Baltimore's example is but one in a seemingly never-ending series of successful hacks of America's local governments, and it won't be the last. We know because we are members of a team of researchers at the University of Maryland, Baltimore County that conducted the first ever nationwide survey of local government cybersecurity.
One of the key findings of our research is that local governments are under constant cyberattack. A sizable fraction of them do not even know if they are under attack or whether they have been breached, and most are unprepared (often woefully) for the cybersecurity challenges they face. Our research found that one of the top barriers to effective local government cybersecurity is the lack of cybersecurity awareness and support from top elected and appointed local officials. If the very people in charge of local governments do not understand the need for cybersecurity and fully support it, it is more likely than not that they will experience serious cybersecurity problems. After experiencing a ransomware attack in 2018, the mayor of Atlanta admitted that cybersecurity had not been a priority. It soon became one!
Additional barriers that our research revealed include: lack of adequate funding for cybersecurity, insufficient staff, outdated technology that is not properly maintained and updated, lack of cybersecurity training for local governmental staff and officials and lack of or poor enforcement of cybersecurity policies.
What should local governments do to improve their cybersecurity? First, top officials must make cybersecurity a priority. Cybersecurity must be properly organized and managed — something our research found is too often not the case. These officials must provide the funding needed for such things as cybersecurity personnel, technology, policy and training. High-quality cybersecurity personnel are difficult for local governments to recruit and retain. This is especially true in the Washington-Baltimore region, where local governments compete not only with private industry but also with various federal agencies that are deeply involved in cybersecurity. But this is no excuse for not trying.
Local officials must insist on creating and maintaining a culture of cybersecurity within their governments. Among other things, this means promoting cybersecurity awareness and training for all employees as well as holding employees, including the top officials themselves, accountable for their cybersecurity decisions and actions. To make cybersecurity an organizational value, everyone must understand its importance to the protection of citizen data and the provision of public services.
Local governments should consider purchasing cybersecurity insurance, which can help address existing cybervulnerabilities and reduce recovery costs in the event of a breach. Slightly less than half of the local governments in our survey had purchased cyberinsurance, but the trend seems to be on the increase. No wonder: Cybersecurity insurance pays off. In June, Lake City, Fla., experienced a ransomware attack that took down its computer systems, email, phones and more. The hackers demanded a $470,000 ransom to release the systems. Lake City officials agreed, but only had to pay $10,000 out of its budget, the cyberinsurance deductible, while the insurance carrier negotiated and paid the rest.
It is essential that local governments make cybersecurity a real priority, but doing so will not be cheap or easy. Yet, as many local governments have learned the hard way, failure to do so can be far more damaging and expensive, the embarrassment factor aside. Local governments must act now and act continuously to protect their information assets at the highest levels of security. As they say in the industry, "it's not whether you will be breached, but when." Local governments that are fully committed to cybersecurity have a much better chance of preventing breaches and of recovering from them more easily and at less cost than those that are not.
———
ABOUT THE WRITERS
Donald F. Norris (norris@umbc.edu) is professor emeritus of public policy at the University of Maryland, Baltimore County, where he leads a research team on the subject of local government cybersecurity. Laura Mateczun is a Ph.D. student in public policy at UMBC and is writing her doctoral dissertation on this subject.
©2019 The Baltimore Sun. Distributed by Tribune Content Agency, LLC.
