Since that time, the cyber threats against local governments have grown. Major shutdowns in Atlanta (2018) and Baltimore (2019) captured news headlines; however, smaller communities have been impacted as well, including 20 towns and districts in Texas (2019), Cape Girardeau, Missouri (January 2020), and many others. No local government is immune from cyber threats.
As these examples demonstrate, the growing threat to local government systems requires leadership level posture that all city, county, township, and village managers should assume, especially in 2020, the year of “what could possibly be next?”
Cyber Scenarios for Local Governments
Local governments today have significant responsibilities in many ongoing and upcoming moments in history that will be analyzed and reviewed for years to come. Those moments present opportunities for cyber attacks to bring further havoc.
Remote Working and Learning
Organizations around the world embarked on a massive teleworking experiment, sending millions of employees to work from their basements and back porches. Similarly, many K-12 classes are being fully or partially offered online. Since the restart of educational delivery in August and September 2020, several districts have faced ransomware attacks including Harford, Connecticut, city schools that had to delay the start of in-person and virtual classes. Now Clark County, Nevada, is dealing with the release of personally identifiable information after refusing to pay a ransom. According to a June 2020 study, a nearly 85% of chief internet security officers suggested that they had “sacrificed cybersecurity to more quickly enable remote work.” More ominously, the report goes on to state, “and that’s only those that admitted it.”
Several sources, including Interpol, have cited an increasing number of COVID-camouflaged domains, campaigns, and misinformation initiatives as avenues for cyber attacks. Local governments have created new websites, data dashboards, and email lists. Contact tracers have been deployed and vast new amounts of data have been created. Furthermore, the clock is ticking on vaccine deployment, which will require additional data and analytical resources. A cyber attack impacting the ongoing response or vaccine rollout would be extremely problematic.
Every year natural and human-caused disasters impact communities and stress the resources of local governments. The ongoing pandemic and civil reset provide additional challenging layers in preparing for and responding to major events. A cyber attack would be an unwanted ingredient in the year of compounding crises.
Elections are governed by federal and state laws and frameworks but in many places, implemented locally. Since the election of 2016, concerns over the cyber resiliency of the nation’s electoral infrastructure have heightened. The U.S. Cybersecurity and Infrastructure Agency (CISA) notes that “Fair and free elections are a hallmark of American democracy. The American people’s confidence in the value of their vote is principally reliant on their confidence in the security and resilience of the infrastructure that makes the nation’s elections possible.” New tools and guidance are being released continuously to support local election implementers.
Suggestions for City and County Leaders and Managers
Even in what may be considered more normal times, the advancement of technology deployments as well as the ongoing threat of cyber attacks against local government organizations, infrastructure, and partnering organizations warrant increased leadership attention by executives in local government management. Some suggestions that ICMA and other authors have put forward include the following.
Understanding the Evolving Nature of Risks and Responses
There is a significantly heightened awareness of cyber threats, and a growing ecosystem of federal and state agencies devoted to combatting them. There is also an increasing amount of guidance, advisories, and regulations that are expanding. For example, on October 1, 2020, the U.S. Department of the Treasury released new guidance on the payment of ransomware that outlines various potential violations of federal law should an entity choose to pay a cyber attacker. According to Parham Eftekhari, senior vice president for the Cybersecurity Collaborative, and new initiative that ICMA has joined: “This guidance from the Treasury Department, coupled with the recent New York state action that fined a company for failing to protect user accounts from cyber attacks, may mark the beginning of a new era where organizations and their leaders will increasingly be held accountable for cybersecurity incidents.“
Embracing Shared Leadership and Responsibility
Cybersecurity will always require specialists that operate and maintain the growing amount of IT and IoT technology controlled by a jurisdiction; however, it is also an obligation even for communities without dedicated IT staff as no community is immune from a cyber attack. For smaller jurisdictions, the heightened threats make now a very good time to think about the potential of working regionally to share IT staff. More than ever it is vital that local government executives understand the opportunities and challenges and play an active leadership and management role. This also includes impressing upon elected officials and all staff that cybersecurity is truly everyone’s responsibility.
Asking the Right Questions
For years, ICMA has offered suggestions on asking your police or fire chief the right questions. With so many challenges ongoing and on the horizon where a cyber event would be deleterious to the community, it’s time for managers to start asking the tough questions of their CIOs and CISOs, other department heads, and elected officials. Are we ready for an event? Do we have a plan? Do we know what to do in case of a successful breach? What investments in infrastructure and training should we make now to avoid catastrophic consequences in the future?
Creating a Culture of Cybersecurity
Internet security experts note that a common vector that launches a cyber attack is a phishing event. Leaders of local government should emulate and support the efforts designed to create a stronger culture of cybersecurity within their organizations, including random testing of employee responses to phishing emails. Part of that culture creation may also include advocating for additional resources to strengthen the jurisdiction’s ability to mitigate and/or respond to a cyber event. And in a world of increasingly mobile/remote work arrangements for employees, review and update policies to reflect additional risks or blind spots.
Plan, Train, Test
In the aftermath of mega-disasters such as 9/11 and Hurricane Katrina, local governments became far more aware of the impacts such events could have on their community. Planning, training, and testing for “when” not “if” became more widespread. In that same spirit, local government leaders need to think about cyber attacks as the kind of threat to their community worthy of a continuity of operations planning, as well as scenario planning, table-top exercises, and case studies during leadership retreats to ensure as much readiness as possible.
October is cybersecurity month, so what better time to think about an assessment of your community’s cyber posture. There are big historical moments underway, such as the pandemic and ongoing calls for greater social justice and racial equity. Other moments like the 2020 election and a hoped-for mass vaccination program are just over the horizon. ICMA is encouraging its members to think about cybersecurity as a leadership issue, if that is not currently in place.
With new cyber threats emerging every day, ICMA has partnered with the National Association of Counties (NACo) to strengthen local governments’ cybersecurity efforts. The Cybersecurity Collaborative will provide ICMA members with access to top tier technology security professionals, information, intelligence, best practices, and other resources to prepare for, prevent, and mitigate cybersecurity threats. Learn more about the Cybersecurity Collaborative.