LSE - Small Logo
LSE - Small Logo

William Hatcher

Donald F. Norris

Laura Mateczun

Wesley L. Meares

John Heslen

December 20th, 2023

Surveys show US local governments must do more to address their cyber insecurity.

0 comments | 1 shares

Estimated reading time: 8 minutes

William Hatcher

Donald F. Norris

Laura Mateczun

Wesley L. Meares

John Heslen

December 20th, 2023

Surveys show US local governments must do more to address their cyber insecurity.

0 comments | 1 shares

Estimated reading time: 8 minutes

Cyberattacks on organizations and institutions have unfortunately become commonplace, and the 90,000 local governments in the US are often targets for these incidents. Taking data from local government surveys, William Hatcher, Donald F. Norris, Laura Mateczun, Wesley L. Meares, and John Heslen assess the current state of cybersecurity in state and local government, finding that these organizations are in fact practicing cyber insecurity. Considering these findings, they make a number of recommendations, including better funding for cybersecurity measures in local government budgets, and improved staff training and management practices.

During the summer of 2023, New York City’s school system was hit by two successful cyberattacks that left the data of over 45,000 students and their families vulnerable. In response, the NYC Department of Education centralized management of school websites, email systems, and other information technologies. This is one of the hundreds or thousands of examples of cyber-attacks on the public sector. It is telling, though, that the largest city in the US, even with its significant resources, struggles to ensure cybersecurity.

Surveying local government cybersecurity policies

In the US, local governments (e.g., cities, counties, towns, and townships) provide most of the public services that residents rely upon daily. Today, these public services depend on the use of information technology (IT) by local governments. As public administration researchers, we have surveyed local governments in the US about their cybersecurity policies and practices. The results of these surveys provide a clear picture that local governments struggle to secure their informational technology and data, leading us to describe their cybersecurity efforts as cyber insecurity.

This vital public problem can be addressed by increasing spending for cybersecurity, ensuring adequate staffing and training, and promoting effective management practices for cybersecurity practice.

Solution 1: Local governments need a line item in their IT budgets dedicated solely to cybersecurity, which is significant enough to provide effective protection.

Most local governments in the US fail to provide adequate funding for effective cybersecurity. Most states only spend three percent of their budgets on cybersecurity, with many spending less, while many private companies spend five to eight percent of their budgets on cybersecurity. By not funding the needed cybersecurity budgets, local governments have difficulties hiring sufficiently trained staff, purchasing the latest software and hardware to protect data, and conducting audits of current security practices to improve them.

Solution 2: Local governments need to hire appropriate cybersecurity staff. 

Our research found that many local governments lack cybersecurity or IT staff with the needed expertise to be effective. Moreover, organizational leaders often lack the needed cyber awareness. For instance, our surveys have found that many department managers and elected officials do not adequately acknowledge the importance of cybersecurity. Additionally, 41 percent of surveyed cities in 2018 reported not providing cybersecurity training regularly. Appropriate staff need to be hired, but they also need to be adequately trained.

Photo by Sigmund on Unsplash 

Solution 3: Local governments must train all employees to practice cybersecurity awareness. 

In November 2023, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned of the efficacy of Rhysida ransomware attacks, which, along with other ransomware attacks, successfully targeted multiple public sector organizations the previous spring. Often, these attacks are successful because staff do not practice adequate cybersecurity hygiene. It is vital that not just staff but all personnel, especially top managers and elected officials, practice cyber awareness.

Sufficiently funded and effective training is the solution. Such training includes effective biannual cyber hygiene guidance in organizations. Still, staff also need to attend cybersecurity instruction offered by professional associations, read materials broadly produced by these organizations, and complete coursework on cybersecurity in the public sector. Successful cyberattacks are costly for governments, and there needs to be accountability for staff who do not follow effective training. 

Solution 4: Local governments must implement evidence-based cybersecurity policies and on-the-ground management practices to fight against insecurity. 

In a 2018 survey, we found that most US cities (71 percent of those surveyed) reported having a formal cybersecurity policy. However, our combined research has shown that although local governments have policies on the books, they are likely failing at implementing them, as respondents indicated they were not highly effective. They are not following evidence-based managerial practices for cybersecurity or practicing the fundamentals of cybersecurity. This was most likely the case in the 2018 ransomware attack that affected the city of Atlanta for more than a week, and cost the city around $17 million. The city failed to implement solid cybersecurity management practices, which allowed cybercriminals to hold vital public data and technology hostage.

Many local governments are failing in the essential practices of cybersecurity. For instance, our research has found that around a third of surveyed governments reported not having a process to record known cyber-attacks. As noted, many cities do not provide regular cybersecurity training to their employees, which is a foundational evidence-based management practice.

To address these failures of implementation and management, local governments need to update their overall cybersecurity policies and hold employees accountable for not following them.

Policies to strengthen cybersecurity.

