5
Cyberattacks: Targeting Local Government1
5.1 Introduction
This chapter discusses the nature of cyberattacks that local governments contend with on an almost daily basis. It uses data from several sources, including from the first-ever nationwide survey of cybersecurity among American’s grassroots or local governments to address cyberattacks against these governments (Norris et al., 2019). Included also are data from a more recent survey conducted by Hatcher et al. in 2018, a survey of a small group of CISOs of mainly large cities by one of the authors in 2020 (Norris, 2021), and findings from the professional literature where relevant.
Governments of all types and sizes, and increasingly local governments, are under constant or nearly constant attack (e.g., Norris et al., 2018, 2019). This should not be surprising because, among other things, more than half of the cyberattacks against organizations in the United States are against small- and medium-size businesses. Additionally, like such businesses, local governments often lack the funds and skills to combat such attacks.
This chapter begins by briefly discussing the methodology employed to conduct the 2016 survey from which the data in the chapter are derived. Then it examines the data from that survey concerning attacks and attackers against local government information assets, local government cybersecurity preparedness, and the barriers to achieving high levels of cybersecurity in them. The chapter then concludes by providing some recommendations to local governments for improving their levels of cybersecurity and makes suggestions for future research into local government cybersecurity. Appendix 5.1, which discusses in detail the methodology behind the 2020 survey, follows.
To conduct the 2016 survey, the authors partnered with the International City/County Management Association (ICMA), and in the summer of 2016 ICMA mailed the survey to all municipal governments with populations of 25,000 and greater and to all county governments of the same size (a total of 3423 local governments). The survey produced a response rate of 11.9 percent (n = 406 local governments). The survey results are reasonably representative of the overall population of the local governments that we surveyed, although larger local governments are proportionately overrepresented, smaller local governments are numerically overrepresented.
For the 2020 survey, which was conducted under a research fellowship from ICMA, the author revised the 2016 survey instrument and administered it by email as part of a combined convenience and expert sample to member CISOs of the Coalition of City CISOs (https://cityciso.org) and a few non-member local governments. The survey received a response rate of 50 percent. (For a more detailed discussion of the research methodology behind both surveys, see Appendix 5.1.)
5.2 Cyberattacks on Local Governments
This section begins by examining the exposure of American local governments to cyberattacks. To do so, it was necessary to ensure that all respondents (in both the 2016 and 2020 surveys) had a common understanding of three important terms used in the survey – attack, incident, and breach. Therefore, the survey instruments provided definitions of those terms. Attack was defined as: any attempt by any party to gain unauthorized access to any component of your local government’s information technology system for the purpose of causing mischief or doing harm. Then, the survey instrument provided definitions of incident and breach found in the industry-accepted annual Verizon Data Breach Investigations Report (2015). The definition of incident provided was: “Any event that compromises the confidentiality, integrity or availability of an information asset”; and of breach was: “An incident that resulted in confirmed disclosure (not just exposure) to an unauthorized party.”
5.2.1 Attacks, Incidents, and Breaches
With these definitions in mind, the survey asked if local governments catalogued or counted attacks, incidents, and breaches. Fewer than half (47 percent) said that they catalogued or counted attacks; followed by 58 percent that catalogued or counted incidents; and 60 percent that did so for breaches (Table 5.1). In terms of the method of cataloguing or counting, only 33 percent of local governments employed a formal system, while 41 percent used an informal system and 38 percent used no system at all (Table 5.2).
Table 5.1 Does your local government catalogue and count attacks, incidents, and breaches?
| Yes | No | Total | |||
|---|---|---|---|---|---|
| N | % | N | % | ||
| Attacks | 173 | 46.5 | 199 | 53.5 | 372 |
| Incidents | 217 | 58.3 | 155 | 41.7 | 372 |
| Breaches | 221 | 60.1 | 147 | 40.0 | 368 |
Table 5.2 Does your local government employ a formal or informal method of cybersecurity management?
| N | % | |
|---|---|---|
| Formal | 80 | 33.1 |
| Informal | 161 | 66.9 |
| Total | 241 | 100.0 |
Next, the survey inquired about the frequency of attacks, incidents, and breaches (Table 5.3). Attacks occurred the most frequently: hourly or more – 28 percent; at least daily – 19 percent; less than daily – 24 percent. However, 29 percent said that they did not know how frequently their system was attacked. Earlier research found that local governments are under constant or near constant attack (Norris et al., 2018). It is possible, even likely that the 24 percent who responded that attacks occurred less than daily were not well informed of the frequency of attacks against their systems.
Table 5.3 How frequently is your local government’s information system subject to attacks, incidents, and breaches (in %s)?
| Attacks | Incidents | Breaches | |
|---|---|---|---|
| Hourly or more | 27.7 | 4.8 | 4.3 |
| At least once a day | 19.4 | 7.7 | 3.4 |
| Less than daily | 23.8 | 53.1 | 29.9 |
| Don’t know | 29.1 | 34.4 | 62.4 |
| Total | 100.0 | 100.0 | 100.0 |
Findings from the 2020 survey suggest that attacks have become more frequent. More than half of the local governments reported that attacks were constant: 29 percent said hourly, and 14 percent said daily. None responded that they did not know how frequently they were being attacked.
