Feb 05 2019

What States and Cities Should Consider in Response to Cybersecurity Incidents

Strong education and training programs, capable partnerships and robust communication with stakeholders become key during a cyberincident.

Last year, U.S. cities faced an unprecedented level of cyberattacks. Both Atlanta and Baltimore battled ransomware, for example, which knocked Atlanta’s court system offline and took down Baltimore’s 311 and 911 dispatch systems.

Not too long before those attacks, the University of Maryland partnered with the International City/County Management Association in a first-ever survey of cybersecurity among local governments. In that survey, 44 percent of respondents said they faced cyberattacks daily, according to the researchers.

This prompts the question: What can state and local governments do to respond to a cyberincident during the attack? Most governments are unable to effectively respond because few elected officials are aware of the need for cybersecurity, the researchers say. As such, knowledgeable government executives must educate officials.

The researchers add, “If local officials are going to do a better job protecting their information assets, they’ll first need to know a lot more about what’s actually happening.”

“No top local officials, whether elected or appointed, should be unaware of basic cybersecurity information, like whether their systems have been attacked or breached, or who’s attacking their systems and why,” the researchers say.

Cybersecurity Response Requires Strong Relationships 

If state and local agencies don’t know what’s happening, they lack the power to respond to cyberincidents in real time. 

In a report, “Cyber Crisis Management: Readiness, Response and Recovery,” Deloitte emphasizes that an organization must be ready for short- and long-term response efforts to cyberincidents.

“Management’s response can either contain or escalate an incident; indeed, a poor response can even create a crisis. Vigorous, coordinated responses to incidents limit lost time, money and customers, as well as damage to reputation and the costs of recovery. Management must be prepared to communicate, as needed, across all media, including social media, in ways that assure stakeholders that the organization’s response is equal to the situation,” the report says.

Cyberincident response programs require coordination in six key areas, says Deloitte: governance, strategy, technology, business operations, risk and compliance, and remediation.

“Most organizations will lack the resources to develop and maintain all necessary incident and crisis response capabilities in-house. The expertise required, the evolving risk landscape, and the resources of cybercriminals render it impractical for most organizations to go it alone. Thus, an outsourced or co-sourced approach with a provider of managed cybersecurity and response services may be the best option for most organizations,” Deloitte advises.

For example, a 24/7 monitoring service can warn of cyberthreats early or sense patterns of activity indicating attacks on government computer systems.


Incident Response Actions for State and Local Government Agencies

In a blog post, security software maker Thycotic outlined steps for responding to an attack such as ransomware, noting, “With cyberthreats, it’s a matter of when and not if you’re going to be impacted. Some attacks are within your control, and some aren’t, so you need to be prepared for what to do when you do become a victim.” Understanding the nature of the threat can help identify any hack or compromise before it becomes a major incident. 

The National Association of State CIOs offers a Cyber Disruption Response Planning Guide.

The NASCIO guide emphasizes the importance of building partnerships in the private sector to expand response capabilities and calls for response authority to be vested with the government CISO. Marshalling these resources in the wake of a cyberattack will require strong communications support, the guide says.

“Communication is possibly the most critical element of a cyber disruption response plan,” the NASCIO guide says.

The guide goes on to call communication “critical to initial notifications, assessment and ongoing monitoring” of a cyberattack’s impact, as well as to coordinating the response. As a good example, Maryland strengthens communications specifically with training exercises, as described in its Cybersecurity Incident Response Policy.

This article is part of StateTech's CITizen blog series. Please join the discussion on Twitter by using the #StateLocalIT hashtag.

