8 People: The Root of The Problem

8.1 Introduction

People are a critical component to cybersecurity, especially for local governments. As discussed in Chapter 2, people are one key element of cybersecurity along with technology, policies, and practices. After all, it is people that utilize technology and enact policies and practices to ensure high levels of local government cybersecurity. However, it is also people who make mistakes, either out of ignorance, negligence, or malice, and who fail to follow cybersecurity policies and procedures. So just who are the people referred to in this chapter? They include the elected officials of a local government as well as top managers, department heads, employees, vendors, contractors, and any and all others who have access to the local government’s IT system. By extension, people also include those who are responsible for attacking local government information systems – including criminals and criminal organizations, although the focus of this chapter is mainly on people as internal actors.

This chapter discusses first, how people are the root of the cybersecurity problem and how they constitute perhaps the major obstacle to achieving high levels of local government cybersecurity. Second, it addresses the ways people are targeted by malicious actors. Third, the chapter covers the ways people can be assets to local government cybersecurity. Fourth, it discusses the training and accountability of local government officials and staff. The chapter ends with a brief conclusion.

8.2 People as a Problem

The results of the 2016 survey presented in Chapters 5 and 6 show that local governments generally have the technology aspect of cybersecurity under control. At the same time, it is common to hear cybersecurity officials complain that people are their biggest problem. While a perhaps obvious statement, there are many ways people can be a cybersecurity problem. First, they make mistakes. Human error can mean both unintentional actions and lack of action (e.g., not reporting a cybersecurity risk like a phishing email) that can result in an adverse cybersecurity event. If local government officials and staff are unaware of the common threats that they face or the cybersecurity policies they must follow, it is highly probable that they will make mistakes. For example, Shelby County, Tennessee sold what was believed to be a fully decommissioned¹ polling machine on eBay, which was used as an experimental platform at the DEFCON hacker conference and was found to have the personal information of 650,000 voters still on its hard drive, including name, address, birth date, party registration, and method of voting (Collier, 2017). Even in cases where ignorance or negligence are not in play, people can still make mistakes. After all, it only takes one click on a URL that is linked to a file containing malware for a cyberattack to succeed.

Second, people can and do act with malice. There is always the possibility that some employees may act with motives such as theft, mischief, greed, or revenge. This can be as simple as stealing a laptop with local government PII on the hard drive or as complex as altering or deleting information so it cannot be used or trusted. Disgruntled employees might even disrupt or destroy information to make systems inoperable. In 2010, a former network administrator for the City of San Francisco was found guilty of one felony count of denying computer services for refusing access to the city’s passwords and declining to relinquish administrative control of the city’s network (McMillan, 2010). He was ultimately sentenced to prison and ordered to pay $1.5 million in restitution (Van Derbeken, 2010). However, it is important to note that this case represents an exception and that few officials or public sector employees (17 percent) were responsible for cybersecurity incidents in the public sector in 2020 (Verizon, 2021).

Third, it is people who are responsible for engaging in attacks against local governments. As would be expected, people external to the organizations make up 83 percent of the cybersecurity incidents in the public sector (Verizon, 2021). As discussed in Chapters 3 and 12, such attacks are increasing in number as attack methods evolve and become more successful, while the risk of getting caught and the costs associated with launching such attacks remain low and the rewards are potentially very high. From the mythical (or perhaps not so mythical) lone hacker motivated by avarice or activism to state-sponsored or state-sanctioned cybercriminals, the types of people who attack local governments are as varied as they are numerous.

8.3 The Ways People are Targeted

People within organizations are targeted by cybercriminals in a variety of ways, with the dominant method being through social engineering. As mentioned earlier, social engineering is a technique that exploits human psychology and human error by manipulating the emotions of fear, greed, curiosity, helpfulness, and safety in the minds of the potential victim (Terranova Worldwide Corporation, 2020). For example, fear involves the threat of severe consequences if one does not respond to an email. Greed involves the possibility of potentially outsized personal gain if the victim (for example) clicks on a link included in the message. The victim’s curiosity may be piqued by crafting an email framed in the context of a current news event like the coronavirus pandemic or a natural disaster. Or the message may play to feelings of helpfulness by asking the potential victim to provide assistance to the sender, such as to facilitate a large money transfer between bank accounts. Finally, such messages may play to the victim’s sense of safety by offering them “guidance” to help ensure the security of the local government’s information and assets – but in actuality, that guidance, if followed, weakens or breaks it. Emotions are a human vulnerability, and they make it fairly easy to entice people to open an attachment, click a hyperlink connected to malware, or disclose confidential or personal information like passwords.

Social engineering attacks make up about 70 percent of the cybersecurity incidents in the public sector (Verizon, 2021). Within the category of social engineering, phishing, which is explained in Chapter 3, is by far the most common method (98 percent) employed in attacks against public sector organizations (Verizon, 2021). According to Verizon, the more phishing emails an attacker sends, the more likely the campaign is to succeed – after ten emails there is more than a 90 percent chance of success (2013). Only about 2 percent of social engineering attacks in the public sector involve pretexting, and less than 1 percent involve spam. Pretexting is somewhat different from phishing and spear phishing in that it builds on the trust of the receiver by pretending to be a person with authority, like a department head or elected official. Pretexting is generally associated with what Verizon terms a business email compromise attack. In such an attack, the cybercriminal targets employees with access to funds in order to convince them to transfer funds into an external account (Muncaster, n.d.). For example, the Clerk of Courts of Collier County, FL, paid $184,000 to a false bank account for Quality Enterprises USA, a contractor of the county, and the city of Naples, FL, paid $700,000 to someone posing as a representative of Wright Construction Group, another company contracting with the local government (Riley, 2019). When top officials, like a CEO or CFO, or an elected official or top appointed official, are targeted, it is known as a whaling attack because of the perceived large size and value of the target. Misrepresentation occurs in both phishing and pretexting attacks, as the malicious actors pretend to be someone they are not. Finally, spam is similar to phishing but usually involves a far larger number and wider variety of targets. Attacks using spam-based techniques are all about the volume of emails sent, because someone somewhere will fall for the guise. The Collier County (FL) Mosquito Control District lost almost $100,000 in an insurance spam attack via email (Riley, 2019).
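The Verizon figure quoted above (more than a 90 percent chance of success after ten emails) can be made concrete with a simple probability model. The following Python is an added illustration, not part of the chapter or of Verizon’s report, and it rests on an assumption the report does not state: that each recipient independently clicks with the same probability p. Under that assumption the chance that at least one of n recipients clicks is 1 − (1 − p)^n, which lets a defender work backwards from the 90-percent-after-ten figure to an implied per-recipient click rate of roughly 20 percent, and then see how much a lower click rate (the goal of awareness training) raises the number of recipients an attacker needs.

```python
import math


def campaign_success_probability(p: float, n: int) -> float:
    """Probability that at least one of n recipients clicks.

    Assumes (modelling assumption, not a Verizon finding) that every
    recipient independently clicks with the same probability p.
    """
    if not 0.0 <= p <= 1.0 or n < 0:
        raise ValueError("p must be in [0, 1] and n must be non-negative")
    return 1.0 - (1.0 - p) ** n


def implied_click_probability(target: float, n: int) -> float:
    """Per-recipient click probability at which n recipients give a campaign
    success probability of exactly `target` (inverse of the formula above)."""
    if not 0.0 <= target < 1.0 or n < 1:
        raise ValueError("target must be in [0, 1) and n must be positive")
    return 1.0 - (1.0 - target) ** (1.0 / n)


def recipients_needed(p: float, target: float) -> int:
    """Smallest number of recipients n for which the campaign success
    probability reaches `target`, given per-recipient click probability p."""
    if not 0.0 < p < 1.0 or not 0.0 <= target < 1.0:
        raise ValueError("p must be in (0, 1) and target in [0, 1)")
    if target == 0.0:
        return 0
    # Closed form from 1 - (1 - p)^n >= target, then adjust for rounding.
    n = math.ceil(math.log(1.0 - target) / math.log(1.0 - p))
    while campaign_success_probability(p, n) < target:
        n += 1
    while n > 0 and campaign_success_probability(p, n - 1) >= target:
        n -= 1
    return n


if __name__ == "__main__":
    # Work backwards from the chapter's quoted statistic: >90% after ten emails.
    p_implied = implied_click_probability(0.9, 10)
    print(f"implied per-recipient click rate: {p_implied:.1%}")

    # Effect of reducing the click rate through awareness training (constructed rates).
    for p in (0.20, 0.10, 0.05):
        print(f"click rate {p:.0%}: attacker needs {recipients_needed(p, 0.9)} "
              f"recipients for a 90% chance of at least one click")
```

The `recipients_needed` figures are the defender-relevant output: halving the per-recipient click rate roughly doubles the number of people an attacker has to reach before the campaign becomes near-certain to succeed, which in turn gives monitoring and user reports more opportunities to catch the campaign first.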

Attackers also target people in local governments using artificial intelligence (AI) and machine learning (ML) techniques with increasing frequency. As discussed in Chapter 12, these techniques and technologies can help make social engineering attacks seem more persuasive and believable. For example, AI and ML can assist attackers to automatically gather public information on local government employees in order to develop spear phishing attacks. AI and ML can also be used to write large numbers of emails in a style similar to a human, potentially even referencing personalized items that only the recipient might understand. ML and other data harvesting or analysis techniques make this process easier by finding and “mining” social media accounts and other public information on potential victims through image recognition tools to further craft more convincing phishing email messages. Voice impersonation, speech, and facial recognition and other forms of ML like “deepfakes” can be so sophisticated that they trick employees into believing they are communicating with someone they are not. An emerging phenomenon, deepfakes are synthetic images or videos that purport to be real people but are in fact hoaxes designed to trick the viewer or listener into believing what they are seeing or hearing. Of course, local governments need to understand that defenders of their IT systems can also use AI and ML to help identify cyberattacks or even suspicious activity before an incident occurs. For example, modern email security technology utilizing AI can identify these potential attacks and either block them from delivery or prominently alert users about their potential lack of legitimacy.

Malicious actors target not only local government employees but citizens as well. The most prominent example of the targeting of citizens involves disinformation campaigns leading up to elections. Disinformation campaigns, as seen in the attempts by Russia to influence the 2016 and 2020 elections, specifically aim to lower the level of citizen trust in election administration by spreading false or misleading information online (Forno, 2020). Successful ransomware attacks against elections infrastructure, such as the 2020 attack on Hall County, Georgia’s information systems, which included a voter signature database, can add fuel to the disinformation fire and effectively reduce citizen trust and potentially impact democratic participation (Forno, 2020). Although not specifically a cybersecurity concern at first glance, since 2016, many cybersecurity practitioners and technology companies have begun to examine and counter the use of cyber-related tools and techniques that seek to sow social division within local communities. And of course, ensuring the integrity of election information, systems, and results certainly falls under the purview of cybersecurity practitioners in their quest to ensure the confidentiality, integrity, and availability of information and information systems.

8.4 People as Cybersecurity Assets

People – in this case, local government employees – are central to the ability of local governments to maintain effective cybersecurity. As such, local governments should view their own people as assets and critical to their cybersecurity posture. Specifically, people can be assets in local government cybersecurity by following cybersecurity policies and practices, practicing good cybersecurity hygiene, reporting anomalies and phishing emails, and acting as cybersecurity advocates within the organization to promote good cybersecurity practices.

Officials and employees who actively follow the local government’s cybersecurity policies and the cybersecurity awareness training that they receive (or should receive) are perhaps the organization’s biggest assets. Doing so proactively increases the likelihood that they will not cause adverse cybersecurity events. As described earlier, it only takes one person to click one bad link to create a major cybersecurity incident. Officials and employees who are unaware of policies that, for example, prohibit sharing passwords, putting local government information on personal devices, and much more, or who know the rules governing their use of the IT system but disregard them create unnecessary risks that can easily lead to successful cyberattacks.

Practicing good cybersecurity hygiene means more than just following local government cybersecurity policies and practices. Proper cybersecurity hygiene also involves remaining vigilant and thinking through actions taken online. In some cases, it is the local government officials’ and employees’ responsibility to make sure the devices they are using are patched and up-to-date, whether government-provided or personally owned. It is most important that local government officials and employees as well as contractors, indeed anyone who has access to a local government’s IT system, understand that security is something they must constantly keep in mind and practice responsibly. After all, cybersecurity is the responsibility of every local government official and employee, not just IT or cybersecurity staff.

Reporting suspicious activity or things like phishing emails requires awareness, attention, and motivation on the part of all users of these IT systems. Phishing and spear phishing attacks depend on employees not knowing what these attacks are and how they operate or, if they know, not paying close attention and clicking a link or responding to an email that at first glance seems legitimate. Local governments should ensure employees are able to identify phishing and spear phishing attacks as well as the proper way to deal with such attacks. At the minimum, the latter should include a written policy on proper reporting of such attacks. Local governments should also regularly remind end users of their responsibility to be on the lookout for, and report, potentially malicious emails or websites.

Some organizations have created a formalized role for cybersecurity advocates within individual functions or teams (Martino, 2018). People in these roles may not necessarily be technologists or cybersecurity experts but are taught cybersecurity best practices so that they can champion the cause of security within their departments. Creating and enabling proactive cybersecurity advocates in local governments can help ensure that both overall mission objectives and goals specific to cybersecurity are met. Having cybersecurity advocates in operating departments can ensure a better understanding of the department’s unique organizational culture, language, and style so that cybersecurity measures can be presented in such a way as to ensure wider acceptance and less resistance. Similarly, where practicable, rotating IT and cybersecurity staff among different departments can help the cybersecurity departments of larger local governments with adequate budgetary capacity better understand the nuances of each department.

8.5 Training and Accountability

As discussed in Chapters 3 and 6, the best way to ensure the people in a local government are assets to organizational cybersecurity is through training and accountability. Local governments should provide cybersecurity awareness training regularly to all end users, and local governments must hold end users accountable for their cybersecurity actions and inactions. Awareness and training efforts should begin during the onboarding process and should continue throughout end users’ time on the job. Cybersecurity awareness should never be seen as a one-off event.

Of course, cybersecurity accountability should also be emphasized from the onboarding process throughout the official’s or employee’s career. Accountability for cybersecurity should include both rewards and punishments. Employees should be rewarded for proper cyber-hygiene and for not engaging in risky behavior or violating the local government’s cybersecurity policies and regulations. Resources permitting, they could even be incentivized to follow cybersecurity best practices, such as being recognized for reporting activity that staved off a potential cybersecurity incident. However, there should also be punishment for engaging in negligent or malicious behavior – for senior leaders and managers as well as rank-and-file employees. Typical responses to employees committing a cybersecurity error include alerting managers; restricting network access; removing network access until additional training is completed; and even “naming and shaming” the employee (Help Net Security, 2020). Some of these punishments may not be appropriate for all employees and officials, but at the very least additional training should be a requirement for employees and officials making mistakes. When malicious behavior is involved, more severe punishments should be considered.

8.6 Conclusion

People are the weakest link in cybersecurity. Yet they are also essential elements to ensuring high levels of cybersecurity in organizations. Among other things, this can be accomplished through ongoing awareness training and accountability. If all end users understand that they are integral components of their local governments’ cybersecurity and practice proper cybersecurity hygiene, they will be less likely to take actions, whether deliberate or not, that will expose their local government to unnecessary risks.

When thinking about cybersecurity threats, vulnerabilities, or other operational cybersecurity matters, local governments must recognize that it is ultimately people – not technology – that are the root of the great majority of cybersecurity problems. Developing a robust culture of cybersecurity and implementing a cybersecurity posture based on established best practices and procedures can help reduce the likelihood that people, as the weakest link in cybersecurity, will make the already-challenging task of cybersecurity for local governments even more difficult.

Note

  1. Here, “decommissioned” refers to resetting a system device to erase any user data, local configurations, applications, or otherwise reset the device to its original factory condition.

References

  1. Collier, K. (2017, August 01). Personal info of 650,000 voters discovered on poll machine sold on eBay. Gizmodo. https://gizmodo.com/personal-info-of-650-000-voters-discovered-on-poll-mach-1797438462
  2. Forno, R. (2020, October 29). Ransomware can interfere with elections and fuel disinformation – Basic cybersecurity precautions are key to minimizing the damage. The Conversation. https://theconversation.com/ransomware-can-interfere-with-elections-and-fuel-disinformation-basic-cybersecurity-precautions-are-key-to-minimizing-the-damage-147531
  3. Help Net Security (2020, August 05). 4 in 10 organizations punish staff for cybersecurity errors. https://www.helpnetsecurity.com/2020/08/05/4-in-10-organizations-punish-staff-for-cybersecurity-errors
  4. Martino, S. (2018, October 16). Your greatest security asset: Employees. National Cybersecurity Alliance. https://staysafeonline.org/blog/greatest-security-asset-employees
  5. McMillan, R. (2010, April 27). Admin who kept SF network passwords found guilty. Network World. https://www.networkworld.com/article/2208076/admin-who-kept-sf-network-passwords-found-guilty.html
  6. Muncaster, P. (n.d.). Social engineering attacks to watch out for. Verizon. https://enterprise.verizon.com/resources/articles/s/social-engineering-attacks-to-watch-out-for
  7. Riley, P. (2019, August 19). Collier County scammed out of $184K in phishing scheme that investigators say originated abroad. Naples Daily News. https://www.naplesnews.com/story/news/government/2019/08/19/collier-county-scammed-out-184-k-cyber-attack-phishing-scheme/2049019001
  8. Terranova Worldwide Corporation (2020). How to protect your data from social engineering. https://terranovasecurity.com/wp-content/uploads/2020/09/White-Paper-Social-Engineering-EN.pdf
  9. Van Derbeken, J. (2010, August 07). S.F. computer whiz Childs gets 4-year sentence. SFGATE. https://www.sfgate.com/bayarea/article/S-F-computer-whiz-Childs-gets-4-year-sentence-3178759.php
  10. Verizon (2013). Verizon 2013 Data breach investigations report. https://www.netsurion.com/eventtracker/media/eventtracker/files/collateral/verizon-data-breach-2013.pdf
  11. Verizon (2021). Verizon 2021 Data breach investigations report. https://enterprise.verizon.com/resources/reports/2021-data-breach-investigations-report.pdf