As expected, the local governments in the 2016 survey reported that incidents occurred less frequently than attacks, and breaches occurred less frequently than incidents. Just over one-third of responding local governments did not know how frequently incidents occurred, and nearly two-thirds did not know how often their systems were breached. These data suggest that in 2016, at least, sizeable numbers of local government were guilty of cybersecurity malpractice. Not knowing if a government’s IT system has experienced an incident or breach is fundamental to proper cybersecurity.
All but one of the governments in the 2020 survey reported that they had experienced incidents. Only 7 percent said no incidents; 21 percent had experienced one incident; 14 percent – two incidents; 29 percent – four; and 21 percent more than five. Regarding breaches, half reported no breaches; 29 percent reported one breach; 7 percent reported having been breached twice; and 7 percent said more than three times.
The data, especially the “did not knows,” in the 2016 survey strongly suggest that at least some local governments were not practicing cybersecurity well. The situation improved in the 2020 survey, although the number of governments in that survey reporting multiple breaches in the past year is troublesome. The 2016 data also suggest that, despite providing a definition of the term breach in the instrument, some respondents apparently did not understand what constituted breach because nearly 8 percent said that their governments were breached at least daily.
When asked whether the frequency of attacks, incidents, and breaches had changed over the 12 months prior to the survey (Table 5.4), one-third of local governments reported that attacks remained about the same, four in ten said the same about incidents as did nearly half about breaches. Much smaller percentages said they had experienced fewer attacks – 7 percent; incidents – 13 percent; and breaches – 13 percent. One-third of respondents said that attacks had increased; fewer than one in five (18 percent) said incidents had increased; and very few (6 percent) said breaches had increased. Again, however, the number of local governments that did not know was not trivial: 25 percent for attacks; 27 percent for incidents; and 35 percent for breaches.
Table 5.4 In the past 12 months, has your local government’s information system experienced more, less, or about the same number of attacks, incidents, and breaches?
| Attacks | Incidents | Breaches | ||||
|---|---|---|---|---|---|---|
| N | % | N | % | N | % | |
| Fewer | 27 | 7.4 | 47 | 13.1 | 47 | 13.1 |
| Same | 125 | 34.4 | 149 | 41.4 | 164 | 45.8 |
| More | 118 | 32.5 | 65 | 18.1 | 20 | 5.6 |
| Don’t know | 93 | 25.6 | 99 | 27.5 | 127 | 35.5 |
| Total | 363 | 100.0 | 360 | 100.0 | 358 | 100.0 |
The responses in 2020, however, were clear that the frequency of attacks had increased in the past year with almost 93 percent saying so. Only 7 percent of local governments said that the frequency of attacks had remained about the same.
Next, the survey asked if respondents could determine the types of attackers during the previous year and the attackers’ motives. A clear majority said that they could not determine the types of attackers (Table 5.5). Of those who were able to determine the types of attackers, 50 percent said attackers included external actors-organizations, 43 percent said they included external actors-individuals, 21 percent said state actors, and 9 percent said malicious insiders (Table 5.6). By contrast, nearly two-thirds of respondents to the 2020 survey said that they could identify their attackers. When asked, respondents to the 2016 survey said that the top reasons for the attacks were: ransom, mischief, sensitive information, hacktivism, and theft of money (Table 5.7) These findings are consistent with the 2020 survey in which ransom, theft of money, and theft of PII were the top three attack purposes, and with a report by PNC released in 2018 (Kozlik, 2018).
Table 5.5 Is your local government able to determine the types of attackers that attack your system?
| N | % | |
|---|---|---|
| Yes, can determine | 151 | 41.6 |
| No, cannot | 212 | 58.4 |
| Total | 363 | 100.0 |
Table 5.6 Types of attackers.
| Yes | No | ||||
|---|---|---|---|---|---|
| N | % | N | % | Total | |
| External Actors/ Organizations | 76 | 50.3 | 31 | 20.5 | 107 |
| External actors/ individuals | 65 | 43.0 | 42 | 27.8 | 107 |
| State actors | 31 | 20.5 | 76 | 50.3 | 107 |
| Malicious insiders | 14 | 9.3 | 94 | 62.3 | 108 |
Table 5.7 Purpose of attacks.