Local governments need to put in place the following:

  • Acceptable Use Policy (AUP), sometimes known as a Policy for Responsible Computing – broadly, this policy describes activities that are permitted and prohibited on the local government’s IT system;
  • Information Security Policy – describes how information is created, exchanged, stored, protected and handled on the local government’s IT system;
  • Privacy Policy (which may be a stand-alone policy or part of the Information Security Policy) – describes the types of information collected, used, stored and shared by the local government and security protocols in place to protect the information;
  • Identity and Access Management Policy (IAM) – establishes who has access to what information and other resources on the local government’s IT system and how they may access and use that information;
  • Incident Handling Policy (IHP) – local governments must be prepared for inevitable cyberattacks and breaches and this policy describes how the local government will respond when they occur; and
  • Disaster Recovery/Business Continuity Policy (DR/BCP) – describes how the local government “…will respond to emergencies that disrupt governmental operations, including cyberattacks as well as natural disasters, terrorist attacks and other [adverse cyber events]…”

Many of the day-to-day features of modern society require local governments to have functioning IT technologies. But with over 90,000 local governments in the US, there are plenty of opportunities for cybercriminals to steal public data and wreak havoc on public services. And as history shows, criminals do not hesitate to take advantage of this environment of insecurity. When these systems are hacked, the public good is adversely affected, and our trust in government is harmed, leading to less effective government and the questioning of our political systems. The sophistication of attacks will only improve, so it is imperative for local governments must prioritize their resources, actions, and decisions so that they are able to ensure the highest levels of cybersecurity possible not only for their IT systems but for all public services.


About the author

William Hatcher

Dr. William Hatcher is a professor of political science and public administration and chair of the Department of Social Sciences at Augusta University. He currently serves as the co-editor-in-chief of the Journal of Public Affairs Education. He also serves as the co-editor of the Routledge series on Public Affairs Education. He received both a B.S. in political science (2003) and an MPA (2004) from Georgia College and State University and a Ph.D. in public policy and administration from Mississippi State University (2010). Dr. Hatcher has served as a public planner and as chair of the Board of Adjustment in Richmond, Kentucky. His research has appeared in journals such as the Public Administration Review, American Journal of Public Health, and American Review of Public Administration. He is the author of The Curious Public Administrator (Routledge, 2023).

Donald F. Norris

Donald F. Norris, PhD, is Professor Emeritus of Public Policy at the University of Maryland, Baltimore County Policy. His fields of study include: (1) public management where he specializes in information technology in government, including e-government and cybersecurity; and 2) urban affairs broadly but with specific attention to metropolitan governance. Dr. Norris has published eight books (his most recent, co-authored by Laura Mateczun and Richard Forno, is entitled Cybersecurity and Local Government, 39 articles in refereed journals (with two in process), 25 chapters in books and 14 papers in refereed conference proceedings. Dr. Norris received a B.S. in history from the University of Memphis and an M.A. and a Ph. D. in political science from University of Virginia. He can be reached at norris@umbc.edu. As a retiree, he spends most of the year in Naples, FL, where he volunteers as a boat captain for the Conservancy of Southwest Florida!

Laura Mateczun

Laura Mateczun, JD, MPS, Ph.D. student is a research assistant for the University of Maryland, Baltimore County Division of IT where she leads implementation of the Maryland Public Higher Education Privacy Law and other IT security standards. She is writing her dissertation on local government cybersecurity at UMBC's School of Public Policy in public management, and recently published Cybersecurity and Local Government (2022) with co-authors Donald Norris and Richard Forno. In addition to her JD, she has also received a master's in cybersecurity.

Wesley L. Meares

Wesley L. Meares is an Associate Professor of Public Administration in the Department of Social Sciences at Augusta University, where he serves as the graduate program director for the Master of Public Administration program. His research interests include housing policy, community development, sustainability, and local government cybersecurity. Dr. Meares research has appeared in journals such as Cities, Public Administration Review, Public Administration Quarterly, Local Environment, Journal of Urban Affairs, Housing Studies, Journal of Public Affairs Education and Journal of Urbanism. He received his B.A. in Political Science from Lagrange College, a Master of Public Administration from Western Kentucky University, and a Ph.D. in Urban and Public Affairs from the University of Louisville.

John Heslen

John Heslen, Ph.D., is an Assistant Professor of political science at Augusta University with joint appointments in AU’s School of Computer and Cyber Sciences as well as Pamplin School of Arts, Humanities and Social Sciences.. Before coming to Augusta University, Dr. Heslen served as an intelligence officer with both the Defense Intelligence Agency and the United States Air Force, specializing in combatting terrorism, counterintelligence, and strategic cyber intelligence.

Posted In: Urban, rural and regional policies

Leave a Reply

Your email address will not be published. Required fields are marked *

LSE Review of Books Visit our sister blog: British Politics and Policy at LSE

RSS Latest LSE Events podcasts