Cities Under Siege: Strategies For Combating Cyberattacks Against State and Local Governments
The views expressed are those of the author and do not necessarily reflect the views of ASPA as an organization.
By Ian Hutcheson
September 22, 2019
State and local governments in the United States are under siege. Ransomware attacks by cybercriminals against these governments have increased in recent years, according to a May 2019 report from Recorded Future. The implications for privacy, service disruption, public safety and stewardship of taxpayer money make attacks against government targets especially threatening to the population at-large. Preventing cyberattacks for state and local governments is critical to earning the trust of residents and providing the services that are foundational to their livelihoods. Three strategies for governments to ward off this threat are:
- Committing to a policy of not paying ransoms
- Investing in recruiting and retaining skilled technology professionals
- Developing comprehensive cybersecurity plans
Eliminating the threat of cyberattacks is beyond the capacities of any single government, but a multiplicity of governments uniting behind these and other strategies will help diminish the danger posed by ransomware attacks.
Surrendering To The Enemy
One of the most immediate dilemmas facing an organization that has been the victim of a ransomware attack is whether or not to pay the ransom. This choice is particularly tricky for governmental organizations that provide services vital to the safety and security of their communities. It is not surprising then that many governments decide to pay the ransom after an attack in order to quickly get up and running again.
Giving into the demands of cybercriminals may accomplish the short-term objective of quickly restoring operations, but it does so at the cost of the long-term goal of disincentivizing ransomware attacks. At the Annual Meeting of the United States Conference of Mayors in 2019, the group of municipal leaders resolved to not pay the ransom in the event that their organizations suffered an attack. The Mayors cited the need to disincentivize cybercriminals from targeting city governments by making them less attractive prospects for securing ransoms. In combatting the rise of cyberattacks on state and local governments, the immediate operational needs of targeted organizations may need to be sacrificed in the interest of a long-term decrease in this trend.
Building An Army
One of any organization’s greatest defenses against ransomware attacks are its reserves of cybersecurity experts. The inability of government to reliably employ skilled technology workers is well-documented and some of the reasons cited for this include high-demand for tech talent in today’s labor market, cumbersome hiring processes, and lower salaries compared to the private sector, according to a 2015 Booz Allen Hamilton report that focuses on the federal workforce. These problems are shared by many state and local governments who themselves must compete with federal agencies for the talents of cybersecurity workers.
If state and local governments are to prevent cybercriminals from holding their data hostage, they will need to invest in recruiting and retaining the right soldiers for this fight. This does not only mean that governments will need to spend more money in attracting this talent. Flexible work schedules are often valued by younger professionals, but some evidence suggests an increase in the number of state government agencies that do not offer flex hours. Whether through higher salaries or personnel policies more in line with current workforce trends, governments will need to entice innovative technology professionals to bolster their cyber defenses.
A Plan Of Attack
Government agencies are well-versed, perhaps to a fault, in developing plans for confronting the problems they must address. Given this, the finding of a Public Technology Institute survey that only 35% of local governments have developed cybersecurity plans is surprising. As the novelty of these incidents recedes and cyberattacks on governments become more common, it is incumbent upon these organizations to plan for them in the same way they do for any issue with far-reaching implications for their residents.
While not every problem addressed through a strategic plan is meaningfully improved, significant evolution on an issue is unlikely to occur without a comprehensive approach. In a 2017 report released by the International City/County Management Association, a surveyed sample of local government information officers ranked developing cybersecurity plans as the fourth most effective means of increasing system security and listed improved cybersecurity policies as the second most important improvement that organizations could make. Developing strategic plans is a move that governments can make largely with existing resources and without having to shift funding away from other issues that are important to their residents.
In the fight against ransomware attacks on state and local governments, there is little doubt that these organizations will need to devote greater resources towards the issue. Hiring the right people to man the front lines of their defenses will require greater spending, but there are actions they can take without substantial increases in funding. Developing comprehensive cybersecurity plans will ensure that these threats are planned for strategically. Committing to not paying ransoms may seem impractical, but it is perhaps the best way to disincentivize ransomware attacks. Although several organizations have lost major battles against cybercriminals recently, the war is far from lost if state and local governments commit to taking this threat seriously and combating it creatively.
Ian Hutcheson, MPA is a Management & Budget Analyst for the City of Oklahoma City and a member of the ASPA Oklahoma Chapter. He is a 2018 graduate of the Master of Public Administration program at the University of Kansas. Ian’s professional areas of interest include city management, finance and budget, economic development and urban design. Contact: [email protected]. Twitter handle: “ihutch01”
(3 votes, average: 5.00 out of 5)
Loading...