| Yes | No | ||||
|---|---|---|---|---|---|
| N | % | N | % | Total | |
| Ransom | 60 | 39.7 | 41 | 27.2 | 101 |
| Mischief | 38 | 25.2 | 63 | 41.7 | 101 |
| PII | 28 | 18.5 | 73 | 48.3 | 101 |
| Hacktivism | 26 | 17.2 | 75 | 49.7 | 101 |
| Theft of money | 21 | 13.9 | 80 | 53.0 | 101 |
| Employee records | 15 | 9.9 | 86 | 57.0 | 101 |
| Confidential records | 14 | 9.3 | 87 | 57.6 | 101 |
| Customer/ citizen records | 12 | 7.9 | 89 | 58.9 | 101 |
| Espionage | 5 | 3.3 | 96 | 63.6 | 101 |
| Revenge | 2 | 1.3 | 99 | 65.6 | 101 |
| Terror | 2 | 1.3 | 99 | 65.6 | 101 |
5.2.2 Preparedness
To better understand how well local governments can defend their IT assets, the 2016 survey asked how prepared these governments felt they were to detect, prevent, and recover from several potential events that could adversely affect their systems, including incident and attack detection and recovery (Table 5.8). Only small percentages of local governments reported having a very good or excellent ability to do so, ranging from 48 percent with a very good or excellent ability to recover from ransomware attacks to 21 percent with a similar ability to detect exfiltration. As seen in Table 5.8, responses to the remainder of this question do not inspire confidence in these governments’ ability to withstand attacks, incidents, and breaches or to recover from them. Consistent with findings thus far in this chapter, once again it appears that local governments were not practicing high levels of cybersecurity.
Table 5.8 Preparedness of local governments to.
| Detect Attacks | Detect Incidents | Prevent Breaches | Recover from Breaches | |||||
|---|---|---|---|---|---|---|---|---|
| N | % | N | % | N | % | N | % | |
| Poor/fair | 97 | 28.0 | 98 | 28.3 | 98 | 28.5 | 90 | 26.5 |
| Good | 88 | 25.4 | 98 | 28.3 | 103 | 29.9 | 79 | 23.2 |
| Very good/ excellent | 145 | 41.9 | 132 | 38.2 | 125 | 36.3 | 125 | 36.8 |
| Don’t know | 16 | 4.6 | 18 | 5.2 | 18 | 5.2 | 46 | 13.5 |
| Total | 346 | 100.0 | 346 | 100.0 | 344 | 100.0 | 340 | 100.0 |
| Detect Exfiltration | Prevent Exfiltration | Recover from Exfiltration | Recover from Ransomware | |||||
| N | % | N | % | N | % | N | % | |
| Poor/fair | 168 | 49.3 | 146 | 42.9 | 107 | 31.7 | 64 | 18.7 |
| Good | 54 | 15.8 | 64 | 18.8 | 68 | 20.1 | 77 | 22.5 |
| Very good/ excellent | 70 | 20.5 | 85 | 25.0 | 94 | 27.8 | 165 | 48.3 |
| Don’t know | 49 | 14.4 | 45 | 13.2 | 69 | 20.4 | 36 | 10.5 |
| Total | 341 | 100.0 | 340 | 100.0 | 338 | 100.0 | 342 | 100.0 |
This finding is also consistent with the results of a 2018 survey of over 1000 respondents from companies in the UK and the US. Among other things, it found that nearly half of participants had “no understanding of how to protect their companies against cyber attacks [sic]” (Keeper Security, Inc and Ponemon Institute, 2018).
Next, the 2016 survey inquired about the level of confidence that these governments had in their ability to prevent all breaches (Table 5.9). Three in ten reported being not at all or only slightly confident, 31 percent said somewhat confident, and 34 percent replied confident or highly confident of being able to prevent all breaches. Viewed differently, nearly two-thirds of respondents were less than confident in the ability of their local government to prevent all breaches. This finding will doubtless come as no surprise because, as cybersecurity professionals know, it is not a matter of whether, but when an organization will be breached (see also Ponemon Institute, 2015).
Table 5.9 Confidence in your local government’s ability to prevent all breaches.
| N | % | |
| Not at all/slightly confident | 100 | 30.3 |
| Somewhat confident | 103 | 31.2 |
| Confident/highly confident | 115 | 34.9 |
| Don’t know | 12 | 3.6 |
| Total | 330 | 100.0 |
5.2.3 Barriers to Cybersecurity
Clearly, a number of factors may contribute to American local governments’ failure to practice higher levels of cybersecurity. With this in mind, the survey included a number of questions about barriers to the effective practice of cybersecurity (Table 5.10). The specific barriers considered were based on the barriers identified in the prior literatures on IT and government and e-government. The five most important barriers reported in the 2016 survey were: 1) the inability to pay competitive salaries to cybersecurity employees; 2) insufficient number of cybersecurity staff; 3) lack of funds; 4) lack of adequately trained personnel; and 5) lack of end user accountability. All other potential barriers were selected by less than one-third of respondents.
