Cybersecurity Challenges to American State and Local Governments

In this paper, we examine cybersecurity challenges to American state and local governments. In particular, we address the extent and magnitude of cyberattacks against these governments, the problems these governments face in preventing attacks from being successful, the barriers internal to their organizations that make cybersecurity difficult to achieve, and actions that they believe should be taken to improve cybersecurity practice. Our research method consisted of a focus group of information technology (IT) and cybersecurity (CS) officials from one American state. Among other things we found that cyberattacks, mostly in the form of malicious emails, are constant, 24/7/365, and can number in the tens of thousands per day (at least among state government and larger local governments). The participants in our focus group noted that while they weren't perfect at it, they felt that for the most part they had the technical side of cybersecurity under good control. These governments’ biggest cyber challenge is human error; that is, end users who (mostly by mistake and without malice) open an attachment or click on a link in a phishing email that then allows an attacker into the government’s IT system. We also found that the probability of a successful phishing cyberattack is relatively high. These governments face several barriers when attempting to prevent cyberattacks and when endeavoring to mitigate successful ones, including: insufficient funding and staffing; problems of governance (namely, lack of control over all actors within a governmental unit due mainly to the federated nature of government); and insufficient or under-enforced cybersecurity policies. Our participants also noted that there are several common sense ways that state and local governments can improve cybersecurity. Among others, these include: frequent vulnerability assessment, continual scanning and testing, securing cybersecurity insurance, improving end user authentication and authorization, end user training and control, control over the use of external devices (flash drives, etc.), improved governance methods, sharing information about cyberattacks and cybersecurity policies and practices among governments, and, finally, creating a culture for cybersecurity in governmental organizations. Areas for further research into state and local government cybersecurity include: the types of cyberattacks that state and local governments typically face; the types of actions that these governments should take to prevent the attacks from being successful and to mitigate the results of successful attacks; gaps between these governments’ need to prevent and mitigate cyberattacks and their ability to do so, including barriers to effective state and local government cybersecurity and best cybersecurity practices; and recommendations for improving state and local government cybersecurity.