11 Important Questions to Ask

11.1 Introduction

This chapter, perhaps more than any other, is directed especially toward the top elected and appointed officials in local governments, although it will also be valuable to all staff regardless of pay grade or position. The chapter presents and provides brief answers to a number of questions that top local government officials should ask themselves and their cybersecurity teams. Asking should not be a simple one-off action, but rather an ongoing process. It is not sufficient, for example, for officials to ask the cybersecurity team what IT assets are being protected (Section 11.2) only once, because the number and types of assets change over time. Likewise, it is not sufficient to ask only once about the principal cyberthreats the local government is facing (Section 11.3) because the nature and severity of those threats change over time, just as does the underlying technology.

However, local officials need not pester cybersecurity staff with relentless and unnecessary questioning (after all, these staff members have important work to do!). Ideally, top officials should require regularly scheduled briefings by their governments’ cybersecurity leadership to ensure that these, and presumably other, questions are asked and answered.

The questions discussed in this chapter are based upon industry experience, best practices, and recent academic research regarding local government cybersecurity. Presented in no particular order, they are intended to serve as a solid, although not comprehensive or exhaustive, starting point that highlights some of the most important cybersecurity issues about which top local officials should inquire.

11.2 What Should My Local Government Be Protecting?

The first step in information protection is knowing what actually needs protecting. As discussed in Chapter 2, the goal of cybersecurity is to protect a local government’s “networks, devices, and data from unauthorized access” and to “ensur[e] confidentiality, integrity, and availability of information” (US Cybersecurity and Infrastructure Security Agency [CISA], 2019). This includes local government systems, platforms, data repositories, workflows, computers, cellphones, modems, servers, routers, and more. Local government IT or cybersecurity staff must first develop an inventory of these systems and devices, as well as of the processes and procedures currently in effect. Additionally, the staff should work to understand where points of vulnerability, both technical and operational, might exist by conducting a formal risk-analysis process. Together, the inventory and the risk analysis identify everything that needs protection.

For example, a local government comptroller or tax office might deem the ability to collect tax payments a critical local service. However, it is not simply the website through which citizens and businesses pay taxes that must be protected. The computer servers (web servers, databases, etc.) in the tax office and any external connections to payment processors, internet providers, or other government entities across the locality must be considered part of the tax collection workflow. Taken together, this one government service actually rests on a comprehensive and potentially complicated information environment that must be evaluated and protected as a whole. It also demonstrates how pervasive cybersecurity considerations are across modern organizations, in ways that are easily missed if protection is thought of only in terms of individual computers. The NIST Cybersecurity Framework (Chapter 9), and specifically the NIST Risk Management Framework, can help local governments identify cybersecurity assets and vulnerabilities, and guide plans and activities that make the best use of the often scarce financial and personnel resources available for this monumental task (NIST, n.d.).

Due to the often federated and decentralized nature of local governments, it is frequently difficult to obtain a complete view of everything within the IT organization’s purview. However, at a minimum, IT and cybersecurity staff should know the critical systems, resources, and workflows within their local government environment in order to have a clear understanding of what they are being charged with protecting. Just as in the five-function cybersecurity cycle discussed in Chapters 2 and 9, local governments must continuously identify the information systems and assets that make critical service delivery possible.
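The tax-collection example above can be made concrete with a small dependency inventory. The following is an added illustration for this chapter, not code from the book: it records each asset, its owner, and the assets it relies on, then walks the dependency edges from a critical service to compute everything that must be protected for that service, flagging external dependencies, assets with no owner, assets shared by more than one critical service, and names that something depends on but that nobody has inventoried (the federated-government blind spot discussed above). The inventory, asset names, owners and edges are constructed assumptions, not data from any real jurisdiction.

```python
"""Protection scope of a critical service, derived from a dependency inventory.

Added example for this chapter, not code from the book. The inventory below is
constructed for illustration; asset names, owners and dependency edges are
assumptions, not data from any real jurisdiction.
"""
from collections import deque

# Constructed inventory: asset -> owner, kind, and the assets it relies on.
INVENTORY = {
    "tax-portal-web":  {"owner": "Tax Office", "kind": "web server",
                        "depends_on": ["tax-db", "payment-gateway", "internet-uplink"]},
    "tax-db":          {"owner": "IT", "kind": "database",
                        "depends_on": ["san-storage", "ad-domain", "backup-server"]},
    "payment-gateway": {"owner": "vendor", "kind": "external", "depends_on": ["internet-uplink"]},
    "internet-uplink": {"owner": "ISP", "kind": "external", "depends_on": []},
    "san-storage":     {"owner": "IT", "kind": "storage", "depends_on": []},
    "ad-domain":       {"owner": "IT", "kind": "identity", "depends_on": []},
    "gis-map-server":  {"owner": "Planning", "kind": "web server", "depends_on": ["gis-db"]},
    "gis-db":          {"owner": None, "kind": "database", "depends_on": ["san-storage"]},
    # "backup-server" is referenced by tax-db above but nobody has inventoried it.
}

# Constructed: the services officials deem critical and the asset each is delivered from.
CRITICAL_SERVICES = {"tax collection": "tax-portal-web", "permit map": "gis-map-server"}


def protection_scope(inventory, root):
    """Breadth-first walk of dependency edges starting at root.

    Returns (reachable, missing): reachable is every inventoried asset the root
    transitively relies on (root included); missing is every name some asset
    depends on that is absent from the inventory, i.e. a gap in the picture.
    """
    reachable, missing, queue = set(), set(), deque([root])
    while queue:
        name = queue.popleft()
        if name in reachable or name in missing:
            continue
        if name not in inventory:
            missing.add(name)
            continue
        reachable.add(name)
        queue.extend(inventory[name]["depends_on"])
    return reachable, missing


def scope_report(inventory, root):
    """What must be protected for one service, with the findings an official should hear about."""
    reachable, missing = protection_scope(inventory, root)
    return {
        "assets": sorted(reachable),
        "external": sorted(a for a in reachable if inventory[a]["kind"] == "external"),
        "unowned": sorted(a for a in reachable if inventory[a]["owner"] is None),
        "missing": sorted(missing),
    }


def shared_assets(inventory, services):
    """Assets beneath more than one critical service: one failure there takes out several services."""
    counts = {}
    for root in services.values():
        reachable, _ = protection_scope(inventory, root)
        for a in reachable:
            counts[a] = counts.get(a, 0) + 1
    return sorted(a for a, n in counts.items() if n > 1)


if __name__ == "__main__":
    for service, root in CRITICAL_SERVICES.items():
        print(service, scope_report(INVENTORY, root))
    print("shared:", shared_assets(INVENTORY, CRITICAL_SERVICES))
```

Run against the constructed inventory, the tax-collection scope is six assets (not just the portal), two of which are external parties the local government does not control, and one referenced asset is missing from the inventory entirely; the storage array shows up under both critical services. Those are exactly the points a CISO's briefing on "what are we protecting" should surface.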

11.3 What are the Biggest Cybersecurity Threats Facing My Local Government?

As this book heads to press in late 2021, the biggest cybersecurity threat is almost undoubtedly ransomware attacks. These attacks have increased considerably in number during the COVID-19 pandemic and are expected to become even more frequent and more severe. This is partly because they are so profitable and there is so little risk to the attackers that they will be caught and prosecuted (see Chapters 1, 3, and 12). Phishing and spear phishing attacks (which are often used to deliver ransomware and other types of malware) are also increasing and pose a significant threat to local governments.

In addition to the prominence of ransomware, various sources suggest that there are additional threats that make the list of top cybersecurity concerns, including attacks on IoT devices, credential harvesting, zero-day exploits, insider threats, attacks on third parties and cloud providers, DoS and DDoS attacks, and more (e.g., GDATA, 2021; Goddard, 2021; Gurinaviciute, 2021).

It is fair to say that regardless of the threat, all pose serious risks, and all require strong cybersecurity defenses. Just like preparing for power outages or weather events, local governments must adopt appropriate plans and make adequate preparations to take the necessary actions to keep their operations functioning during and after attacks. In some cases, additional funding or staffing capabilities may be required to accomplish this necessary task.

11.4 Who is in Charge of Cybersecurity in My Local Government?

Typically, the answer is the CISO or another staff member formally assigned this responsibility. In practice, however, who is in charge varies. Larger, better-funded local governments are likely to have experienced and well-trained CISOs and more extensive cybersecurity capabilities and staffing. Smaller jurisdictions are likely to have smaller budgets and fewer staff, and the smallest may lack not only a CISO but any full-time, trained staff member dedicated to cybersecurity, or even to routine IT matters.

Additionally, the degree of authority assigned to the CISO or other staff person in charge of cybersecurity (hereafter, just CISO) will also vary. In some local governments the CISO has total responsibility for cybersecurity across the organization; in others, responsibility is divided. The 2020 CISO survey, for example, found that nearly two-thirds of CISOs had total responsibility while just over one-third shared it. In one of the cities with divided cybersecurity responsibility, San Francisco, the CISO has to deal with 52 separate, semi-autonomous departments (Norris, 2021).

In every local government, ultimate responsibility for all functions rests with the chief elected official or officials and/or the top appointed manager. This is not to say that these officials will be as knowledgeable about or as fluent in cybersecurity as cybersecurity professionals, although some might well be. Rather, the top officials will look to their cybersecurity staff to advise them. However, the final decision-making authority on cybersecurity issues remains theirs, and when something goes wrong, the proverbial buck, as Harry Truman wryly noted, stops with the top elected officials. This said, the buck may pause elsewhere on its way to the top, as it did in Baltimore after the 2019 ransomware attack when the CIO who had warned officials about cybersecurity weaknesses was essentially fired (see Chapter 1).

Finally, and to no one’s surprise, who is really in charge in at least a few jurisdictions may not be who is listed on the organization chart. It may be someone (elected or appointed) behind the scenes or perhaps someone not part of the local government at all (such as a major donor or vendor) with sufficient knowledge or influence to affect decision-making around and administration of this vital function. Large “P” politics may also play a role in cybersecurity in some local governments where, for example, political ideology drives or at least influences outsourcing decisions and vendor awards. Needless to say, these exceptions are never in the best interests of good local government administration and should be scrupulously avoided and, if identified, firmly remedied to the extent possible.

Local governments should always have a clear cybersecurity chain of command, at the head of which is a trained, experienced CISO who is formally invested with sufficient authority and responsibility to manage this function. There should be no question in any official or staff member’s mind about who is in charge. If there is (especially if it is widespread within the organization), surely problems will follow, especially during adverse cybersecurity events.

11.5 Is Cybersecurity Properly Staffed in My Local Government?

There is no easy way to answer whether your local government cybersecurity function is properly staffed. The 2020 CISO survey that one of the authors conducted (mentioned in Chapters 5 and 6) addressed this question and found considerable variation in cybersecurity staffing among the local governments in the survey (Norris, 2021). For example, one city reported no in-house cybersecurity staff, and one reported 24. The number of cybersecurity staff was not exactly proportional to local government population, although larger governments generally had more cybersecurity staff. Among the smaller jurisdictions in the survey (less than 700,000 residents), the number of in-house cybersecurity staff ranged from zero to 12. Among the mid-size jurisdictions (between 700,000 and 1 million), one had zero, one had five, one eight, and one 14. Among the larger jurisdictions (between one million and nearly four million), one had seven, one nine, one 12, and one 24.

Some sources suggest that cybersecurity staffing should be a percentage (usually in the range of 5 to 10 percent) of an organization’s IT staff (e.g., Fimlaid, 2019; Mehravari and Allen, 2016). This may not be the best advice because IT staffing may be quite small or unusually large, so a percentage guideline may not produce satisfactory staffing results for every local government. A better approach might be to examine the types and range of cybersecurity functions that must be performed in a local government and then estimate the number of staff and skill sets required for those functions. A second, and complementary approach might be to determine the number of cybersecurity personnel in similarly sized local governments whose cybersecurity functions are similar. Whatever approach is taken, top local officials should carefully examine what is needed to ensure that cybersecurity is adequately staffed and then, within budgetary limitations, authorize the CISO to advertise, recruit, and hire the appropriate number of qualified staff.

11.6 Does My Local Government Budget Adequately for Cybersecurity?

As noted at various points in this book, studies have repeatedly found that inadequate funding is the top barrier to cybersecurity in American local governments. The 2016 nationwide survey found that the top four barriers to cybersecurity were inability to pay competitive salaries, insufficient number of cybersecurity staff, lack of funds, and lack of adequately trained personnel. And each of these barriers is linked to funding (Norris et al., 2019). So, it is likely that many local governments may not be funding cybersecurity adequately, either.

The IT research and advisory firm Gartner found that average spending by US businesses on cybersecurity is between 5 and 8 percent of companies’ IT budgets (Nash, 2019). Among the local governments in the 2020 survey, the average amount of cybersecurity spending was 4 percent of the IT budget, and the range was between zero and 10 percent. Just over half of these governments spent less on cybersecurity (as a percentage of their IT budgets) than Gartner found among US businesses, while one-third were within or greater than Gartner’s estimate (Nash, 2019).

One way for local officials to learn whether the cybersecurity budget is adequate is to ask their CISOs this question regularly, although the answer provided may not be totally objective. One complaint often heard from business executives and local government officials is that IT departments are always asking for more money. Therefore, it is important to obtain a more objective picture of cybersecurity funding needs versus funds actually budgeted. This can be accomplished by comparing available cybersecurity resources against those of similarly sized local governments in the region, conducting a risk analysis to help determine the likely scope of an appropriately sized cybersecurity capability, or engaging consultants and other third parties to provide management analysis and advice on how to balance necessary cybersecurity requirements with current or projected funding availability.

11.7 Does My Local Government Follow Cybersecurity Best Practices?

For nearly thirty years, government, industry, and academic experts have developed and promulgated many best practice recommendations regarding how to build and sustain effective cybersecurity in organizations. This book contains an entire chapter (9) about the NIST Cybersecurity Framework, a document that epitomizes current cybersecurity best practices, and Chapter 7 discusses essential cybersecurity policies. If local governments follow cybersecurity best practice recommendations like these, they will be able to provide acceptable, if not high, levels of cybersecurity for their information assets. Properly implemented, many of these recommendations (collectively known as cyber hygiene) reduce the chances of both accidental and malicious cybersecurity incidents.

Unfortunately, studies have shown that, on average, local governments do not practice cybersecurity effectively. The results of the 2016 survey, discussed in Chapter 6, make this strikingly clear. Only 55 percent of respondents said that their local government’s cybersecurity technology was at the level of best practice, only 43 percent said their practices were at that level, and less than one-third said that their policies were at that level with one-quarter saying that their policies were one generation behind (Norris et al., 2020).

But how can local officials know if their governments are following best practices? Perhaps the best way is to task the CISO with reporting at least annually to top officials about which best practices have been implemented, whether they are fully or only partially implemented, whether there have been any implementation problems, whether all relevant personnel, elected and otherwise, have been trained in cybersecurity awareness and hygiene and are practicing it properly, and so on. Officials in larger local governments (and those with sufficient funding) may want to periodically hire security firms or seek assistance from other security experts (e.g., local universities, National Guard cyber units, CISA, etc.) to conduct independent audits of their governments’ cybersecurity policies, procedures, and practices to ensure that they are following best practices. The bottom line is to ask and then to verify and, as has been noted elsewhere in this chapter, to make sure that this is an ongoing process and not a one-off exercise.

11.8 Do My Local Government’s Cybersecurity Policies and Procedures Match What is Happening in Practice?

This is an easy one to answer. Following the recommendations of the previous section, ask, keep asking, and verify. Then ask again. Use independent external organizations to conduct audits as needed. Additionally, local government cybersecurity and IT organizations should engage in an internal process of continual self-assessment and improvement to ensure not only effectiveness of their cybersecurity program and activities, but that it remains effective against an ever-changing threat and vulnerability landscape.

11.9 How Does My Local Government Ensure Continuous Improvement for Cybersecurity?

Effective cybersecurity is a journey, not a destination. Cybersecurity should also be considered a process of continuous improvement (e.g., Gelnaw, 2019; Interactive.com, 2021). A continuous improvement process is needed because the threat landscape is constantly changing and evolving. As a result, local governments must continuously adapt to the changing cybersecurity environment. This can be accomplished through a process of continuous improvement in which local governments constantly monitor for threats, identify and examine risks, and make any adjustments needed in their cybersecurity program to counter the threats and mitigate the risks identified in the monitoring process.

One reason for the failure of so many organizations, in both the public and private sectors, to follow a continuous improvement process is that many of their top executives think in terms of models that emphasize cybersecurity in fortification terms – building firewalls, etc. “The problem with these mental models is that they treat cybersecurity as a finite problem that can be solved, rather than the ongoing process that it is” (Lohrmann, 2019).

To ensure that their governments engage in continuous improvement, local officials should task their CISOs to conduct regular briefings on how the continuous cybersecurity improvement process works in their governments, if one exists, and what are the results of that process. If a continuous improvement process does not exist, or has only been partially implemented, these officials should task their CISOs with establishing one or fully implementing one.

11.10 Do All Officials and Employees in My Local Government Receive Adequate Cybersecurity Training?

To answer this question, top local officials need to ask their cybersecurity leadership what training is offered, how frequently it is offered, whether it is mandatory or optional, and whether any means are employed to periodically test if end users are practicing proper cybersecurity hygiene. Answers to the first two will provide information about whether the right training is being provided and whether it is offered frequently enough. At a minimum, local governments should provide cybersecurity awareness training for all officials, staff, contractors, indeed all parties who use their governments’ IT systems and networks. The training must be mandatory for all, and accountability mechanisms should be developed in order to ensure that all users practice proper cybersecurity hygiene (see Chapter 8).

Some of the more important components of cybersecurity awareness training include: ensuring users understand the local government’s rules concerning computer, email, internet, and social media usage; password rules; how to identify and what to do about social engineering (phishing and more); rules concerning BYOD, and the rules concerning working remotely, among other items.

It is helpful to conclude the training with quizzes or scored games to find out if users actually learned what was taught in the trainings. If it appears that learning did not occur satisfactorily, then perhaps re-training is needed or maybe the training itself needs to be re-tooled or some combination of both.

Additionally, cybersecurity staff should run periodic tests to determine if end users are practicing what they have learned from the training. This could be something as simple as a phishing email designed to trick unwary users into opening an attachment or clicking on a URL or dropping USB drives around the facility to see if users connect them to their computers (thus potentially launching a malware attack) or bring them to IT instead. Perhaps consider contests to recognize employees who demonstrate sound cybersecurity practices. Those who fail tests should be required to attend further trainings. Repeated failures could result in the loss of some or all computer use privileges and in extreme cases result in termination of employment. It’s important to remember that cybersecurity training activities can be as innovative, creative, and even as fun as imagination or budgets allow, which in turn can facilitate greater participation and learning by turning an otherwise boring required task into something interesting and even rewarding.
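The simulated-phishing test described above only works if each recipient's link can be attributed to that recipient and if the results feed the retraining rule. The following is an added example for this chapter, not code from the book or from any awareness-training product. It generates a per-user, per-campaign tracking token (an HMAC, so one employee cannot guess a colleague's link and click it on their behalf, and a token from one round cannot be replayed in the next), scores a constructed landing-page log into per-user outcomes where the worst action wins (a user who clicks and then reports still clicked), computes the click and report rates, and flags repeat failures for mandatory retraining. The signing key, the users, the campaign identifier, the log records and the prior-round results are all constructed assumptions.

```python
"""Scoring a simulated-phishing campaign: an added example for this chapter, not
code from the book or from any commercial awareness-training product.

Everything below is constructed for illustration: the users, the campaign id,
the signing key and the landing-page log lines are assumptions.
"""
import hashlib
import hmac

# Assumption: a long random key held only by the simulation server. Tokens are HMACs
# of (campaign, user) so nobody can guess a colleague's link and "click for them",
# and a token from one campaign cannot be replayed against another.
SIGNING_KEY = b"replace-with-a-long-random-secret"

# Worst outcome wins: a user who clicks and then reports still clicked.
RANK = {"no_action": 0, "reported": 1, "clicked": 2, "submitted": 3}
FAILED = {"clicked", "submitted"}


def tracking_token(campaign_id, user):
    msg = f"{campaign_id}:{user}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()[:16]


def build_campaign(campaign_id, users):
    """token -> user: what the landing page consults when a tracked link is hit."""
    return {tracking_token(campaign_id, u): u for u in users}


def parse_events(log_text):
    """Landing-page/report-button log, one 'timestamp,token,event' record per line."""
    events = []
    for line in log_text.strip().splitlines():
        ts, token, event = (f.strip() for f in line.split(","))
        if event not in RANK:
            raise ValueError(f"unknown event {event!r} in {line!r}")
        events.append((ts, token, event))
    return events


def score_campaign(token_map, events):
    """Per-user outcome plus campaign-level rates. Unknown tokens are kept for review."""
    outcome = {u: "no_action" for u in token_map.values()}
    reported, unknown = set(), []
    for _ts, token, event in events:
        user = token_map.get(token)
        if user is None:
            unknown.append(token)   # forged, from another campaign, or a URL scanner
            continue
        if event == "reported":
            reported.add(user)
        if RANK[event] > RANK[outcome[user]]:
            outcome[user] = event
    n = len(outcome)
    summary = {
        "failure_rate": sum(o in FAILED for o in outcome.values()) / n,
        "report_rate": len(reported) / n,
        "unknown_tokens": unknown,
    }
    return outcome, summary


def needs_retraining(history, threshold=2):
    """history: user -> outcomes across campaigns; flags users at or over the failure threshold."""
    return sorted(u for u, outs in history.items() if sum(o in FAILED for o in outs) >= threshold)


# Constructed campaign and log (tokens are generated so the sample is self-consistent).
CAMPAIGN_ID = "2021-q4"
USERS = ["alice@city.example", "bob@city.example", "carol@city.example", "dave@city.example"]


def _t(user):
    return tracking_token(CAMPAIGN_ID, user)


SAMPLE_LOG = "\n".join([
    f"2021-11-03T09:12:00Z,{_t('bob@city.example')},clicked",
    f"2021-11-03T09:13:10Z,{_t('bob@city.example')},submitted",
    f"2021-11-03T09:20:44Z,{_t('alice@city.example')},reported",
    f"2021-11-03T10:02:01Z,{_t('carol@city.example')},clicked",
    f"2021-11-03T10:05:30Z,{_t('carol@city.example')},reported",
    "2021-11-03T11:00:00Z,deadbeefdeadbeef,clicked",   # constructed: not one of our tokens
])
# Constructed results of the previous round, for the repeat-failure check.
PRIOR_ROUNDS = {"alice@city.example": ["no_action"], "bob@city.example": ["clicked"],
                "carol@city.example": ["no_action"], "dave@city.example": ["reported"]}


def run_demo():
    tokens = build_campaign(CAMPAIGN_ID, USERS)
    outcome, summary = score_campaign(tokens, parse_events(SAMPLE_LOG))
    history = {u: PRIOR_ROUNDS[u] + [outcome[u]] for u in USERS}
    return outcome, summary, needs_retraining(history)


if __name__ == "__main__":
    print(run_demo())
```

Two design points worth noting in the briefing: the report rate is reported alongside the click rate, because an employee who clicks and then immediately reports has still given the security team the warning it needs; and tokens that do not belong to the campaign are kept rather than discarded, since a click on a token nobody was sent usually means a mail-scanning appliance followed the link, which would otherwise inflate the click rate.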

11.11 Is My Local Government Able to Detect Cyberattacks?

As discussed earlier in this book, it is essential that local governments are able to detect attacks, incidents, and breaches. If they cannot, they are essentially operating blind. The 2016 survey found that fewer than half of local governments were prepared to detect attacks – 42 percent, incidents – 38 percent, and breaches – 36 percent (Norris et al., 2019). These capabilities have almost certainly improved since the survey was conducted at least among larger and more well-funded local governments. Unfortunately, it is questionable if others have improved substantially. Therefore, local officials should task their CISOs to brief them periodically on measures being taken to ensure that their local governments are taking all the means necessary to detect attacks, incidents, and breaches, to explain those measures, and describe their effectiveness.

Detection of attacks, incidents, or suspicious activity comes in many forms. Most frequently, the first step is the proper deployment of network sensors and log sources such as firewalls and intrusion detection and prevention systems, along with security tools on individual computers such as antimalware software, together with subscriptions to third-party threat monitoring services. Logs and alerts from these sources can be fed into a Security Information and Event Management (SIEM) system that gives IT and cybersecurity staff an aggregated, top-down picture of the activity on their networks, allowing them to identify and respond to potentially malicious activity more quickly. A SIEM only detects what someone has written a rule or query for, and only helps if someone is assigned to review its alerts, so the briefing should cover which detection rules are in place and who watches them. Additionally, the IT help desk can be a source of incident detection based on the types of inquiries received from users reporting problems or other anomalies on their computers. Unfortunately, some incidents (including data breaches) are only discovered through third-party and media reports after the fact.
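As an added example of the kind of rule a SIEM runs over sensor data (this is illustration for the chapter, not code from the book or from any SIEM product), the following parses SSH authentication log lines and applies three sliding-window detections per source address: a brute-force rule (many failures from one address in a short window), a password-spray rule (failures against several distinct accounts from one address), and a higher-severity rule for a successful login that follows a burst of failures, which is the event a responder most needs to see. The log lines are constructed for this example (using RFC 5737 documentation addresses); the thresholds, the window and the assumed log year are parameters a real deployment would tune.

```python
"""Brute-force, password-spray and success-after-failure detection over SSH auth logs.

Added example for this chapter, not code from the book or from any SIEM product.
The log lines are constructed for illustration (RFC 5737 documentation addresses);
the thresholds and the log year are assumptions to be tuned for a real network.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2021  # syslog timestamps carry no year; assumed for this example

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample: one address hammers the tax web server and then gets in;
# a second address has two failures half an hour apart (normal typo behaviour).
SAMPLE_LOG = """\
Nov  3 09:00:01 tax-web sshd[2311]: Failed password for root from 203.0.113.7 port 51234 ssh2
Nov  3 09:00:09 tax-web sshd[2314]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Nov  3 09:00:17 tax-web sshd[2318]: Failed password for invalid user oracle from 203.0.113.7 port 51251 ssh2
Nov  3 09:00:25 tax-web sshd[2320]: Failed password for jsmith from 203.0.113.7 port 51263 ssh2
Nov  3 09:00:33 tax-web sshd[2325]: Failed password for jsmith from 203.0.113.7 port 51270 ssh2
Nov  3 09:00:41 tax-web sshd[2329]: Failed password for jsmith from 203.0.113.7 port 51277 ssh2
Nov  3 09:01:02 tax-web sshd[2333]: Accepted password for jsmith from 203.0.113.7 port 51283 ssh2
Nov  3 09:05:00 tax-web CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)
Nov  3 09:10:00 tax-web sshd[2451]: Failed password for mjones from 198.51.100.22 port 40011 ssh2
Nov  3 09:40:00 tax-web sshd[2602]: Failed password for mjones from 198.51.100.22 port 40018 ssh2
Nov  3 09:41:00 tax-web sshd[2610]: Accepted password for mjones from 198.51.100.22 port 40020 ssh2
"""


def parse_line(line):
    """Return a dict for sshd password-auth lines, None for anything else (cron, kernel, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {LOG_YEAR}", "%b %d %H:%M:%S %Y")
    return {"ts": ts, "host": m["host"], "user": m["user"], "ip": m["ip"],
            "ok": m["result"] == "Accepted"}


def detect(lines, window=timedelta(minutes=5), fail_threshold=5, spray_users=3, compromise_fails=3):
    """Sliding-window rules evaluated per source IP.

    brute_force:            >= fail_threshold failures from one IP inside the window
    password_spray:         failures against >= spray_users distinct accounts inside the window
    success_after_failures: an accepted login from an IP with >= compromise_fails recent failures
    The first two fire once per IP so a noisy source cannot flood the alert queue.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # ip -> deque of (ts, user) for failures inside the window
    alerts, fired = [], set()
    for e in events:
        q = recent[e["ip"]]
        while q and e["ts"] - q[0][0] > window:   # expire failures older than the window
            q.popleft()
        if e["ok"]:
            if len(q) >= compromise_fails:
                alerts.append({"rule": "success_after_failures", "ip": e["ip"],
                               "user": e["user"], "failures": len(q), "ts": e["ts"]})
            continue
        q.append((e["ts"], e["user"]))
        if len(q) >= fail_threshold and ("brute_force", e["ip"]) not in fired:
            fired.add(("brute_force", e["ip"]))
            alerts.append({"rule": "brute_force", "ip": e["ip"], "failures": len(q), "ts": e["ts"]})
        targets = {u for _, u in q}
        if len(targets) >= spray_users and ("password_spray", e["ip"]) not in fired:
            fired.add(("password_spray", e["ip"]))
            alerts.append({"rule": "password_spray", "ip": e["ip"],
                           "users": sorted(targets), "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed log this raises three alerts, all for 203.0.113.7, and none for the second address whose two failures fall outside the window. The dedupe set is the part most often missing from a first draft of such a rule: without it, an attacker sending thousands of attempts produces thousands of identical alerts and the one that matters (the accepted login) is buried.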

11.12 Is My Local Government Able to Respond Effectively to Adverse Cybersecurity Events?

The 2016 survey found that only 27 percent of local governments were prepared to recover from breaches, 25 percent to recover from exfiltration of data, and 48 percent to recover from ransomware attacks (Norris et al., 2019). As mentioned above, this has no doubt improved among at least some local governments, but among those without adequate resources and staffing it probably remains unsatisfactory.

In order to be able to recover from adverse cybersecurity events, it is essential that local governments adopt and implement at least the following policies: acceptable use policy, information security policy, privacy policy, identity and access management policy, incident handling policy, and disaster recovery/business continuity policy. Together these help them understand the actions that must be taken to respond to cybersecurity incidents. Chapter 7 describes these policies, and others, in greater detail. Policies on paper do not restore systems, however: the incident handling and disaster recovery procedures should be exercised (for example, through tabletop exercises) and backups periodically test-restored before an event occurs, so that the first real test of the plan is not the incident itself.

11.13 Should My Local Government Try to Build Cybersecurity Partnerships and, if So, with What Organizations?

The answer to this question is a resounding yes. First, local governments should develop proactive relationships with local, state, and federal law enforcement organizations that handle cybersecurity investigations. For example, the FBI participates in sector-specific Information Sharing and Analysis Centers (ISACs) that have local government affiliates, as do the Department of Justice’s Joint Terrorism Task Forces (JTTFs). Perhaps the largest ISAC related to local governments is the Multi-State Information Sharing and Analysis Center (MS-ISAC), which has at least 10,706 local governments and local government agencies and organizations as partners (MS-ISAC, n.d.). MS-ISAC membership comes with access to threat advisories, a cyber alert map, incident response services, education materials, tabletop cybersecurity exercises, a 24/7 security operations center, a Malicious Code Analysis Platform (MCAP), a Vulnerability Management Program (VMP), and more. Regional information sharing organizations like the New York City Cyber Critical Service and Infrastructure (CCSI) Project, which has 282 members, also offer the opportunity to share threat intelligence (Manhattan District Attorney’s Office, n.d.; Paul, 2021). The Coalition of City CISOs is a smaller, more targeted organization in which cybersecurity operations leaders of larger municipalities network and share best practices and threat information (Coalition of City CISOs, n.d.).

In addition to the FBI and MS-ISAC, local governments should consider forming relationships with CISA, which provides assistance in incident response through the National Cybersecurity and Communications Integration Center (CISA, 2021). CISA has 10 regional offices throughout the country which provide services to critical infrastructure providers and state and local governments, and whose Regional Directors are excellent points of contact for relationship building and in times of emergency (CISAc, n.d.). CISA also offers a range of assessment tools, such as vulnerability scanning, phishing campaign assessment, risk and vulnerability assessment, cyber resilience review, external dependencies management assessment, cyber infrastructure survey, remote penetration testing, web application scanning, the Cyber Security Evaluation Tool (CSET®), and validated architecture design review (CISAa, n.d.).

Local government cybersecurity departments should seek out, join, and participate in local, regional, national, and/or global working groups, task forces, associations, and training events, and should build relationships with infrastructure providers, utilities, hospitals, and similar organizations, in order to gain professional and operational networking opportunities, share information about threats and risks, learn, and otherwise mutually support the cybersecurity community. Professional organizations such as the International City/County Management Association, the National Association of Counties, and the Public Technology Institute all provide up-to-date cybersecurity resources and recommendations for local governments.

In an ideal world, such professional and personal relationships should be established and developed before, not during or after, a cybersecurity incident occurs. Doing so frequently gives those involved a “running start” as they begin preparing the response. If relationships with law enforcement organizations that can assist with cybersecurity investigations are already formed, the trust and familiarity already built can make incident response and mitigation quicker and more efficient. Information-sharing organizations, like MS-ISAC, help local government cybersecurity departments keep abreast of the latest threats and trends in order to better identify an incident when it occurs, and to address known vulnerabilities.

Local governments might also consider forming relationships with regional academic institutions, like universities, community colleges, and technical schools for cybersecurity internships, job placements, and more. For example, the Center for Advanced Red Teaming at the University at Albany works with organizations in the public (and private) sector to help anticipate, prevent, and mitigate cybersecurity incidents (The Center for Advanced Red Teaming, n.d.). Red Teaming is a process by which a team of people tests an organization’s information systems to identify any vulnerabilities in practice, which also helps train the team of testers. Such partnerships can help address the skills gap in local government cybersecurity by creating a pipeline to employment for local, trained cybersecurity practitioners.

11.14 Does My Local Government Follow the NIST Cybersecurity Framework’s Standards?

The answer to this question can be relatively straightforward as a yes or no. However, as discussed in Chapter 9, there is not exactly a clear line or point when a local government can say, “yes, the NIST Cybersecurity Framework has been fully implemented.” The more correct answer would be, “yes, the local government cybersecurity department has incorporated the NIST Cybersecurity Framework into its cybersecurity program and planning, which we follow to the best of our ability and available resources.”

The framework provides a process and tool through which local governments can identify and assess their current cybersecurity posture and plan for where they wish to be in the future. The framework’s categories and subcategories describe the outcomes a local government must achieve for each aspect of the organization’s cybersecurity. Depending on the unique characteristics of the local government and the services it provides, different areas of the framework may be more robustly followed than others. The subcategories also link directly, through their informative references, to the specific industry standards and NIST special publications that set forth the technical requirements for meeting those outcomes. Following the NIST Cybersecurity Framework as closely as possible helps ensure that the local government has implemented current cybersecurity best practices and standards and has a high level of cybersecurity protection.

11.15 Does My Local Government Need Cybersecurity Insurance?

Cybersecurity insurance can help protect local governments against losses related to cyberattacks and breaches. Although policies can vary widely, covered expenses typically include the cost of notifying individuals and providing credit-monitoring services for those whose PII has been affected by a breach, as well as costs related to recovering data and restoring systems to a functioning state. Legal costs related to litigation subsequent to a breach, or regulatory proceedings can also be covered by cybersecurity insurance. Crisis management, forensics, and loss of income might also be included. These costs are generally not included in general liability insurance policies. Local governments considering cybersecurity insurance can experience many benefits, such as undergoing a formal cybersecurity risk assessment in order to receive coverage. Undergoing such a review can identify and highlight vulnerabilities and encourage adoption of cybersecurity best practices.

There are exemptions to cybersecurity insurance policies, including the war and terrorism exemption, which raise questions about coverage of attacks stemming from state-sponsored organizations. It is unclear how the war and terrorism exemption affects cybersecurity insurance coverage in practice. In 2017, Mondelez International, a large multinational food corporation housing brands like Chips Ahoy, Oreo, Halls, and Cadbury, suffered at least $100 million in damages caused by the NotPetya cyberattack (Bateman, 2020). The US, UK, Lithuania, Estonia, Canada, Australia, New Zealand, and others jointly attributed the NotPetya attack to the Russian government (Corcoran, 2019). Zurich American Insurance denied Mondelez International’s claim on the sole ground that “hostile or warlike action…by any government or sovereign power… or agent or authority [thereof]” was excluded under the policy (Bateman, 2020). Mondelez brought suit in 2018, and litigation remains ongoing as of this writing.

Cybersecurity insurance can also create perverse incentives for attackers if it covers ransomware payments. If successful attacks against organizations with cybersecurity insurance frequently result in payment, this encourages further attacks. Additionally, as seen in the attack against Colonial Pipeline, paying the ransom does not ensure system restoration, let alone speedy recovery (Turton et al., 2021). While it is not specifically illegal to make ransomware payments, the US Department of the Treasury issued an advisory highlighting the risk of sanctions against those making or facilitating such payments to “malicious cyber actors” (US Department of the Treasury, 2020). Moreover, some state governments are moving in the direction of adopting legislation to prohibit state agencies and local governments from paying ransom (Bergal, 2021). This is likely a growing trend.

Because attribution of who conducted a cyberattack can be incredibly difficult and take an extensive amount of time to accomplish, and because ransom payments are often made using anonymous cryptocurrencies (making it that much more difficult to know who is on the receiving end), it is almost impossible to know whether the payment is made to a designated “malicious cyber actor.” Despite the potential for quick system restoration as the result of paying the ransom demand, it is probably best that local governments not make or authorize ransomware payments regardless of whether such payments are covered by cybersecurity insurance.

Local governments should consider the numerous benefits of cybersecurity insurance coverage, including the process of applying for coverage itself. The New York State Department of Financial Services (NYDFS) issued industry guidance to insurers in the form of a cybersecurity insurance risk framework in 2021 (New York State Department of Financial Services, 2021). The framework directs cybersecurity underwriters to implement seven best practices. Whatever form policies take as underwriters respond to such guidance, local governments must understand specifically what is and is not covered by their cybersecurity insurance policies. Despite the current uncertainties in the cybersecurity insurance market, the benefits and services provided by coverage are considerable, especially for local governments with limited resources. Looking ahead, it is also unclear whether cybersecurity insurance policies will continue providing coverage for ransomware attacks and how future ransomware policy riders might be structured.

11.16 What Would an Attacker Do Against Our Local Government, and Would We Be Prepared?

Attackers will exploit known vulnerabilities and threats in the hope that some local governments or third parties have not yet patched or upgraded their systems, or that a user will fall prey to a social engineering attack such as a phishing email. Attackers will try a range of measures, persistently, to gain access to government systems. System access allows adversaries to sit, wait, and watch activity on government networks; to capture and potentially expose or sell PII and other government data; or to encrypt, destroy, or expose that data and those systems unless a ransom is paid. Defenders must be prepared to detect a breach as soon as possible, to mitigate the effects of a breach, and to improve local government systems so that similar attacks will not succeed in the future.

One of the best ways for local governments to understand what an attacker can do against their information systems is by engaging in a Red Team/Blue Team review and training process. As discussed in Section 11.13 above, a red team is a group of individuals testing a government’s systems in a campaign as if they were legitimate attackers. The red team emulates common attack tools and methodologies and goes through the attack lifecycle as a typical hacker might. Blue teams act as the government’s proactive network defenders. These defenders try to divert the adversary’s efforts by precluding them from having an effect and impeding their actions, limiting the effectiveness of the attack, and exposing the adversary. These two groups take combined lessons learned and integrate improvements into the government’s information systems. Frequently, the red teams are third-party experts who specialize in penetration testing and other types of adversarial behavior practiced by cyberattackers.

Engaging in red team/blue team exercises can help local governments identify and remediate cybersecurity vulnerabilities. Tabletop cybersecurity exercises are also a great option to help local government leaders – especially managers – understand the threats they face, consider how they might respond to them, and otherwise get a sense of how adverse cybersecurity events are experienced in reality. CISA offers tabletop exercises (CISA, n.d.b) as well as remote penetration tests, phishing campaign assessments, web application scanning, and vulnerability scanning (CISA, n.d.a). And, as mentioned earlier, cybersecurity awareness activities and training can help local governments understand their level of preparedness – especially as it pertains to individual end-users.

CISA provides free cybersecurity tabletop exercises that local governments should utilize in order to practice real-life scenarios, spot areas for improvement, and incorporate lessons learned into policy and practice (CISA, n.d.; https://www.cisa.gov/publication/cybersecurity-scenarios). Tabletop exercises provide the opportunity for relationship building across departments, which is essential in the event of an emergency, and for employee training and development more generally.

11.17 Conclusion

This chapter has raised and endeavored to answer a number of important cybersecurity-related questions that local government leaders should be asking of themselves and their IT and cybersecurity professionals. But these are not the only questions that can and should be asked! Again, local government officials must understand that cyber threats continually change and evolve, so asking questions like these must not become a one-and-done task on a management checklist. Rather, such data collection, reflection, and self-assessment should be a continuous process that leads to the development of specific insights and recommendations that can guide day-to-day cybersecurity activities and shape an understanding of the cybersecurity culture within the local government.

This analysis can also be presented to top elected and appointed officials not only to provide updates on local government cybersecurity matters, but also to help justify management decisions and policies as well as requests for additional budget or staffing resources for cybersecurity. Ultimately, cybersecurity is an iterative process and a continuous cycle – asking questions like those presented in this chapter can help make implementing and managing the process of effective local government cybersecurity a smoother one for all concerned.

References

  1. Bateman, J. (2020, October 05). War, terrorism, and catastrophe in cyber insurance: Understanding and reforming exclusions. Carnegie Endowment for International Peace. https://carnegieendowment.org/2020/10/05/war-terrorism-and-catastrophe-in-cyber-insurance-understanding-and-reforming-exclusions-pub-82819
  2. Bergal, J. (2021, July 26). States consider legislation to ban ransomware payments. Government Technology. https://www.govtech.com/policy/states-consider-legislation-to-ban-ransomware-payments
  3. Center for Advanced Red Teaming (n.d.). The global focal point for Red Teaming research, training and practice. https://www.albany.edu/cehc/cart
  4. Coalition of City CISOs (n.d.). About us. https://cityciso.org/about-us
  5. Corcoran, B. (2019, March 08). What Mondelez v. Zurich may reveal about cyber insurance in the age of digital conflict. LawFare. https://www.lawfareblog.com/what-mondelez-v-zurich-may-reveal-about-cyber-insurance-age-digital-conflict
  6. Cybersecurity Infrastructure and Security Agency (CISA), US Department of Homeland Security (n.d.a). Cyber resource hub. https://www.cisa.gov/cyber-resource-hub
  7. Cybersecurity Infrastructure and Security Agency (CISA), US Department of Homeland Security (n.d.b). CISA tabletop exercise package. https://www.cisa.gov/publication/cisa-tabletop-exercise-package
  8. Cybersecurity Infrastructure and Security Agency (CISA), US Department of Homeland Security (n.d.c). CISA Regions. https://www.cisa.gov/cisa-regions
  9. Cybersecurity Infrastructure and Security Agency (CISA), US Department of Homeland Security (2019, November 14). Security Tip (ST04-001) What is cybersecurity? https://us-cert.cisa.gov/ncas/tips/ST04-001
  10. Cybersecurity Infrastructure and Security Agency (CISA), US Department of Homeland Security (2021, February 25). Cyber incident response. https://www.cisa.gov/cyber-incident-response
  11. Fimlaid, J. (2019, March 5). Information security staffing guide. NuHarbor Security. https://www.nuharborsecurity.com/information-security-staffing-guide
  12. GDATA (2021, May 3). 11 Biggest cyber security threats in 2021. https://www.gdatasoftware.com/blog/biggest-security-threats-2021
  13. Gelnaw, A. (2019, March 22). The importance of continuous improvement in security performance management. BitSight. https://www.bitsight.com/blog/importance-continuous-improvement-security-performance-management
  14. Goddard, W. (2021, May 18). Top 25 cyber security threats. IT Chronicles. https://itchronicles.com/information-security/top-25-cyber-security-threats
  15. Gurinaviciute, J. (2021, February 3). 5 biggest cybersecurity threats. Security Magazine. https://www.securitymagazine.com/articles/94506-5-biggest-cybersecurity-threats
  16. Interactive.com (2021). A framework for continuous cyber security improvement. https://www.interactive.com.au/insights/a-framework-for-continuous-cyber-security-improvement
  17. Lohrmann, D. (2019, February 23). Why so many organizations still don’t understand security. Government Technology. https://www.govtech.com/blogs/lohrmann-on-cybersecurity/why-many-organizations-still-dont-get-security.html. In this blog post, Lohrmann cites the following: Alex Blau. 2017. The Behavioral Economics of Why Executives Underinvest in Cybersecurity. Harvard Business Review.
  18. Manhattan District Attorneys Office (n.d.). NYC cyber critical service and infrastructure (CCSI) project. https://www.manhattanda.org/ccsi
  19. Mehravari, N. and Allen, J. (2016, February 22). Structuring the chief information security officer (CISO) organization. SEI Blog. https://insights.sei.cmu.edu/blog/structuring-chief-information-security-officer-ciso-organization
  20. Multi-State Information Sharing & Analysis Center (MS-ISAC) (n.d.). MS-ISAC local governments. https://www.cisecurity.org/partners-local-government
  21. Nash, K.S. (2019, December 30). Tech chiefs plan to boost cybersecurity spending. The Wall Street Journal. https://www.wsj.com/articles/tech-chiefs-plan-to-boost-cybersecurity-spending-11577701802
  22. New York State Department of Financial Services (2021, February 04). Insurance circular letter no. 2 (2021). https://www.dfs.ny.gov/industry_guidance/circular_letters/cl2021_02
  23. Norris, D.F. (2021). A new look at local government cybersecurity 2020. Public Management/Local Government Review, pp. 15–20. Washington, DC: International City/County Management Association.
  24. Norris, D.F., Mateczun, L., Joshi, A., and Finin, T. (2019). Cyberattacks at the grassroots: American local governments and the need for high levels of cybersecurity. Public Administration Review, 79 (6), 895–904. https://doi.org/10.1111/puar.13028
  25. Norris, D.F., Mateczun, L., Joshi, A., and Finin, T. (2020). Managing cybersecurity at the grassroots: Evidence from the first nationwide survey of local government cybersecurity. Journal of Urban Affairs, 43 (8), 1173–1195. https://doi.org/10.1080/07352166.2020.1727295
  26. Paul, D. (2021, July 08). New York City opens cyberattack defense center. The Wall Street Journal. https://www.wsj.com/articles/new-york-city-opens-cyberattack-defense-center-11625778530
  27. Turton, W., Riley, M., and Jacobs, J. (2021, May 13). Colonial Pipeline paid hackers nearly $5 million in ransom. Bloomberg. https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom
  28. U.S. Department of the Treasury (2020, October 01). Advisory on potential sanctions risks for facilitating ransomware payments. https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf
  29. U.S. National Institute of Standards and Technology (NIST) (n.d.). About the risk management framework (RMF). https://csrc.nist.gov/Projects/risk-management/about-rmf