Table 5.10 Barriers to achieving highest possible level of cybersecurity.
| Not/Small Barrier | Modest Barrier | Somewhat/ Severe Barrier | Don’t Know | Total | ||||||
| N | % | N | % | N | % | N | % | N | % | |
| Inability to pay competitive salaries | 67 | 19.8 | 42 | 12.4 | 198 | 58.6 | 31 | 9.2 | 338 | 100.0 |
| Insufficient number of staff | 68 | 20.2 | 71 | 21.1 | 179 | 53.1 | 19 | 5.6 | 337 | 100.0 |
| Lack of funds | 57 | 16.6 | 95 | 27.7 | 181 | 52.8 | 10 | 2.9 | 343 | 100.0 |
| Lack of adequately trained personnel | 86 | 25.5 | 76 | 22.6 | 158 | 46.9 | 17 | 5.0 | 337 | 100.0 |
| Lack of end user accountability | 121 | 35.8 | 78 | 23.1 | 127 | 37.6 | 12 | 3.6 | 338 | 100.0 |
| Lack of trained personnel to hire | 120 | 35.3 | 73 | 21.5 | 108 | 31.8 | 39 | 11.5 | 340 | 100.0 |
| Lack of adequate cybersecurity Awareness | 118 | 35.1 | 104 | 31.0 | 104 | 31.0 | 10 | 3.0 | 336 | 100.0 |
| No end user training at all | 172 | 51.3 | 64 | 19.1 | 86 | 25.7 | 13 | 3.9 | 335 | 100.0 |
| Some, but insufficient end user training | 158 | 48.2 | 88 | 26.8 | 65 | 19.8 | 17 | 5.0 | 328 | 100.0 |
| Federated nature of local government | 183 | 55.8 | 41 | 12.5 | 58 | 17.7 | 46 | 14.0 | 328 | 100.0 |
| Too many IT networks/ systems | 222 | 66.1 | 43 | 12.8 | 55 | 16.4 | 16 | 4.8 | 336 | 100.0 |
| Lack of support from department managers | 209 | 61.5 | 70 | 20.6 | 47 | 13.8 | 14 | 4.1 | 340 | 100.0 |
Perhaps most importantly, four of the top five barriers identified in the 2016 survey centered around inadequate funding for cybersecurity (Table 5.11). If local governments cannot pay competitive salaries, it is because of their financial limitations (i.e., lack of funds). If local governments lack sufficient numbers of cybersecurity staff, it is also due to financial limitations. This said, it is also true that local governments find it difficult to compete for IT and cyber personnel because private-sector salaries are typically much higher than the public sector is able to pay. Last, lack of adequately trained personnel is also related to funding because training is not free. Indeed, training is often cut when local governments face budgetary difficulties, like those experienced during the “Great Recession” of 2009 and the “Pandemic Recession” of 2020.
Table 5.11 Top three things needed to ensure the highest level of cybersecurity.
| 1 | 2 | 3 | Total | |||||
| N | % | N | % | N | % | N | % | |
| Greater funding for cybersecurity | 76 | 54.7 | 37 | 26.6 | 26 | 18.7 | 139 | 100.0 |
| Better cyber policies | 46 | 38.3 | 36 | 30.0 | 38 | 31.7 | 120 | 100.0 |
| Greater CS awareness | 42 | 35.3 | 29 | 24.4 | 48 | 40.3 | 119 | 100.0 |
| More end user training | 22 | 25.3 | 32 | 36.8 | 33 | 37.9 | 87 | 100.0 |
| More cyber personnel | 26 | 30.2 | 37 | 43.0 | 23 | 26.7 | 86 | 100.0 |
| Improved cyber hardware | 35 | 42.2 | 26 | 31.3 | 22 | 26.5 | 83 | 100.0 |
| More training for cyber personnel | 21 | 28.8 | 24 | 32.9 | 28 | 38.4 | 73 | 100.0 |
| Pay competitive salaries for cyber personnel | 15 | 23.1 | 30 | 46.2 | 20 | 30.8 | 65 | 100.0 |
| More end user accountability | 13 | 20.0 | 18 | 27.7 | 34 | 52.3 | 65 | 100.0 |
| Better enforcement of cyber policies | 11 | 20.4 | 26 | 48.1 | 17 | 31.5 | 54 | 100.0 |
| Greater support – top electeds | 9 | 29.0 | 9 | 29.0 | 13 | 41.9 | 31 | 100.0 |
| Greater support dept managers | 5 | 16.7 | 13 | 43.3 | 12 | 40.0 | 30 | 100.0 |
| Greater support top appointeds | 7 | 35.0 | 3 | 15.0 | 10 | 50.0 | 20 | 100.0 |
| Consolidation of networks/systems | 3 | 23.1 | 3 | 23.1 | 7 | 53.8 | 13 | 100.0 |
These findings are consistent with several years of research into IT and government and e-government (e.g., Holden et al., 2003; Norris and Kraemer, 1996; Norris and Reddick, 2013) as well as evidence produced by the literature review for this book (Caruson et al., 2012; Deloitte-NASCIO, 2010 through 2020; Ponemon Institute, 2015). These findings are also consistent also with the 2020 survey in which the top two barriers were lack of funding and lack of sufficient and adequately trained staff, and with a recent survey of state governments that found the top two barriers were lack of funding and lack of cyber staff (Deloitte-NASCIO, 2020).
