County & Local

Interest in cybersecurity needs to start at top, new research argues

Local governments' cybersecurity shortcomings can be attributed to elected officials and other top leaders not taking an active interest in protecting networks and data, according to an upcoming journal article.

By Benjamin Freed

December 30, 2019

(Getty Images)

If there’s been one consistent thread in local-government technology in 2019, it’s that towns, cities and counties across the United States are highly vulnerable to cyberattacks that disrupt operations, cut off residents from vital services and even shut down whole agencies. And even though the number of incidents like ransomware continues to tick up every week, many local governments remain unprepared to meet the threats, according a paper scheduled to be published early next year.

The paper is based on what the authors — four professors at the University of Maryland, Baltimore County — say is the first nationwide survey of cybersecurity among local governments, which have borne the brunt of public-sector cyberattacks. And even though nearly half of government organizations that responded said their networks are attacked at least once a day, few manage the risks well, a trend that the researchers attribute to a lack of support from elected officials and other senior officials.

“Due to the frequency of cyberattacks, as well as the probability that at least some attacks will succeed and cause damage, local governments have great responsibility to protect their information assets. This, in turn, requires these governments to manage cybersecurity effectively, something that we show in this paper is largely absent at the American grassroots,” says the article, “Managing Cybersecurity at the Grassroots: Evidence from the First Nationwide Survey of Local Government Cybersecurity,” which is set to be published by the Journal of Urban Affairs, and is a follow-up to an article published last February by the Public Administration Review.

Led by Donald Norris, a UMBC professor emeritus of public policy, the authors began their survey in 2016 by sending surveys to all 3,423 municipal and county governments across the country with populations of at least 25,000. Of those, 406 responded, with most of the surveys being completed by chief information officers, chief information security officers or other IT managers.

But the responses to many questions about the frequency of cyberattacks and breaches, employee cybersecurity training and institutional support for better practices suggest the local-government cybersecurity landscape remains bleak.

Tools and training rise, but little else

The survey found that more governments are adopting common cybersecurity tools. Anti-virus software was in use by 83.5 percent of respondents, while more than 70 percent reported implementing both secure web and email gateways and virtual private networks, though far fewer — 22.7 percent — had adopted multi-factor authentication.

Teaching government employees about these new tools and other facets of cyber hygiene is lacking, however. While the paper’s authors called it “reasonable” that governments offer cybersecurity “awareness” training at least once a year, as 68.8 percent did, they also found that 31.3 percent of governments either did not offer such lessons or did not know if their organizations did. Those figures were similar when confined just to IT security personnel.

Despite some positive outlooks toward adoption of security tools and training, though, the results were “decidedly poor” when it came to local governments’ self-diagnoses of their ability to respond to various types cybersecurity events. Less than half — 48.3 percent — rated their ability to recover from a ransomware attack as “very good” or “excellent”; 41.9 percent said the same for their ability to detect attacks; and just one-quarter gave themselves high marks for preventing the exfiltration of data or sensitive information, which is what happened last week to Pensacola, Florida, where a hacking group that executed a ransomware attack published some of the city’s files online.

“These data suggest that local governments’ ability to respond to adverse cybersecurity events is severely lacking,” the authors write.

Executive interest needed

Ultimately, responsibility for these shortcomings rests at the top, they argue. Elected officials and other top managers, the paper suggests, do not have enough awareness of or support for their organizations’ cybersecurity, and many do not take active roles in those efforts. Slightly more than half of respondents felt they had strong support for cybersecurity from their government’s top appointed manager, but only one-third said the same about their top elected officials.

Those figures contrast with trends in the corporate sector, the article says.

“A common proposition in the cybersecurity field, especially in private sector organizations, is that top executives and board members must be fully engaged in and supportive of cybersecurity,” the authors write. “They should not leave cybersecurity solely or even predominately to technologists.”

But the UMBC professors found that 67.3 percent of elected executives felt “cybersecurity belonged mainly to technologists,” while only 9.3 percent of said they had an important role to play. They cite, as an example, remarks by Atlanta Mayor Keisha Lance Bottoms made after her city was the victim of a massive ransomware attack in March 2018, with Bottoms admitting cybersecurity “had not been a top priority before.”

Meanwhile, funding for cybersecurity remains insufficient. The paper sites a 2018 study released by National Association of State Chief Information Officers, which found that, on average, state governments spend just 1 to 2 percent of their IT budgets on security, though it also acknowledges that there is little research into cybersecurity at the local level.

The authors conclude by calling for government leaders to take more active interests in cybersecurity, though they admit “it would be foolish to think” that executive-level interest is the sole factor in improving the outlook.

“But,” they continue, “without these officials’ understanding and support, it is also hard to imagine that local governments will be able to do a better job of achieving high levels of cybersecurity.”

Until that happens, though, Norris offered a grim assessment, particularly as ransomware attacks continue popping off.

“Regarding ransomware, local governments simply are not up to the task of providing satisfactory cybersecurity — of pretty much any kind, leaving themselves wide open to attacks of various kinds — and the bad guys know it and are taking advantage of it,” he told StateScoop via email. “The bad guys also have learned that ransomware attacks pay off and that business model is working nicely. Consequently, I expect more ransomware attacks to follow, not fewer.”