Local governments need more cyber funding, report finds

State governments are outperforming local governments on cybersecurity, according to a new report from the Center for Internet Security.

Lack of sufficient funding is hindering the ability of local governments to practice good cybersecurity hygiene, according to a report published this week by the nonprofit Center for Internet Security.

The report, the 2023 National Cybersecurity Review, found that 30% of the more than 3,000 local governments surveyed were either “not performing cybersecurity activities or are utilizing informal, ad-hoc processes.”

Researchers found that state agencies performed better with respect to cybersecurity practices — 46% of state governments met a maturity benchmark compared to 35% of local governments, a disparity they attributed in part to the greater technology funding typically enjoyed by state governments.

Local governments often lack the resources, funding or staff to establish adequate cybersecurity policies. The survey notes that 80% of participants reported having fewer than five dedicated security employees.

“Local governments tend to have limited resources in areas such as staffing and security budgets,” Tyler Scarlotta, member programs manager at the Center for Internet Security, told StateScoop in an email. “A local government such as a city office or county office may have one dedicated information technology or security employee who is managing a lot of day-to-day tasks and projects. That employee likely does not have a lot of time to dedicate towards formalizing security practices.”

The report found that 70% of both state and local government respondents cited funding as their top security concern, closely followed by an “increasingly sophisticated threat landscape.”

To improve their cybersecurity programs, the survey recommends local governments use federally funded resources, including the Malicious Domain Blocking and Reporting program offered by the Multi-State Information Sharing and Analysis Center or the Cybersecurity and Infrastructure Security Agency’s Cyber Hygiene scanning assessment service.

“Newer grant programs such as the State and Local Cybersecurity Grant Program have assisted public sector entities with potential new funding opportunities in the past few years,” Scarlotta said.

Scarlotta said survey respondents also selected “emerging technologies” as a security concern, and at a higher rate compared to prior years, citing artificial intelligence and risks with third-party applications.

“The public sector has shown improvements regarding incident response planning in the past several years,” Scarlotta said. “This trend could continue into the upcoming year, as organizations formalize and test plans such as these.”

The report says local governments need to implement high-priority security controls to automate risk management and asset management processes, and install more-advanced cyber detection capabilities.

Ransomware continues to threaten state and local governments, which are often the first line of defense for national security assets like ports, water treatment facilities and energy infrastructure, according to a Department of Homeland Security report published last May.

“It is now clear that a reactive posture cannot keep pace with fast-evolving cyber threats and a dynamic technology landscape, and that aspiring just to manage the worst effects of cyber incidents is no longer sufficient to ensure our national security, economic prosperity, and democratic values,” National Cyber Director Harry Coker, Jr. wrote in the DHS report.
