Cyberattacks on organizations and institutions have unfortunately become commonplace, and the 90,000 local governments in the US are often targets for these incidents. Taking data from local government surveys, William Hatcher, Donald F. Norris, Laura Mateczun, Wesley L. Meares, and John Heslen assess the current state of cybersecurity in state and local government, finding that these organizations are in fact practicing cyber insecurity. Considering these findings, they make a number of recommendations, including better funding for cybersecurity measures in local government budgets, and improved staff training and management practices.

During the summer of 2023, New York City’s school system was hit by two successful cyberattacks that left the data of over 45,000 students and their families vulnerable. In response, the NYC Department of Education centralized management of school websites, email systems, and other information technologies. This is one of the hundreds or thousands of examples of cyber-attacks on the public sector. It is telling, though, that the largest city in the US, even with its significant resources, struggles to ensure cybersecurity.

Surveying local government cybersecurity policies

In the US, local governments (e.g., cities, counties, towns, and townships) provide most of the public services that residents rely upon daily. Today, these public services depend on the use of information technology (IT) by local governments. As public administration researchers, we have surveyed local governments in the US about their cybersecurity policies and practices. The results of these surveys provide a clear picture that local governments struggle to secure their informational technology and data, leading us to describe their cybersecurity efforts as cyber insecurity.

This vital public problem can be addressed by increasing spending for cybersecurity, ensuring adequate staffing and training, and promoting effective management practices for cybersecurity practice.

Solution 1: Local governments need a line item in their IT budgets dedicated solely to cybersecurity, which is significant enough to provide effective protection.

Most local governments in the US fail to provide adequate funding for effective cybersecurity. Most states only spend three percent of their budgets on cybersecurity, with many spending less, while many private companies spend five to eight percent of their budgets on cybersecurity. By not funding the needed cybersecurity budgets, local governments have difficulties hiring sufficiently trained staff, purchasing the latest software and hardware to protect data, and conducting audits of current security practices to improve them.

Solution 2: Local governments need to hire appropriate cybersecurity staff. 

Our research found that many local governments lack cybersecurity or IT staff with the needed expertise to be effective. Moreover, organizational leaders often lack the needed cyber awareness. For instance, our surveys have found that many department managers and elected officials do not adequately acknowledge the importance of cybersecurity. Additionally, 41 percent of surveyed cities in 2018 reported not providing cybersecurity training regularly. Appropriate staff need to be hired, but they also need to be adequately trained.

Photo by Sigmund on Unsplash 

Solution 3: Local governments must train all employees to practice cybersecurity awareness. 

In November 2023, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned of the efficacy of Rhysida ransomware attacks, which, along with other ransomware attacks, successfully targeted multiple public sector organizations the previous spring. Often, these attacks are successful because staff do not practice adequate cybersecurity hygiene. It is vital that not just staff but all personnel, especially top managers and elected officials, practice cyber awareness.

Sufficiently funded and effective training is the solution. Such training includes effective biannual cyber hygiene guidance in organizations. Still, staff also need to attend cybersecurity instruction offered by professional associations, read materials broadly produced by these organizations, and complete coursework on cybersecurity in the public sector. Successful cyberattacks are costly for governments, and there needs to be accountability for staff who do not follow effective training. 

Solution 4: Local governments must implement evidence-based cybersecurity policies and on-the-ground management practices to fight against insecurity. 

In a 2018 survey, we found that most US cities (71 percent of those surveyed) reported having a formal cybersecurity policy. However, our combined research has shown that although local governments have policies on the books, they are likely failing at implementing them, as respondents indicated they were not highly effective. They are not following evidence-based managerial practices for cybersecurity or practicing the fundamentals of cybersecurity. This was most likely the case in the 2018 ransomware attack that affected the city of Atlanta for more than a week, and cost the city around $17 million. The city failed to implement solid cybersecurity management practices, which allowed cybercriminals to hold vital public data and technology hostage.

Many local governments are failing in the essential practices of cybersecurity. For instance, our research has found that around a third of surveyed governments reported not having a process to record known cyber-attacks. As noted, many cities do not provide regular cybersecurity training to their employees, which is a foundational evidence-based management practice.

To address these failures of implementation and management, local governments need to update their overall cybersecurity policies and hold employees accountable for not following them.

Policies to strengthen cybersecurity.

Local governments need to put in place the following:

• Acceptable Use Policy (AUP), sometimes known as a Policy for Responsible Computing – broadly, this policy describes activities that are permitted and prohibited on the local government’s IT system;
• Information Security Policy – describes how information is created, exchanged, stored, protected and handled on the local government’s IT system;
• Privacy Policy (which may be a stand-alone policy or part of the Information Security Policy) – describes the types of information collected, used, stored and shared by the local government and security protocols in place to protect the information;
• Identity and Access Management Policy (IAM) – establishes who has access to what information and other resources on the local government’s IT system and how they may access and use that information;
• Incident Handling Policy (IHP) – local governments must be prepared for inevitable cyberattacks and breaches and this policy describes how the local government will respond when they occur; and
• Disaster Recovery/Business Continuity Policy (DR/BCP) – describes how the local government “…will respond to emergencies that disrupt governmental operations, including cyberattacks as well as natural disasters, terrorist attacks and other [adverse cyber events]…”

Many of the day-to-day features of modern society require local governments to have functioning IT technologies. But with over 90,000 local governments in the US, there are plenty of opportunities for cybercriminals to steal public data and wreak havoc on public services. And as history shows, criminals do not hesitate to take advantage of this environment of insecurity. When these systems are hacked, the public good is adversely affected, and our trust in government is harmed, leading to less effective government and the questioning of our political systems. The sophistication of attacks will only improve, so it is imperative for local governments must prioritize their resources, actions, and decisions so that they are able to ensure the highest levels of cybersecurity possible not only for their IT systems but for all public services.

• This article is based on the paper, ‘Local government cyber insecurity: Causes and recommendations for improvement’, in Public Administration Review.
• Please read our comments policy before commenting. 
• Note: This article gives the views of the author, and not the position of USAPP – American Politics and Policy, nor the London School of Economics. 
• Shortened URL for this post: https://bit.ly/41tTFkC