Digital government “exploded” in popularity during the COVID-19 pandemic, whether or not cities were prepared to flip themselves into offering online suite of services and information.
But the massive surges in constituents seeking new services online — provided by city staffers working mostly from their own homes — in turn required IT and cybersecurity officials to revisit their strategies.
Whether it was scaling pre-existing security tools to secure thousands of new laptops or extending staff training to defend against phishing scams, officials in multiple cities recounted to StateScoop how they’ve spent the pandemic developing new techniques to defend their networks and protect their users.
‘We should have done this before’
The transition to remote work in Tucson, Arizona, as in most places, required officials like Chief Information Officer Collin Boyce to service — almost overnight — thousands of additional devices and home Wi-Fi networks that were now supporting city staff remotely, rather than in government offices.
On top of achieving “decent functionality” with virtual private networks on city-issued laptops, Tucson digitized “all the paper processes in the city”, as well as electronic signatures, automated workflows and remote virus scanning, Boyce said. That required a new arsenal of tools and architectures to protect against threats like denial-of-service attacks and data loss that “we didn’t have before,” Boyce said.
“Now that we’re talking about this, I realize I’m in the midst of trying to write a new three-to-five year plan, and I’m like ‘You know, we should have done this before,’” Boyce said.
Procuring and implementing those tools were included in the initial cybersecurity strategy that Boyce wrote when he joined the City of Tucson in 2019. But in order to get the city working “from a telecommunications perspective,” everything had to be moved ahead of schedule, helped out by a consulting company that assessed where the city had the most risk.
“We started to ask ourselves questions: Now that we have people working from home, what are the risks, like data loss prevention and data access governance tools, which has some effect on how people use their data,” Boyce said. “We were very careful and systematic on the things that we have to deploy.”
One priority was to install new software to protect the city’s voice-calling architecture so staff could continue to take calls from home. Another shift saw the city’s network team explore automation as a cybersecurity function, ensuring processes like identify authentication and data transfers could happen without human error.
“We’re not outsourcing the technology, but we’re looking for opportunities to augment staff, so automated responses through our security operations center that we’ve partnered with are going to be more important,” Boyce said. “Because as we start to have more tools and they’re built — think of the ADT type system. You have the alarm system but somebody has to monitor it 24/7/365.”
Tech officials in other cities said heavy pre-pandemic investments in digital services paid off by enabling them to simply scale up their existing defenses. Paul Kresser, the chief data officer in Denver, said his city’s cybersecurity staff was largely focused on people, educating about 15,000 workers on how to best secure their new devices and how to configure a VPN. Denver, Kresser said, had invested heavily prior to the pandemic on digital services, so scaling up antivirus protections and other cybersecurity tools wasn’t a huge lift.
“Our security controls should exist and be strong regardless of the current environment, because that environment is constantly changing and we’ve all read about state-sponsored attacks making the headlines,” Kresser said. “So certainly an event like this pandemic just armed those who would wish us harm with new means and tools by which to try to trick people by either falling for phishing scams or other types of malicious activity.”
Orlando, Florida, meanwhile, also had around 200 online services available online before COVID, so the increased demand for digital government was more a matter of scaling existing cybersecurity measures. Rosa Akhtarkhavari, the city’s CIO, credited a “security-by-design” strategy — a procurement method that looks at a product’s internal security measures, the liability language in each vendor contract and constant monitoring once a tool is activated — with Orlando’s smooth transition to a remote city workforce. Akhtarkhavari said the city developed also more “targeted” cyber awareness trainings for some city staff based on their roles, similar to programs in Denver and Tucson.
“Most cities have the same tools, but the secret sauce is how it’s all tied together,” Boyce said. “I’m being careful with that because I think most of us are going to have antivirus, most of us are going to have firewalls, most of us are going to have virus protection and scanning. How we tie it together and do the automation and how we handle the depth of the layers in that; that’s the secret sauce that changes everything.”