5.3 Conclusions and Recommendations
Evidence available from a variety of sources including but not limited to the 2016 survey of local government cybersecurity shows that organizations including local governments are under frequent, if not constant attack and that they often practice cybersecurity poorly. This is almost certainly a function of the several barriers to cybersecurity identified in the survey and other sources – of which lack of funding was the most serious. Indeed, when asked about the top three things needed to ensure the highest level of cybersecurity, respondents to the 2016 survey first named a need for greater funding, followed by better cybersecurity policies, and greater cybersecurity awareness among local government employees (Table 5.11). Thus, a first recommendation is that, within budgetary limitations, local governments must provide adequate finding for cybersecurity.
What might American local governments consider to improve their practice of cybersecurity? First, as noted above, they must fund cybersecurity adequately, an issue that is addressed in greater detail in Chapter 6. Second, top local elected and appointed officials must be fully committed to cybersecurity. One of the most frequent complaints heard from IT and cybersecurity staff is that their organizations’ top executives do not understand and are not sufficiently supportive of cybersecurity and that cybersecurity does not get their attention until a serious adverse event occurs, which, of course, is too late. If top local government officials do not fully understand or support cybersecurity, those who work for them will, understandably, ask, “Why should I?” And lack of support from the top will make it difficult to ensure, establish, and maintain cybersecurity at high levels.
One way these officials can make cybersecurity a priority is to address existing barriers to cybersecurity. This is a third recommendation. Within their fiscal and administrative limitations, local governments must address known barriers to cybersecurity, especially funding, staffing, and accountability. Although lack of funding ranked at the top of the list of reported barriers to cybersecurity, local governments can take action in a number of areas where cost is not as great a factor, such as adopting and implementing cybersecurity policies and providing end user training, which are addressed in greater detail in Chapter 6.
Fourth, top officials must insist that their governments be aware of and follow the latest cybersecurity best practices, such as those published by relevant federal government agencies. At the minimum, these currently include the NIST Cybersecurity Framework and the DHS cybersecurity strategy document and resources (DHS, 2018a, 2018b; NIST, 2014, 2018a, 2018b).
The 2016 survey found numerous cases in which local governments did not know that they were under cyberattack and had experienced incidents or breaches (mercifully, this was not the case in the 2020 survey). No top local government official, whether elected or appointed, and certainly no IT or cybersecurity official should ever have to answer “I do not know” to questions about the cybersecurity of their organizations. Knowing the security status of their information system is fundamentally important to a local government’s ability to address vulnerabilities and improve cyber-outcomes. For local officials and staff not to know about important aspects of their government’s cybersecurity is akin to malpractice. So, a fifth recommendation is to eliminate the “don’t knows.”
Last, local governments must create and maintain a culture of cybersecurity within their organizations. The concept of a culture of cybersecurity began to gain traction among practitioners only within the past decade or so (e.g., Deloitte-NASCIO, 2010). Among other things, a culture of cybersecurity means that the elected officials and top managers fully embrace and support cybersecurity, play important roles in it, insist that others in their governments do so as well, and hold all accountable when they do not. Chapter 6 provides greater detail on the meaning of a culture of cybersecurity.
Local governments are currently attractive targets for cyberattackers, and they are likely to remain so well into the future. This is partly because of the failure of so many of these governments to provide high levels of cybersecurity. The effects of cyberattacks at the local level can have devastating consequences for governmental operations and service delivery, local business activities, citizen engagement, local trust, and more. Therefore, local government leaders must understand and actively support cybersecurity operations that are proactive, effective, and capable of making it more difficult for adversaries to cause significant harm to local government information assets. While total security is a noble goal – but, sadly, one that is never fully achievable – there is much that can be done by local governments to make it more difficult for attacks and incidents to be successful.
Having discussed cyberattacks against local governments in these pages, Chapter 6 will explore the assorted management issues related to implementing, managing, and sustaining an effective local government cybersecurity program.
Appendix 5.1 Research Method and Data
2016 Survey
To produce the data for the 2016 study, the survey’s authors partnered with the International City/County Management Association (ICMA) for a nationwide survey of local government cybersecurity. ICMA is the premier membership organization of local government professionals in the United States and is widely recognized for its research into many aspects of local governance, including information technology. ICMA also has a survey capability that is unsurpassed in reaching local governments across America.
In cooperation with staff at the ICMA, the authors prepared a draft survey instrument based on the limited available information about local government cybersecurity from previous research on this subject (e.g., Caruson et al., 2012; Norris et al., 2018), and on the professional literature that is discussed in the literature review in Chapter 4. The draft survey instrument was then submitted for review and comment to a volunteer advisory group created to assist in this project. The group consisted of the IT directors, Chief Technology Officers (CTO), CISOs or equivalent officials in ten cities and counties in the authors’ home state of Maryland as well as the CIO and CISO of their university. After receiving comments and suggestions from these advisors, the survey instrument was appropriately revised. ICMA then pre-tested the instrument, and final adjustments were made to it. The process used to develop the instrument creates face validity for the instrument, and provides confidence that, on the whole, the questions in it produce reliable data.
The instrument examined a wide range of local government cybersecurity issues. For the purposes of this chapter, we have focused on those related to cyberattacks. Chapter 6 focuses on issues relating to cybersecurity management.