Cities Under Siege: Strategies For Combating Cyberattacks Against State and Local Governments
The views expressed are those of the author and do not necessarily reflect the views of ASPA as an organization.
By Ian Hutcheson
September 22, 2019
State and local governments in the United States are under siege. Ransomware attacks by cybercriminals against these governments have increased in recent years, according to a May 2019 report from Recorded Future. The implications for privacy, service disruption, public safety and stewardship of taxpayer money make attacks against government targets especially threatening to the population at-large. Preventing cyberattacks for state and local governments is critical to earning the trust of residents and providing the services that are foundational to their livelihoods. Three strategies for governments to ward off this threat are:
Eliminating the threat of cyberattacks is beyond the capacities of any single government, but a multiplicity of governments uniting behind these and other strategies will help diminish the danger posed by ransomware attacks.
Surrendering To The Enemy
One of the most immediate dilemmas facing an organization that has been the victim of a ransomware attack is whether or not to pay the ransom. This choice is particularly tricky for governmental organizations that provide services vital to the safety and security of their communities. It is not surprising then that many governments decide to pay the ransom after an attack in order to quickly get up and running again.
Giving into the demands of cybercriminals may accomplish the short-term objective of quickly restoring operations, but it does so at the cost of the long-term goal of disincentivizing ransomware attacks. At the Annual Meeting of the United States Conference of Mayors in 2019, the group of municipal leaders resolved to not pay the ransom in the event that their organizations suffered an attack. The Mayors cited the need to disincentivize cybercriminals from targeting city governments by making them less attractive prospects for securing ransoms. In combatting the rise of cyberattacks on state and local governments, the immediate operational needs of targeted organizations may need to be sacrificed in the interest of a long-term decrease in this trend.
Building An Army
One of any organization’s greatest defenses against ransomware attacks are its reserves of cybersecurity experts. The inability of government to reliably employ skilled technology workers is well-documented and some of the reasons cited for this include high-demand for tech talent in today’s labor market, cumbersome hiring processes, and lower salaries compared to the private sector, according to a 2015 Booz Allen Hamilton report that focuses on the federal workforce. These problems are shared by many state and local governments who themselves must compete with federal agencies for the talents of cybersecurity workers.
If state and local governments are to prevent cybercriminals from holding their data hostage, they will need to invest in recruiting and retaining the right soldiers for this fight. This does not only mean that governments will need to spend more money in attracting this talent. Flexible work schedules are often valued by younger professionals, but some evidence suggests an increase in the number of state government agencies that do not offer flex hours. Whether through higher salaries or personnel policies more in line with current workforce trends, governments will need to entice innovative technology professionals to bolster their cyber defenses.
A Plan Of Attack
Government agencies are well-versed, perhaps to a fault, in developing plans for confronting the problems they must address. Given this, the finding of a Public Technology Institute survey that only 35% of local governments have developed cybersecurity plans is surprising. As the novelty of these incidents recedes and cyberattacks on governments become more common, it is incumbent upon these organizations to plan for them in the same way they do for any issue with far-reaching implications for their residents.
While not every problem addressed through a strategic plan is meaningfully improved, significant evolution on an issue is unlikely to occur without a comprehensive approach. In a 2017 report released by the International City/County Management Association, a surveyed sample of local government information officers ranked developing cybersecurity plans as the fourth most effective means of increasing system security and listed improved cybersecurity policies as the second most important improvement that organizations could make. Developing strategic plans is a move that governments can make largely with existing resources and without having to shift funding away from other issues that are important to their residents.
In the fight against ransomware attacks on state and local governments, there is little doubt that these organizations will need to devote greater resources towards the issue. Hiring the right people to man the front lines of their defenses will require greater spending, but there are actions they can take without substantial increases in funding. Developing comprehensive cybersecurity plans will ensure that these threats are planned for strategically. Committing to not paying ransoms may seem impractical, but it is perhaps the best way to disincentivize ransomware attacks. Although several organizations have lost major battles against cybercriminals recently, the war is far from lost if state and local governments commit to taking this threat seriously and combating it creatively.
Ian Hutcheson, MPA is a Management & Budget Analyst for the City of Oklahoma City and a member of the ASPA Oklahoma Chapter. He is a 2018 graduate of the Master of Public Administration program at the University of Kansas. Ian’s professional areas of interest include city management, finance and budget, economic development and urban design. Contact: [email protected]. Twitter handle: “ihutch01”
Follow Us!