
Ensuring the Cybersecurity of Our Local Governments in the COVID-19 Era

The views expressed are those of the author and do not necessarily reflect the views of ASPA as an organization.

By Wesley Meares, Jay Heslen and Will Hatcher
August 11, 2020 

The nation is facing an unprecedented crisis. COVID-19 is putting unparalleled stress on the nation’s public health infrastructure and public administration in general. The shutdowns caused by COVID-19 have led to the single largest contraction of the United States economy since World War II. Localities have experienced sharp decreases in revenue and are anticipating these declines to last into the next fiscal year. Spending cuts have been made and cost-saving measures have been implemented. But there is one area that cities should not cut or underfund. In fact, to the best of their abilities, city leaders should attempt to bolster it. That area is cybersecurity.

During the pandemic the focus, rightly so, has been on the COVID-19 virus, but the threat caused by computer viruses is still salient. Cities are still being hacked. In fact, cities are more reliant on technology to conduct business and by doing so are exposing themselves to new vulnerabilities—such as meetings being hacked—that they had not anticipated before social distancing guidelines were implemented. Cities were vulnerable before the virus, but now they are more vulnerable. And because of declining resources, it may take longer for municipal officials to recognize a cybersecurity breach. This is a concern because cities hold significant amounts of personal and financial data, and having it open for attack represents a troubling public policy problem.

However, few empirical studies have examined the cybersecurity policies of cities in the United States. There is little research in the academic literature that addresses whether cities maintain cybersecurity plans and policies that are sufficient to protect their citizens’ data. There is also a general lack of knowledge regarding cybersecurity policies and practices on the part of cities that place the security of public services and citizens’ privacy at risk.

In a recent study published in the Journal of Cyber Policy, we sought to address these gaps in the academic literature. In 2019, we surveyed cities with a population of 10,000 or greater in the United States. Our survey was developed from the computer security reports from the National Institute of Standards and Technology (NIST) in the U.S. Department of Commerce. Questions were posed concerning the following areas: the utilization of internet-based technologies, the existence of a formal cybersecurity strategic plan, the types of cybersecurity policies being implemented in cities and the resources needed to conduct cybersecurity planning. We collected surveys from 168 officials employed in cities across the U.S. Although our response rate was low, the study’s sample was representative of the nation and the responses provided insights into an understudied but important research area: the cybersecurity policies and practices of cities.

We found that most municipalities had a formal cybersecurity policy in place and the cities that did not were planning to draft a formal policy in the near future. Moreover, we found that municipalities with a formal cybersecurity policy were more likely to detail access to sensitive information and conduct standard tests and operations to defend against attacks.

However, we did find three areas that need to be improved:

  • First, cities need to track data related to cyber breaches. Only 37% of cities tracked this data.
  • Second, cities need to consult with outside auditors and professionals to craft effective policies, to review and update the policies regularly and to test systems.
  • Third, cities need more funding to effectively implement their cybersecurity operations. For example, Atlanta consulted with an outside firm but lacked the resources to put the recommendations in place. Those recommendations could have helped to address vulnerabilities in their system that were exposed in the cyberattack of 2018.

What can be done to improve cybersecurity for cities and address these areas of concern?

  • First, cities that do not have a formal cybersecurity policy should develop one.
  • Second, municipalities should explore forming partnerships with neighboring local governments as a means to limit costs in an attempt to expand access to cybersecurity tools and expertise. Collaborations are a necessary tool for public organizations, especially when resources are limited and vital issues are being addressed. Furthermore, strong partnerships among municipalities have the ability to more effectively appeal to the national government for more support for cybersecurity.
  • Third, more funding is needed. The federal government should provide more support to state and local governments for cybersecurity. Last and more broadly, cybersecurity should be made into a management function. Only 58.6% of cities surveyed trained officials on cybersecurity on an ongoing basis. This issue can be addressed through the integration of cybersecurity into daily management practices.

More generally, the field of public administration should integrate cybersecurity into the curriculum and prepare future public managers for IT and cybersecurity issues. Cybersecurity is often not included in the coursework of graduate programs in public affairs. Leaders of public affairs programs need to work together to ensure that our graduates are learning what they need to know in order to protect the data of public organizations and the citizens that are being served. Professional associations are an important part of this goal. NASPAA and ASPA could play a critical role in promoting cybersecurity education in public affairs programs.


Wesley Meares, PhD
Associate Professor, Augusta University

Jay Heslen, PhD
Assistant Professor, Augusta University

Will Hatcher, PhD
Professor and Interim Chair, Augusta University
