State and Local Government Cybersecurity Risks

Similar to the federal government, state and local governments have cybersecurity threats. While the federal government is in charge of the U.S. as a whole, state and local governments manage cities, towns, tribals, and municipalities. This difference also leads to shifts in the way governments establish cybersecurity. On a state-to-state or city-to-city level, applications may change based on a number of factors. 

What Does Cybersecurity Look Like on the State and Local Level?

State and local governments are vulnerable to cybercriminal activity as “they collect, process, store, and transmit vast amounts of sensitive data.” The wrong hands can weaponize and misuse data.

In 2020, hackers carried out 79 individual ransomware attacks against U.S. government organizations. It cost downtime and recovery of nearly $18.88 billion. Clearly, ransomware is pervasive. The attack suspended “municipal operations, ultimately disrupting infrastructure services for 911 systems, utilities, and payment platforms with state and local governments.” 

Cybercriminals target local governments, which can “threaten to erode the trust that residents have in critical institutions.” The increasing reliance on IoT and automated systems may invite cyberattacks. They take advantage of gaps in security and the multiple entries of technology. Inadequate security measures and negligence within municipalities generate cyber risks.

From a review of local government cybersecurity in 2020, local governments have three ways of cybersecurity structure: 

1. Centralized: A single IT department is responsible for managing all the cybersecurity in a town or city. As a benefit, it ensures an extensive coverage of risks.
2. Decentralized: Every department must run its own cybersecurity. Unlike centralized, a police department or building division in a town government must deal with IT matters individually.
3. Federated: For local governments that operate with federated, it’s shared. The chief information security officer (CISO) assumes part of the authority for cyber protection. Local offices and departments take on the rest. The disadvantage of this model is that the CISO does not set the precedent for local government departments. A lot of breaches and cyberattacks can happen from a lack of education surrounding proper cybersecurity protocols. If a CISO is unable to totally control a local government’s cybersecurity, departments may be susceptible to hackers.

Cybersecurity Preparedness

As with federal government agencies, local and state governments commonly take action post-attack. 

An example comes from the Riverside Ohio police and fire department in 2018. The department servers suffered an unrecoverable data loss from 10 months of information. Unfortunately, it “effectively shut down the police department’s records management system.” Surprisingly, Riverside went through another data loss only a month after the initial shutdown. Since the first time, they ran daily backups in case it happened again, which it did. In March 2018 and May 2019, two attacks occurred in the local government of the city of Baltimore as well. 

An IBM news report examined the results from a poll. In it, U.S. city and state employees assessed their readiness for cyberattacks. Overwhelmingly, more than natural disasters and terrorist attacks, 73% of government employees feared “impending ransomware threats to cities across the country.” 

Moreover, respondents revealed the prevalence of ransomware attacks. A poll showed that the departments of 1 in 6 employees had a ransomware attack. This evidence has not stimulated proactive prevention. Only 38% of employees received “general ransomware prevention training.” 

Along with cybersecurity structure in local government, there are obstacles to achieving uniform and effective cybersecurity across states, towns, and cities.

Problems in Governments that Cause Cyber Risks 

Other factors contribute to the flaws in cybersecurity at this level of government. IoT emerges as a feature in buildings that will only continue, according to Smart Buildings Market for 2021-2026. The research estimates that “over 78% of new construction will involve at least one facet of IoT and/or related smart buildings market-related technologies over the course of the next five years.”

More state and local governments will incorporate these types of technologies into their offices. "[T]hese internet-connected devices and systems greatly increase exposure to cybersecurity risks.” IMCA reviewed the consideration for IoT safety in municipalities. They go in hand with the accessibility and streamlined application that IoT offers. Technology is not dangerous but a lack of cybersecurity resources is.

Risks for administering IoT devices:

• Weak or hard-coded passwords
• Old and unpatched embedded operating systems and software
• Insecure data transfer and storage
• Lack of secure updates

The Center for Digital Government (CDG) surveyed 103 state and local officials to determine why governments lacked an effective security strategy:

• 46% said lack of cybersecurity skills among their workforce
• 40% said issues with integrating security tools
• 36% said the inability to rapidly respond to threats

The following security and compliance challenges include: 

• Legacy 
• Unpatched and non-supported networks increasing exposure
• Excessive manual processes 
• Limited enterprise visibility around the endpoints connected to networks

From the survey, 66% of participants acknowledged that “their data-sharing practices are only somewhat mature or not mature at all."

Governments experience challenges with data accessibility and sharing. They have difficulty transforming data into actionable intelligence. It's a result of different data formats and storage environments. “At the same time, governments must deal with an ever-evolving regulatory environment and an increasingly privacy-focused landscape that makes it safer for them to limit data sharing rather than expose themselves to added risks.”

Data analytic challenges from a CDG survey:

• 41% said security
• 38% said privacy concerns
• 35% said data quality
• 34% said data silos

The article poses a few solutions:

• Governments need to better align their data with people, technologies, and processes for the connection to be seamless.
• Storing and indexing data calls for reconfiguration for security. 
• Muncipilatites must leverage modern technologies to support data sharing across departments.
• Cybersecurity is a necessity and data contains confidential information that demands protection. 

On top of this, 52% of state and local government IT/Security professionals agreed their budget hasn’t improved. This could hinder training on ransomware prevention.

What Regulations Constitute State and Local Cybersecurity? 

The EU implements the General Data Protection Regulation (GDPR), a data privacy and security law that provides regulations for organizations worldwide to control cybersecurity. Some states have begun implementing cybersecurity mandates on their own. Following this, the U.S. is starting to catch up with statewide mandates such as the California Consumer Privacy Act (CCPA). The act provides guidance for California businesses and organizations, mostly to protect consumers and let them have greater control over their personal information and what businesses can take advantage of. 

Additionally, the 2018 California Civil Code on Security of Connected Devices places a new requirement on manufacturers. On January 1, 2020, manufacturers began following these guidelines. IoT devices are now sold with the right security features to protect data and privileged information. The code will reduce "unauthorized access, use, adaption, disclosure, or destruction."

The New York City chief technology officer issued the New York City Internet of Things. It defines IoT safety and security practices. The new order creates processes to evaluate city technology. ICMA's “Cybersecurity Considerations to Implement IoT,” also gives recommendations for improvement.’”

The Committee on Homeland Security wants to introduce The State and Local Cybersecurity Improvement Act. The proposal stems from fears that the federal government is slow to cybersecurity. Stretched state and local budgets and current defenses cannot stand against foreign hackers.

The act develops "a new Department of Homeland Security (DHS) grant program." Advocates plan to tackle cybersecurity risks for state and local governments.

A National League of Cities report, “State and Local Partnerships for Cybersecurity,” believes in a collaborative approach. Cities and states can strengthen national cybersecurity infrastructure together. 

Currently, “Delaware is the only state that offers voluntary statewide cybersecurity training for state non-executive and local government employees.” Out of the 50 U.S. states, only 16 mandate cybersecurity training. Nine states lack cybersecurity training programs completely. 

Organizations are fighting to unify and structure the inconsistencies among states.

How to Secure Critical Local and Government Data 

Beyond firewalls and antivirus software, a simple and inexpensive (compared to ransomware costs) solution is keeping backup images and copies of data. In this way, governments will have another layer of protection in case of ineffective cybersecurity. 

Security is central to software design at Macrium. Our applications give you complete control over where your data is stored and will operate fully offline for the most secure, air-tight networks.

Macrium Software provides extensive backup imaging for this reason. Check out our website to learn about installing effective backups to prevent data loss at Macrium.com.