Hackers are targeting US local governments — and it’s time to fight back
Everything from power plants to libraries are at risk
In the crosshairs
Local governments have sufferedsuccessful cyberattacksin recent years. These include attacks on targets ranging from911 call centerstopublic school systems. The consequences of a successful cyberattack against local government can bedevastating.
I and other researchers at University of Maryland, Baltimore County have studied the cybersecurity preparedness of the United States’over 90,000 local government entities. As part of our analysis, working with theInternational City/County Management Association, we polled local government chief security officers about their cybersecurity preparedness. Theresultsare both expected and alarming.
Among other things, the survey revealed that nearly one-third of U.S. local governmentswould be unable to tellif they were under attack in cyberspace. This is unsettling; nearly one-third of local governments that did know whether they were under attack reported being attacked hourly, and nearly half at least daily.
Ill-equipped
Lack of sound IT practices, let alone effective cybersecurity measures, can make successful cyberattacks even more debilitating. Almost half of U.S. local governments reported that their IT policies and procedures were not in line with industry best practices.
In many ways, local governments areno differentfrom private companies in terms of the cybersecurity threats, vulnerabilities and management problems they face. In addition to those shared cybersecurity challenges, where local governments particularly struggle is in hiring and retaining the necessary numbers of qualified IT and cybersecurity staff with wages and workplace cultures that can compare with those of the private sector or federal government.
Additionally, unlike private companies, local governments by their nature are limited by the need to comply with state policies, the political considerations of elected officials and the usual perils of government bureaucracy such as balancing public safety with the community’s needs and corporate interests. Challenges like these can hamper effective preparation for, and responses to, cybersecurity problems – especially when it comes to funding. In addition, much of the technology local communities rely on, such as power and water distribution, are subject to the dictates of the private sector, which has its own set of sometimes competing interests.
[Get The Conversation’s most important coronavirus headlines, weekly in a science newsletter]
Large local governments are better positioned to address cybersecurity concerns than smaller local governments. Unfortunately, like other soft targets in cyberspace, small local governments are much more constrained. This places them at greater risk of successful cyberattacks, including attacks thatotherwise might have been prevented. But the necessary, best-practice cybersecurity improvements that smaller cities and towns need often compete with the many other demands on a local community’s limited funds and staff attention.
Getting the basics right
Whether they are victimized by a war on the other side of the world, a hacktivist group promoting itsmessageor a criminal group trying to extort payment, local governments in the U.S. are enticing targets. Artificial intelligence hacking tools and vulnerabilities introduced by the spread of smart devices and the growing interest in creating “smart cities” put local governments even more at risk.
There’s no quick or foolproof fix to eliminate all cybersecurity problems, but one of the most important steps local governments can take is clear: Implement basic cybersecurity. Emulating the National Institute of Standards and Technology’snational cybersecurity frameworkor other industry accepted best practices is a good start.
I believe government officials, especially at the local level, should develop and apply the necessary resources and innovative technologies and practices to manage their cybersecurity risks effectively. Otherwise, they should be prepared to face the technical, financial and political consequences of failing to do so.
This article byRichard Forno, Principal Lecturer in Computer Science and Electrical Engineering,University of Maryland, Baltimore County, is republished fromThe Conversationunder a Creative Commons license. Read theoriginal article.
Story byThe Conversation
An independent news and commentary website produced by academics and journalists.An independent news and commentary website produced by academics and journalists.
Get the TNW newsletter
Get the most important tech news in your inbox each week.
