Over the past few months, ransomware attacks abounded, ranging from the Colonial pipeline, the meat industry and, most recently, the software vendor Kaseya. State and local organizations — including the Baltimore school districts, the NYPD fingerprint database and the State of Texas — face their own barrage of malicious cyberattacks and often have fewer resources for protecting themselves. With the federal government preoccupied with the fallout from SolarWinds, state and local officials are oftentimes forced to defend their systems on their own when an attack finally occurs.
Because state and local organizations are especially vulnerable to the challenges in cyberspace, they need tailored guidance if they want to become more cyber-secure. To better capture the cyberattack landscape and provide concrete recommendations for state and local organizations, my colleagues and I at the R Street Institute published a report, “Enhancing State and Local Cybersecurity Responses.” After analyzing state incident reports, interviewing various practitioners and experts and examining response and organizational models, we have gathered a list of best practices for state and local government organizations.
Our first recommendation is the perennial plea to increase state and local government resources for personnel and funding. Although one of the duties of the Cybersecurity and Infrastructure Security Agency is to help coordinate federal resources with state and local government, it’s underfunded, outmatched and exhausted.
States, meanwhile, spend less than 3% of their IT budgets on cybersecurity, according to a 2020 report from the National Association of State Chief Information Officers, and only 36% of states have dedicated cybersecurity appropriations. The IT budget itself is often only about 2% of overall funding. With cyberattacks costing states anywhere from $665,000 to $40.53 million in recovery costs, a cyber budget that’s just two percent of two percent is simply insufficient in today’s digital age.
Luckily, state and local governments can bolster their cybersecurity knowledge by setting up systems that draw upon resources from the private sector. Several states have begun creating volunteer programs to help strengthen their cyber capacity: Michigan’s Cyber Civilian Corps, Wisconsin’s Cyber Disruption Teams and Ohio’s Cyber Reserve are all dedicated to recruiting the necessary talent to respond quickly during a cyber incident at minimal cost.
Having commercial cybersecurity aid for sharing knowledge and tools between state and local workers — before the event of a potential cyberattack — can drastically improve existing protocols. Such practices of sharing information can also strengthen cyberdefense measures as they encourage a diversity of approaches.
Officials at each state and local government should also establish a cyberattack response plan and a planning framework. Making each section of the plan as detailed as possible can increase cybersecurity capabilities for prevention and response in manageable, incremental steps.
In April alone, state and local officials have had to deal with a staggering 31 publicized ransomware attacks worldwide, according to the cybersecurity firm BlackFog. But educating state and local organizations to establish better contingency planning structures, by following best practices based on past experiences, can make the challenges ahead more manageable.
State and local governments can become better prepared by drawing lessons from each other. The better the information-sharing systems are between the state and local levels, the better organizations can develop organic cyber response approaches and capabilities for more resilient structures.
Franklin Lee is a special projects assistant for cybersecurity and emerging threats at the R Street Institute. Previously, Franklin worked as a paralegal for Lutheran Social Services of New York and as an immigration know your rights trainer, funded by the Mayor’s Office of Immigrant Affairs.