Today I’ll focus on cybersecurity resilience, but let’s acknowledge that it is a much broader topic. Every year, we must be ready for wide-ranging incidents that impact our business routines, customer interactions and communities/families. In 2024 alone, we saw how our physical and virtual worlds were affected by:
- Natural disasters like Hurricane Helene devastating socially vulnerable areas that face a harder time recovering;
- Accidents like the cargo ship that collapsed Maryland’s Key Bridge, disrupting traffic and operations at the port of Baltimore;
- Deliberate attacks like the Baltic Sea cable cuts that have the potential to impact global Internet traffic flows;
- Supply chain attacks like the Salt Typhoon espionage operation that infiltrated many of our nation’s top telecom providers to spy on sensitive government conversations.
THE INTERNET IS CRITICAL INFRASTRUCTURE
For the last five years, digital government has been a top priority for most CIOs. The promise of a digital government has delivered more transparency and access to government services than ever before. On top of that, customer experience has greatly benefited from this evolution. A simple, real-world validation is a transaction with your local department of motor vehicles (DMV), such as a driver’s license renewal. You will see that most of the services are digital and online, and you rarely need to visit the DMV, let alone wait in long lines (which are nonexistent because those transactions have been offloaded to online channels).
The Internet is one of the main components of digitization. It is critical infrastructure for most government agencies as it is the primary interface to the public, and with the proliferation of software as a service (SaaS) and the hybrid workforce, it is the vehicle for internal operations and collaboration as well. Dependence on the Internet creates new requirements for IT departments and at times can cause negative consequences if the IT environment is not properly designed.
Imagine your agency completely without Internet access due to a distributed denial-of-service (DDoS) attack. Your employees or contractors may not have connectivity to their work tools, and none of your residents can access your online services. As more citizen services are delivered via the web, the impact is felt broadly.
But as a state or local government leader, how do you protect your assets on the Internet? How do you optimize customer experience and secure their identity and data? You have more control than you might realize. And it’s imperative to shore up your Internet services as part of your cyber resilience plan for 2025. I believe there are specific focus areas which can put any agency on the right path to resilience: review the DNS infrastructure, secure web application and API services, and review modernized network services.
MODERNIZE THE DNS INFRASTRUCTURE
Domain name system (DNS) services are a critical yet often overlooked component of government cybersecurity and operational infrastructure. These services, which translate human-readable website addresses into IP addresses, play a vital role in maintaining the security, reliability and accessibility of government digital services.
Modern DNS services provide essential security features that help protect against various cyber threats, including DNS poisoning, domain hijacking and data exfiltration attempts. Importantly, DNS is often the first line of defense against cyber threats, and modern DNS services can detect and block malicious traffic before it actually reaches government networks.
Beyond security, DNS services enable government agencies to:
- Maintain high availability of critical online services
- Implement geographic load balancing for better service delivery
- Monitor and analyze network traffic patterns
- Adopt the .gov top-level domain. Resilience and trust go hand in hand, and using a .gov domain increases trust. Some states are already taking action; for example, California’s Assembly Bill 1637 (AB 1637) requires a full transition by Jan. 1, 2029.
- Use protective DNS. Protective DNS is any security service that analyzes DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture. Protective DNS prevents access to malware, ransomware, phishing attacks, viruses, malicious sites and spyware at the source, making the network inherently more secure.
- Defend your DNS infrastructure. We recommend that organizations take steps to secure their DNS infrastructures, such as reviewing audit logs regularly and adding multifactor authentication. Also, agencies should ensure their providers implement DNS Security Extensions (DNSSEC) and move toward encrypted DNS protocols to better protect government communications.
MAINTAIN YOUR CUSTOMER PRESENCE WITH WEB APPLICATION AND API SERVICES
Government agencies are increasingly finding themselves on the frontlines of a new cybersecurity battleground: the protection of web applications and APIs (application programming interfaces). As web applications and APIs are now the primary way residents interact with government services, from tax filing to benefits management, these digital interfaces handle millions of sensitive transactions daily. Their security is paramount to maintaining public trust. Web application and API attacks are at record highs: in 2022, over 400 million web application and API attacks were recorded daily.
Traditional perimeter security isn't enough anymore — we need comprehensive application and API security measures that can protect against modern threats such as:
- Sophisticated bot attacks targeting government services
- API-specific vulnerabilities that can expose sensitive data
- Supply chain attacks through third-party integrations
- Zero-day exploits targeting application frameworks
Resolve to be resilient by ensuring that your customer applications are protected, leveraging web application and API protection (WAAP) tools with the following steps:
- Leverage a CDN to protect against DDoS attacks and add resilience with load balancing
- Implement web application firewall services to filter and monitor HTTP traffic and protect against malicious bots and web crawlers
- Use strong authentication and authorization controls for applications and APIs
- Secure, monitor and manage API traffic with an API gateway
- Perform continuous security testing and vulnerability assessments
- Assess your provider's real-time threat detection and response capabilities
On the National Association of State Chief Information Officers' Top 10 list, legacy modernization is a constant. There are many reasons why modernization continues to show up, ranging from the continued use of outdated and out-of-service infrastructure components to the inability of IT departments to keep pace with the incredible architectural changes that have happened in IT over the last decade. The latter was caused by the move to SaaS applications, data centers being displaced by cloud and the proliferation of the hybrid worker, all of which helped invert the typical data/traffic workflow from an 80/20 split of internal company/external company to a 20/80 paradigm. And with that major shift, the hub-and-spoke router networks of the past must be replaced and/or upgraded to support this transformation.
Most agencies and private companies are on the same journey to modernize their network infrastructure to accommodate the above transformation. As most IT assets and users are now on the Internet rather than on a corporate network, augmenting or replacing traditional MPLS networks with the Internet as a WAN makes sense from a performance and cost perspective. Cloud-based services to accelerate, optimize and protect these infrastructure components make sense from a security and use perspective. This modern approach provides scalable bandwidth, optimized for modern application delivery, with resilience built in, all while reducing complexity and costs.
Today’s network resilience can be delivered as a service, similar to how data centers and applications have been delivered as a service (IaaS and SaaS) for years now. It is possible and often recommended to use the Internet for an agency’s backbone, or at least a component of the backbone. The benefits include built-in resilience and scalability. A cable cut, data center outage, or even a massive DDoS attack will not impact uptime or performance. This is possible because of today’s security architectures, such as zero trust, and encryption technologies. One that’s part of the state’s enterprise architecture, delivers WAN as a service, firewall as a service, DDoS protection, and a SASE framework — helping agencies protect, connect and accelerate their networks without the cost and complexity of running or maintaining any hardware.[1]
CONCLUSION
As government agencies continue to expand their digital services, their IT architecture and cybersecurity strategy must transform to address the modern world. This includes protecting IT infrastructure and the customer-facing online services delivered by web applications and APIs. A secure, consistent online presence remains critical to maintaining public trust and protecting sensitive information. With cyber threats evolving daily, robust security measures are not just a technical requirement but a fundamental obligation to public service.
- Secure your DNS infrastructure now.
- Protect your customer-facing applications and other web assets.
- Modernize network service because your mission depends on it.
At Cloudflare, we’re helping state and local agencies around the country, like the Arizona Department of Homeland Security and the Oklahoma Office of Management and Enterprise Services, enhance their service resilience by efficiently protecting entire networks and their Internet-scale applications and websites. Learn more about how we can help your agency protect, connect and accelerate your mission.