Hackers can disrupt local government services, like this library in Willmar, Texas. The town suffered a cyberattack in August 2019.
President Joe Biden on March 21, 2022, warned that Russian cyberattacks on U.S. targets are likely, though the government has not identified a specific threat. Biden urged the private sector: “Harden your cyber defenses immediately.”
It is a costly fact of modern life that organizations from pipelines and shipping companies to hospitals and any number of private companies are vulnerable to cyberattacks, and the threat of cyberattacks from Russia and other nations makes a bad situation worse. Individuals, too, are at risk from the current threat.
Local governments, like schools and hospitals, are particularly enticing “soft targets” – organizations that lack the resources to defend themselves against routine cyberattacks, let alone a lengthy cyber conflict. For those attacking such targets, the goal is not necessarily financial reward but disrupting society at the local level.
From issuing business licenses and building permits and collecting taxes to providing emergency services, clean water and waste disposal, the services provided by local governments entail an intimate and ongoing daily relationship with citizens and businesses alike. Disrupting their operations disrupts the heart of U.S. society by shaking confidence in local government and potentially endangering citizens.
In the crosshairs with hackers
Local governments have suffered successful cyberattacks in recent years. These include attacks on targets ranging from 911 call centers to public school systems. The consequences of a successful cyberattack against local government can be devastating.
A cyberattack on the city of Baltimore disrupted municipal services for weeks in 2019.
I and other researchers at the University of Maryland, Baltimore County have studied the cybersecurity preparedness of the United States’ over 90,000 local government entities. As part of our analysis, working with the International City/County Management Association, we polled local government chief security officers about their cybersecurity preparedness. The results are both expected and alarming.
Among other things, the survey revealed that nearly one-third of U.S. local governments would be unable to tell if they were under attack in cyberspace. This is unsettling; nearly one-third of local governments that did know whether they were under attack reported being attacked hourly, and nearly half at least daily.
Lack of sound IT practices, let alone effective cybersecurity measures, can make successful cyberattacks even more debilitating. Almost half of U.S. local governments reported that their IT policies and procedures were not in line with industry best practices.
In many ways, local governments are no different from private companies in terms of the cybersecurity threats, vulnerabilities and management problems they face. Beyond those shared cybersecurity challenges, local governments particularly struggle to hire and retain the necessary numbers of qualified IT and cybersecurity staff with wages and workplace cultures that can compare with those of the private sector or federal government.
Additionally, unlike private companies, local governments by their nature are limited by the need to comply with state policies, the political considerations of elected officials and the usual perils of government bureaucracy such as balancing public safety with the community’s needs and corporate interests. Challenges like these can hamper effective preparation for, and responses to, cybersecurity problems – especially when it comes to funding. In addition, much of the technology local communities rely on, such as power and water distribution, is subject to the dictates of the private sector, which has its own set of sometimes competing interests.
Large local governments are better positioned to address cybersecurity concerns than smaller local governments. Unfortunately, like other soft targets in cyberspace, small local governments are much more constrained. This places them at greater risk of successful cyberattacks, including attacks that otherwise might have been prevented. But the necessary, best-practice cybersecurity improvements that smaller cities and towns need often compete with the many other demands on a local community’s limited funds and staff attention.
Getting the basics right
Whether they are victimized by a war on the other side of the world, a hacktivist group promoting its message or a criminal group trying to extort payment, local governments in the U.S. are enticing targets. Artificial intelligence hacking tools and vulnerabilities introduced by the spread of smart devices and the growing interest in creating “smart cities” put local governments even more at risk.
There’s no quick or foolproof fix to eliminate all cybersecurity problems, but one of the most important steps local governments can take is clear: Implement basic cybersecurity. Emulating the National Institute of Standards and Technology’s national cybersecurity framework or other industry-accepted best practices is a good start.
I believe government officials, especially at the local level, should develop and apply the necessary resources and innovative technologies and practices to manage their cybersecurity risks effectively. Otherwise, they should be prepared to face the technical, financial and political consequences of failing to do so.
Richard Forno has received research funding related to cybersecurity from the National Science Foundation (NSF) and the Department of Defense (DOD) during his academic career, and sits on the advisory board of BlindHash, a cybersecurity startup focusing on remedying the password problem. He is the co-author of Cybersecurity and Local Governments (2022, Wiley).