The survey received a final response rate of 11.9 percent (n = 406 local governments), which is considered low. However, there were several reasons for it. Chief among them is, first, the substantial decline in response rates to surveys in recent years (e.g., Anseel et al., 2010), including those conducted by ICMA. A second reason is that IT and cybersecurity officials across the nation are reluctant to respond to such surveys because they are afraid that their responses might reveal sensitive information about their governments’ cybersecurity problems and practices.
There is some degree of satisfaction that a response of 406 to a random sample of 3400 local governments would have produced a margin of error of 5 percent at a confidence level of 95 percent. Clearly, however, this was not a random sample but rather a population survey. As a result, there are other reasons that these results should be taken seriously. Consider, for example, two factors. First, as seen in Table 5.A.1, the survey results are reasonably representative of the overall population of the local governments that were surveyed. While larger local governments are proportionately overrepresented, smaller local governments are numerically overrepresented. This is not surprising because it reflects the relative distribution of local governments in the US. There is also some regional variation, with local governments in the Northeast and North Central regions being underrepresented and those in the South and West being overrepresented. This is also not surprising and is probably because the occurrence of the council manager form of government is greater in the latter two regions and, as Table 5.A.1 shows, council manager governments were overrepresented.
Table 5.A.1a Local government demographics.
| Number Surveyed | Number Responding | Response Rate (%) | |
|---|---|---|---|
| Total | 3423 | 406 | 11.9 |
| population size | |||
| 500,000+ | 140 | 31 | 22.1 |
| 250,000–499,999 | 168 | 26 | 15.5 |
| 100,000–249,999 | 532 | 63 | 11.8 |
| 50,000–99,999 | 939 | 107 | 11.4 |
| 25,000–49,999 | 1644 | 179 | 10.9 |
| Geographic division | |||
| Northeast | 574 | 42 | 7.3 |
| North Central | 1048 | 120 | 11.5 |
| South | 1148 | 139 | 12.1 |
| West | 653 | 105 | 16.1 |
| City/county | |||
| Municipalities | 1893 | 262 | 13.8 |
| Counties | 1530 | 144 | 9.4 |
| Form of government 1 | |||
| Elected (Mayor-Council, County Council-Elected Executive, County Commission) | 1541 | 117 | 7.6 |
| Appointed (City Council-Manager, County Administrator/Manager) | 1588 | 276 | 17.4 |
| Form of government 2 | |||
| Mayor-Council | 570 | 46 | 8.1 |
| County Commission | 685 | 33 | 4.8 |
| County Council-Elected Executive | 286 | 38 | 13.3 |
| City Council-Manager | 1035 | 204 | 19.7 |
| County CA/CM | 553 | 72 | 13.0 |
The 2020 Survey
The 2020 survey was conducted to provide data for an exploratory study that employed a combination of convenience and expert sampling. A convenience sample is a method of sampling that includes participants because they were easily reached by the researchers (Battaglia, 2014). By contrast, an expert sample involves the selection if participants who are knowledgeable experts in the field of the survey, in this case local government cybersecurity (Patton, 2018). To gather data for this study, the author surveyed top IT and cybersecurity officials in 11 cities and three counties in the US (Table 5.A.3). Respondents to this survey included 11 CISOs, one CIO, and two ITDs. These officials, or key informants, all had considerable expertise, experience in and knowledge of the cybersecurity of their local governments, including their governments’ cybersecurity management, practices, risks, strengths, limitations, and problems. The use of knowledgeable key informants who are trained, experienced practitioner experts working as the top cybersecurity or IT officials for their local governments should mean that the data from the survey is both valid and reliable.
Table 5.A.3 What is your official title?
| Number | % | |
| CISO | 11 | 78.6 |
| CIO | 1 | 7.1 |
| ITD | 2 | 14.3 |
| Other | ||
| Total | 14 | 100.0 |
Second, the survey’s authors are confident of these results because the great majority of respondents (83.9 percent) were experienced, local government IT and cyber professionals, mostly CIOs, ITDs, and CISOs (Table 5.A.2). Thus, the men and women who responded to this survey were knowledgeable, expert local government practitioners who “knew their stuff.”
The principal strengths and limitations of this method are that it is simpler, easier, and less expensive than probability sampling, and therefore useful for studies like this. It also produces information from knowledgeable key informants, so the data should be both valid and reliable. The principal limitations of this type of research include that the results are not representative of a broader population and, therefore, cannot be generalized to that population. It is also prone to contain bias and sampling error. For exploratory studies, the strengths appear to outweigh the limitations of this research method.
