When it comes to our state, city and county governments, cybersecurity is no longer the sole responsibility of the chief information officer (CIO) or in some cases the chief information security officer (CISO). It has become clear there are critical roles the chief executive must play.
The chief executive is in the best position to promote and enforce best practices, ensure adequate resources including necessary staff expertise, training, as well as software and hardware solutions. The chief executive is the one who can promote policies and share critical information amongst senior staff. At the state level it is the Governor who is most likely to interact with key federal agencies.
The National Governors Association (NGA) has begun in earnest to support homeland security as well cybersecurity through their Homeland Security & Public Safety Division. Within this division they have created the Cybersecurity, Technology & Communications program. NGA has an amazing staff working with states and executives as well as other agencies and relevant nonprofits including the National Association of State CIOs and the Public Technology Institute/CompTIA. Among the many objectives one will find:
Cybersecurity (governance, incident response, infrastructure/electrical grid/elections, cybercrime, healthcare, economic development and workforce)
Smarter States, Smarter Communities
Public Safety Communications (FirstNet, NG911, Land Mobile Radio, alerts and warnings)
Public Safety Technologies (AI, Predictive Analytics, Forensic/Biometric Tools)
Information Sharing
For more information including staff contacts and NGA publications in this area go here.
Recognizing the need for high-level attention the National League of Cities (with the active participation of CompTIA) issued an 18-page report titled “Protecting Our Data: What Cities Should Know About Cybersecurity." This publication is specifically designed for public managers and leaders aimed at America’s 19,000 cities and towns and more than 218 million Americans.
Part of the study centered on the results of NLC/PTI Cyber Security Survey. It was designed to explore gaps and weaknesses when it comes to safeguarding data and cyber security generally.
The most alarming result from the survey dispels the myth that cities, towns and villages are safe from attacks by bad actors. The survey found that 44% of local governments report an attack from a cyber incident hourly (26%) or daily (18%. That number rises to 66.7% over the duration of a year. But what is even more alarming is the large number of local governments that do not know how often they are attacked (27.6%), experience an incident (29.7%) or a breach (41%).
Worse still, while 88.8% of local governments know that most incidents come om external actors, nearly one-third (31.9%) do not know if the attacks were from an internal source or an external one. Even though local governments constantly experience incidents, a majority do not catalog or count attacks (53.6%).
The survey also revealed that 25% of city and town respondents claimed they did not have a cyber security plan designed to protect their information systems from attack as well as have a plan to provide steps for recovery in case of attack? Suggesting there is a need to involve more city officials, when asked “How engaged are your elected officials with regards to your cyber security efforts?. Of those surveyed, 54% responded “somewhat engaged” and 29% of staff responded their elected officials are “not engaged”.
Cyber security and protecting our nations digital infrastructure has become an all-hands responsibility. Our state and local government elected leaders and public managers have a vital leadership role to play and perhaps it all starts with a better understanding of the issues, polices, and required resources.
For a copy of the latest NLC Study, go to here.
