Sponsor Content

A Strategic Approach to Website and Infrastructure Security in State and Local Government

In today’s digital-first era, state and local governments are delivering more services online than ever before. Agency websites are no longer static pages — they are constituent-facing platforms that power transactions, manage personal data and connect to complex back-end systems.

As these systems grow in complexity, so do the risks. Cyber threats have evolved beyond simple distributed denial-of-service (DDoS) attacks and now target the entire application ecosystem with sophisticated tools and tactics, many powered by artificial intelligence.

Securing public-sector websites requires more than just firewalls and patching. It calls for a comprehensive, cloud-smart approach that balances performance, accessibility and security without compromise. A new strategic imperative is emerging: build cybersecurity into the architecture of public service websites themselves.

“Your agency’s website is your digital front door,” said Deborah Snyder, a senior fellow at the Center for Digital Government* and the former chief information security officer for the state of New York. “But security can’t stop at the front door.”

A COMPLEX THREAT LANDSCAPE

Government agencies manage a constantly expanding digital footprint. With this expansion comes greater exposure to threats. Attackers exploit a variety of vectors — phishing, credential theft, DDoS and, more recently, AI-driven reconnaissance and content scraping.

“Phishing remains the No. 1 attack that gets through,” said Dan Kent, field chief technology officer for the Americas at Cloudflare. “Even with tools in place, training and vigilance are essential because these attacks are growing more complex.”

Public-facing websites are targeted as points of entry. The threat landscape extends to back-end systems through overlooked attack surfaces such as application programming interfaces, or APIs. “Most agencies are unaware of how many API endpoints they actually have,” Kent noted. “We often discover 30 percent more than they thought existed. That’s a massive expansion of their attack surface.”

These blind spots, coupled with legacy systems and limited visibility, create structural vulnerabilities.

“You can’t protect what you can’t see. Visibility is the starting point for any effective website security strategy,” said Steve Caimi, cyber specialist, U.S. public sector, Cloudflare.

SECURING WEBSITES AT SCALE IN THE CLOUD ERA

Cloud adoption and multicloud environments have become the norm across government. Yet many agencies still rely on siloed, legacy tools that can’t scale to meet current demands.

“The traditional perimeter is gone. Today, 80 percent of traffic flows outside agency walls,” said Kent. “That demands a security model that operates at the edge and across clouds.”

A modern security posture must extend protections closer to the users and threats targeting agency websites. Cloud-native security platforms enable agencies to detect and block attacks in real time — before they ever reach critical infrastructure.

“It’s not just about placing protections near your applications,” Kent said. “It’s about placing them where the threats originate. If an attack comes from overseas, stop it there — don’t let it ride the Internet to your servers.”

This approach not only improves website security, but also boosts resilience, scalability and user experience.

Here are some additional best practices to keep in mind:

Consider Security in Tandem With User Experience.

Historically, agencies have viewed security and usability as competing priorities. That’s no longer the case.

“Modern tools have evolved to reduce friction while improving security,” Caimi explained. “Technologies like passkeys, intelligent multifactor authentication and bot detection make it easier for users to access services without compromising defenses.”

Kent points to the importance of integrating security early in website development: “The shift-left approach means embedding security in the application life cycle — not bolting it on later,” he said. “It’s about building with security in mind from day one.”

This proactive stance is essential as more governments adopt centralized digital service portals. Standardizing website security across services not only protects constituent data, but also improves public trust and service delivery.

Lean in to AI.

Artificial intelligence presents a dual cyber challenge. Adversaries use AI to scale attacks, craft realistic phishing messages and exploit vulnerabilities faster. But defenders can also harness AI to detect threats earlier and respond more efficiently.

“We’ve been using machine learning for years to detect anomalies and identify threats,” Kent said. “Now, generative AI lets us automate even more — from summarizing incidents to configuring policies and accelerating response.”

AI also enhances public-facing websites. “We’re starting to see AI-powered assistants that help constituents find services or complete applications,” Caimi noted. “That has enormous potential to improve access and equity.”

Strategic AI adoption means securing website data inputs, monitoring usage and training staff on appropriate applications. “Every agency needs a data governance strategy that keeps pace with its use of AI,” Kent said.

Don't Neglect the Fundamentals.

In the rush to modernize websites, agencies must not neglect foundational cyber hygiene. Asset inventories, patch management, protective DNS and vulnerability scanning remain critical.

“Before you automate or implement AI, make sure your basic defenses are solid,” Kent emphasized. “It’s like DDoS — we see thousands of attacks every day, but few succeed because we’ve built strong foundational protections.”

Caimi agreed: “Frameworks like the Zero Trust Maturity Model provide a road map. Start with identity, data and device visibility, then layer in automation and analytics.”

A CALL TO STRATEGIC LEADERSHIP

Website and infrastructure security is no longer a back-office IT concern. It is a mission-critical function that underpins trust, resilience and service delivery.

“This is the moment to step back and assess your architecture,” Kent said. “If you had to build it from scratch today, would it support the agility, scalability and protection you need for the next 15 years?”

For government leaders, the answer lies in proactive investment, collaborative strategy and a commitment to secure, constituent-centered digital experiences.

The threats are evolving, but so are the tools to fight them. With the right architecture, partnerships and mindset, agencies can secure their websites, protect their infrastructure and deliver services with confidence in a rapidly shifting digital landscape.

*Note: The Center for Digital Government is part of e.Republic, Government Technology's parent company.

This piece was written and produced by the Government Technology Content Studio, with information and input from Cloudflare. AI was used to prepare portions of this article.