Table 5.A.2 Respondent profession and experience.
| Profession | N | % |
| IT professionals | 193 | 83.9 |
| Other government | 28 | 14.5 |
| Other | 3 | 1.6 |
| Total | 193 | 100.0 |
| IT Experience | ||
| 0–5 Years | 25 | 24.8 |
| 6–10 Years | 30 | 29.7 |
| 11–19 Years | 30 | 29.7 |
| 20+ Years | 16 | 15.8 |
| Total | 101 | 100.0 |
The survey was conducted between mid-April and late August 2020. The initial plan was to conduct a combination of face-to-face and telephone interviews. However, because of the COVID-19 pandemic, conducting face-to-face interviews was unsafe. It was also clear that telephone interviews would not be feasible because of the difficulty finding the telephone numbers of IT and cybersecurity officials on many local government websites, the time pressure under which cybersecurity and IT officials across the nation were working during the pandemic, and a reluctance among such officials to respond to surveys (Norris et al., 2019). Hence, we used email only (see Norris et al., 2019).
Initially, emails were directed only to the then approximately 17 members of the Coalition of City CISOs (https://cityciso.org) that was established in the spring of 2019, and we are especially grateful for the coalition’s support for this survey. Indeed, most of the local governments that participated (at least nine) are members of the coalition. Two anonymous colleagues who were familiar with this research, one in a city government and one in a local government membership organization, volunteered to solicit responses from other local governments, and we thank them for their assistance as well. These efforts produced only five additional responses for a total of 14 responses, of which nine were from coalition members. See Table 5.A.4 for participating jurisdictions.
Table 5.A.4 Participating local governments and their population.
| Boston, MA | 692,600 |
| Chicago, IL | 2,693,976 |
| Dallas, TX | 1,343,573 |
| Detroit, MI | 670,031 |
| Fairfax County, VA | 1,457,532 |
| Los Angeles, CA | 3,979,576 |
| Memphis, TN | 651,073 |
| Nashville, TN | 670,820 |
| San Francisco, CA | 881,549 |
| Seattle, WA | 753,675 |
Population data from the 2019 Census estimates for counties and for cities and towns. Please note that the authors received explicit permission from the ten listed local governments to identify them by name.
Perhaps the most prominent reason for low response rates in this type of research is the concern among CISOs and other officials that revealing anything about their cybersecurity might put the local government at risk. Revealing too much might also be embarrassing. In this and previous research, more than one official has essentially replied: “Our policy is not to respond to such surveys.”
The refusal of local government cybersecurity and IT officials to participate in surveys and other types of research into their cybersecurity is unfortunate for at least three reasons. First, it deprives local governments across the nation of reliable information about the state of cybersecurity management and practice among their peers, which knowledge can benefit all local governments. Second, it deprives these governments with evidence-based recommendations to improve their management and practice of cybersecurity. And the third reason involves cybersecurity researchers, whose job it is to gather and make sense of the data that can influence local government cybersecurity management and practice. If researchers cannot gather the data, they cannot analyze it and provide results to local governments to help in their cybersecurity planning or to other scholars conducting similar research.
Beyond gathering and analyzing data and providing results to local governments, these scholars can also begin theorizing about aspects of local government cybersecurity management and practice, such as what are the factors or conditions that produce certain cybersecurity outcomes among local governments and why? However, without data from studies of various kinds about local government cybersecurity, such theorizing is not likely to occur.
Respondents were promised anonymity and confidentiality for their participation in the survey because they are essential elements for the conduct of research into sensitive topics. However, it is clear from this and other cybersecurity surveys, that this promise was not sufficient to produce higher response rates. For example, the 2016 survey achieved only an 11.9 percent response rate after several mailings and personal contact by telephone (Norris et al., 2019). In their 2018 nationwide survey of municipal government cybersecurity (based in part on Norris et al., 2019), Hatcher et al. achieved only a 7 percent response rate (2020).
Note
- 1 This chapter is a revised and expanded version of Donald F. Norris, Laura Mateczun, Anupam Joshi, and Tim Finin. 2020. Cyberattacks at the grassroots: American local governments and the need for high levels of cybersecurity. Public Administration Review. 79(6): 895–904. It is included with the permission from the publisher, John Wiley and Sons, Inc.
References
- Anseel, F., Lievens, F., Schollaert, E., and Choragwicka, B. (2010). Response rates in organizational sciences, 1995–2008: A meta-analytic review and guidelines for survey researchers. Journal of Business Psychology, 25(3), 335–349. https://link.springer.com/article/10.1007/s10869-010-9157-6
- Battaglia, M.P. (2014). Nonprobability sampling. In P.J. Lavrakas (Ed.), Encyclopedia of Survey Research Methods (pp. 524–527). Sage Publications.
