What was once material for Hollywood espionage thrillers is now how real-world hackers disrupt everyday life. From the Office of Personnel Management breach in 2015 to a high-profile attack in March that deeply impacted the city of Atlanta, cyberattacks have become more sophisticated, prolific and consistent, demonstrating just how pervasive cyberthreats are today.
These attacks are not solely focused on individuals or private companies with data-rich environments. The very constructs of our communities and society — our state and local government institutions — are at risk on a daily basis.
The Current Threat Landscape for Local Governments
One may ask why these attacks continue to happen regularly, given the advances of modern technology that are suited to predict and protect against cyberthreats. The answer is simple: there is money to be made by bad actors, and through social engineering, they have learned to manipulate technology users and gain access to government IT infrastructure that is not always built to last.
Moreover, attacks are on the rise: federal agencies were attacked with 14 percent greater frequency in 2017 than in 2016. Nearly half of local governments report at least one attempted attack daily, and more than a quarter do not know how often they are attacked, according to a report from the International City/County Management Association (ICMA).
Attacks are diverse as well. Ransomware attacks hold the data and services of cities of various sizes and budgets hostage, from major metropolises to America’s smallest towns.
As midterm elections approach and the debate around election security continues, our election infrastructure remains a target. And as governments continue to leverage developing technologies, such as cloud computing and the Internet of Things (IoT), they face a broader threat landscape that includes distributed denial-of-service attacks, which can effectively lock down agency operations.
The federal government continues battling on several fronts to address cybersecurity, and cities and states — many of them depending on national security standards and federal funding for cybersecurity — must also find ways to reduce risks and improve their cybersecurity hygiene. An end-to-end security strategy, coupled with other cybersecurity best practices, will support these objectives at all levels of government.
Cultivate a Strong, Mature Government Cybersecurity Posture
Cybersecurity is not a platform-specific issue. It must be wrapped into every single layer of government operations, from the applications delivered to users, to the networking they’re delivered through, to the underlying infrastructure itself.
Organizations also can’t approach cybersecurity posture reactively. If we wait to dream up protections against the latest threat made against IT infrastructure, we’ll remain two steps behind attackers who are always finding new opportunities and developing newer threats.
Every government organization at every level should follow a framework or set of standards in order to build a robust security posture. A strong framework helps manage vulnerability in a number of dimensions: endpoints, data centers, user authorization and physical security, just to name a few.
More than half of local governments don’t have a formal cybersecurity framework developed, according to the ICMA report, and nearly 70 percent don’t have a formal cyber risk management plan. This must be prioritized in every community in the country. States are further along: the National Association of State Chief Information Officers (NASCIO) notes that 95 percent of states have adopted a cybersecurity framework based on national standards and guidelines.
In my time as a deputy CIO for state government, our security framework had a dozen dimensions. We recognized the need to intimately understand each of them and to know the maturity of those dimensions, rather than just buying a solution.
Proactive (and Continuing) Education Plays a Key Cybersecurity Role
Another way to counter the persistence of cyberattackers is to persistently train against them. All too often, hackers are invited into an organization by an unwitting employee who clicks on a questionable link or opens an unassuming email that grants access to malicious programming.
By providing employee education and phishing testing, governments can ensure every individual behind a computer understands that they may impact the entire organization by clicking on or responding to the wrong email or bad links on the internet.
Such exercises gauge the degree of the social engineering problem. Some states have found they can reduce phishing exposure by 20 percent by providing this training. According to the NASCIO survey, 88 percent of state CIOs developed security awareness training for workers and contractors in 2017. Conversely, the ICMA reports 30 percent of local governments never train end users or provide cybersecurity awareness training for municipal employees, and half never provide training for elected officials. Organizations at every level should explore training options for their human resources.
Good Cyberhygiene Goes a Long Way
A risk-based management approach applies to every aspect of government operations, including the way governments integrate new technologies. Agencies at the federal, state and local levels are making strides to modernize legacy technology at varying paces, with many tapping the flexibility afforded by cloud computing, apps and IoT devices.
Regardless of how ambitiously they seek to modernize, agencies must be sure to embed the security frameworks they arrive at throughout their entire infrastructure. Everything from file servers and wireless networks, to desktop computers and employees’ mobile devices (whether they’re work-issued or personal devices), to the applications they enable must share the same security parameters as the rest of the organization, or the agency mission is at risk.
Many security products claim to be a universal solution against cybersecurity threats, but these solutions may amount to little more than bandages if the problem lies within the security strategy itself. In reality, there is no silver-bullet technology that can render a government completely immune to attack, but strong cyberhygiene can go a long way toward building up immunity.