First, they are popular targets. During the first half of 2019, nearly two-thirds of ransomware attacks targeted state and local governments. Second, they face a multitude of threats — data breaches, ransomware, phishing, malware and more — and they must be prepared to defend against all of them. For example, last year, government officials in Cabarrus County, N.C., fell victim to an online social engineering attack in which the scammer stole $1.7 million in taxpayer funds. Third, and perhaps most important, with continued growth in e-gov applications and smart city initiatives, state and local governments are collecting and storing more data than ever before. Securing this information will need to be a top priority.
Unfortunately, many agencies simply aren’t up to the task. They don’t have the talent, training or resources to respond to the most advanced attacks. Nor is it necessarily reasonable to expect them to. They can outsource some of these security roles to the private sector, just as they do with other IT responsibilities, but they still must be accountable.
In many cases, the most effective response to cybersecurity incidents will entail government agencies pooling resources and capabilities. For example, last July, Louisiana Gov. John Bel Edwards declared a state of emergency after multiple public school systems in the state were hit with a ransomware attack. The declaration allowed the governor’s office to direct resources from the State Police, the Louisiana National Guard and the state Office of Technology Services, among others, to create a coordinated response to the attack.
Some efforts underway to make this type of collaboration on cybersecurity issues more routine are coming from partnerships between state and local governments. In the 2019 State CIO Survey conducted by the National Association of State Chief Information Officers (NASCIO), 65 percent of states reported providing security services to local governments, up from 54 percent in 2016. States are assisting local government agencies with issues such as election security, ransomware response and cyberincident response. For example, Pennsylvania provides statewide access to a cloud-based anti-phishing training program as part of its “PA CyberSafe” program. But many states still do not have such initiatives or their efforts are incomplete. In a recent report, both NASCIO and the National Governors Association called for states to do more outreach to local government, such as by marketing state-level security services, hosting cybersecurity summits and including local governments in service contracts.
The federal government can also increase its support to state and local governments, and there are some promising initiatives. Congress passed the DHS Cyber Hunt and Incident Response Teams Act in December 2019, which established permanent teams in the Department of Homeland Security (DHS) to help prevent and respond to cybersecurity incidents. State and local governments, among others, can request assistance from these teams in the event of an attack or security threat.
Congress is also considering additional legislation to increase federal support for state and local cybersecurity efforts. In January, Sens. Hassan, Cornyn, Peters and Portman introduced S. 3207, the Cybersecurity State Coordinator Act of 2020, which would provide each state with a federally funded cybersecurity coordinator based in DHS’ Cybersecurity and Infrastructure Security Agency. The coordinator would be responsible for helping to prevent and respond to cybersecurity threats by working with federal, state and local governments, as well as local schools and hospitals.
The reality is that every jurisdiction is not going to have the same level of training and resources to respond to cybersecurity incidents. But ignoring these problems will not fix them. When it comes to measuring risk and implementing countermeasures, policymakers must take a whole-of-government approach that spans jurisdictions. States are not secure if their local governments are facing unmitigated cyberthreats, and the nation is not secure if states are vulnerable.