- Caruson, K., MacManus, S.A., and McPhee, B.D. (2012). Cybersecurity policy-making at the local government level: An analysis of threats, preparedness, and bureaucratic roadblocks to success. Homeland Security & Emergency Management, 9(2), 1–22. https://www.degruyter.com/document/doi/10.1515/jhsem-2012-0003/html
- Deloitte and National Association of State Chief Information Officers (2010). State governments at risk: A call to secure citizen data and inspire public Trust. Lexington, KY. https://www.nascio.org/Portals/0/Publications/Documents/Deloitte-NASCIOCybersecurityStudy2010.PDF
- Deloitte and National Association of State Chief Information Officers (2012). 2012 Deloitte-NASCIO cybersecurity sStudy–state governments at risk: A call for collaboration and compliance. https://www.nascio.org/Portals/0/Publications/Documents/Deloitte-NASCIOCybersecurityStudy2012.pdf
- Deloitte and National Association of State Chief Information Officers (2014). 2014 Deloitte-NASCIO cybersecurity study–state governments at risk: Time to move forward. https://www.nascio.org/Portals/0/Publications/Documents/Deloitte-NASCIOCybersecurityStudy_2014.pdf
- Deloitte and National Association of State Chief Information Officers (2016). 2016 Deloitte-NASCIO cybersecurity study–state governments at risk: Turning strategy and awareness into progress. https://www.nascio.org/Portals/0/Publications/Documents/2016/2016-Deloitte-NASCIO-Cybersecurity-Study.pdf
- Deloitte and National Association of State Chief Information Officers (2018). 2018 Deloitte-NASCIO cybersecurity study–states at risk: bold plays for change. https://www.nascio.org/wp-content/uploads/2019/11/2018DeloitteNASCIOCybersecurityStudyfinal.pdf
- Deloitte and National Association of State Chief Information Officers (2020). 2020 Deloitte-NASCIO cybersecurity study. https://www.nascio.org/wp-content/uploads/2020/10/2020-Deloitte-NASCIO-Cybersecurity-Study-1.pdf
- Hatcher, W., Meares, W.L., and Heslen, J. (2020). The cybersecurity of municipalities in the United States: An exploratory survey of policies and practices. Journal of Cyber Policy, 5(2), https://doi.org/10.1080/23738871.2020.1792956
- Holden, S.H., Norris, D.F., and Fletcher, P.D. (2003). Electronic government at the local level: Progress to date and future issues. Public Productivity and Management Review, 26(3), 1–20. https://www.tandfonline.com/doi/abs/10.1177/1530957603252580
- Keeper Security, Inc., and Ponemon Institute (2018, November). 2018 State of cybersecurity in small and medium size businesses. https://www.keepersecurity.com/assets/pdf/Keeper-2018-Ponemon-Report.pdf
- Kozlik, T. (2018, April 23). Cyberattacks: A real threat to state and local governments, infrastructure. PNC. https://www.pnc.com/content/dam/pnc-com/pdf/corporateandinstitutional/MunicipalBond/Cyberattacks-a-real-threat.pdf
- Norris, D.F. (2021). A new look at local government cybersecurity in 2020 Recommendations for staying vigilant against persistent cyber threats. Local Government Review. A publication of the International City/County Management Association. https://icma.org/sites/default/files/2021-07/PM%20%2B%20LGR%20July%202021%20LOW-RES.pdf
- Norris, D.F. and Kraemer, K.L. (1996). Mainframe and PC computing in American cities: Myths and realities. Public Administration Review, 56(6), 568–576. doi: 10.2307/977255
- Norris, D.F., Mateczun, L., Joshi, A., and Finin, T. (2018). Cybersecurity at the grassroots: American local governments and the challenges of internet security. Journal of Homeland Security and Emergency Management, 15(3), 1–14. https://www.degruyter.com/document/doi/10.1515/jhsem-2017-0048/html
- Norris, D.F., Mateczun, L., Joshi, A., and Finin, T. (2019). Cyberattacks at the grassroots: American local governments and the need for high levels of cybersecurity. Public Administration Review, 76(6), 895–904. https://onlinelibrary.wiley.com/doi/abs/10.1111/puar.13028
- Norris, D.F., and Reddick, C.G. (2013). Local E-government in the United States: Transformation or incremental change? Public Administration Review, 73(1), 165–175. https://doi.org/10.1111/j.1540-6210.2012.02647.x
- Patton, M.Q. (2018). Expert sampling. In B.B. Frey (Ed.), The SAGE Encyclopedia of Educational Research, Measurement, and Evaluation. SAGE Publications.
- Ponemon Institute (2015). State of cybersecurity in local state & federal government. https://ssl.www8.hp.com/ww/en/secure/pdf/4aa6-2563enw.pdf
- U.S. Department of Homeland Security (2018a). Cybersecurity strategy. https://www.dhs.gov/sites/default/files/publications/DHS-Cybersecurity-Strategy_1.pdf
- U.S. Department of Homeland Security (2018b). Cybersecurity resources. https://www.dhs.gov/topic/cybersecurity (This resource continuously updated by DHS.)
- U.S. National Institute of Standards and Technology (2014). NIST roadmap for improving critical infrastructure cybersecurity. National Institute of Standards and Technology. https://www.nist.gov/sites/default/files/documents/cyberframework/roadmap-021214.pdf
- U.S. National Institute of Standards and Technology. (2018a). Framework for improving critical infrastructure cybersecurity, version 1.1. National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- U.S. National Institute of Standards and Technology (2018b). Cybersecurity framework state, local, tribal and territorial perspectives. https://www.nist.gov/cyberframework/perspectives/state-local-tribal-and-territorial-perspectives
- Verizon (2015). 2015 data breach investigations report. http://www.verizon.com/about/news/2015-data-breach-report-info