With greater access to, and use and sharing of, data comes greater risks of cyber security incidents. Mattia Caldarulo, Jared Olsen and Mary K. Feeney write that recent high-profile hacking and data loss incidents in US city governments illustrate the importance of data security in an age of increased data sharing. In new research, they find that cities who shared data more often were more likely to experience malicious cyber-incidents, and that cities with set data sharing routines were less likely to experience such incidents. 

The rapid digitalization of government services, widespread adoption of new information technologies, and growing availability of big data have transformed cities into nodes of national information technology (IT) networks and repositories of sensitive data.

This new role for cities in the digital age presents both opportunities and risks for local governments. Data enables cities to better serve their communities. Thanks to data sharing – the transfer of data from one organization to another – local governments can foster transparency and trust, secure public safety, facilitate services integration, increase efficiency, and engage citizens. Hence, many US cities host data repositories and regularly exchange both sensitive and non-sensitive data.

Local governments are increasingly vulnerable to malicious and accidental cyber-incidents, events that threaten the confidentiality, integrity, or availability of digital information and systems. For instance, in 2019, a group of hackers infiltrated the information systems of over 20 cities in Texas and encrypted their data, halting public services. In 2021, an employee mistakenly deleted eight million data files containing evidence collected by the Dallas Police Department, partially disrupting the local legal system. In new research, we examine the relationship between data sharing and data security, examining how data sharing processes influence the likelihood of cities experiencing cyber-incidents.

We test whether the frequency of data exchanges, the type of the data shared, and the mechanisms used for sharing data are related to the likelihood of experiencing both malicious cyber-incidents (e.g. ransomware attacks) and accidental cyber-incidents (e.g. unintended data leaks). We examine data from two national surveys from 2016 and 2018 to a representative sample of 500 US cities with populations ranging from 25,000 to 250,000. We also analyzed responses from managers in 202 cities.

Data sharing practices among local governments 

Our 2016 survey of local governments found that US cities vary in how often and how they exchange different types of data. Differences exist in how often they share data, the type of data shared, and how they share data.

Figure 1 shows how often city departments receive data on average and from non-governmental organizations, city agencies, and other government organizations. Around 84 percent of respondents receive data from other departments on at least a weekly basis. Two-thirds (66 percent) receive data from other governmental organizations at least once a week and more than half (58 percent) receive data from non-governmental organizations weekly or more often.

Figure 1 – How often local managers receive data from different actors, 2016

Cities also differ in the types of data they share and how they share them. Local governments can exchange sensitive and non-sensitive data. Sensitive data can uniquely identify an individual. Examples of sensitive data include names, social security numbers, tax numbers, and addresses. More than a third of cities (38 percent) report that they need to access sensitive data to do their jobs.

Cities can share data either by following established routines or on an ad hoc basis. Routines involve having specific processes for sharing data, like using special software or following policies or rules. Our survey shows that a large majority of local government managers (70 percent) receive data through established sharing routines.

Photo by Scott Rodgerson on Unsplash

Findings from the 2016 survey show that data sharing in US cities is a multi-faceted phenomenon. We investigate how variation in different data sharing elements is related to cyber-vulnerabilities.

Exposure to cyber-incidents 

Cyber-incidents are becoming more frequent and severe. In 2018, we asked public managers if they had experienced malicious cyber-incidents (i.e., ransom demands) and accidental cyber-incidents (i.e., unintended disclosure of information) in the previous 12 months. About nine percent of respondents experienced unintended disclosure of information and six percent reported having experienced ransom demands.

How are data sharing processes related to the likelihood that city departments will experience cyber-incidents? 

Sensitive data: We find that the probability of experiencing unintended data disclosure is six percent higher when agencies exchange sensitive data. However, sharing sensitive data is not significantly associated with an increase in the likelihood of experiencing ransom demands. This may stem from the fact that ransom perpetrators primarily seek monetary gain and aim to disrupt an organization’s overall information system rather than target specific datasets.

Data sharing frequency: We find that the probability of experiencing ransom demands is positively associated with how often a local government shares data. An increase in the frequency of data receipt is linked with an increase in the probability of experiencing ransom demands by nine percent. The explanation for this relationship stems from the nature of the cyber-incident. Since ransom demands are usually caused by external offenders trying to access and hijack the information system, frequently receiving data increases the number of opportunities an offender has to access an IT system.

Data sharing routines: Having established routines to share data is associated with a reduction in the probability of experiencing ransom demands by 7.7 percent. Sharing data through routine mechanisms simplifies the exchange process and enables governments to monitor and promptly detect anomalous access to their IT systems.

What can local governments do? 

As local governments increasingly share data to enhance public service delivery, they confront the challenge of balancing the benefits of transparency and collaboration with the potential for security threats. We find that sharing sensitive data, receiving data often, and using routine practices, are related to the probability that local governments will experience cyber-incidents, both malicious and accidental.

Our findings highlight the necessity for tailored solutions to address the specific types of cyber-incidents cities encounter. Frequent sharing of sensitive data requires routine practices and protections, underscoring the importance of implementing organizational processes designed to streamline data sharing practices. Public managers engaged in data sharing should establish data-sharing routines and protect sensitive data to ensure their information systems do not become vulnerable to malicious attacks or unintended data leaks.

• This article is based on the paper, ‘Oversharing: The downside of data sharing in local government’, in Public Administration. 
• Please read our comments policy before commenting. 
• Note: This article gives the views of the author, and not the position of USAPP – American Politics and Policy, nor the London School of Economics. 
• Shortened URL for this post: https://wp.me/p3I2YF-dWS