2 What is Cybersecurity?

2.1 Introduction

This chapter begins with a brief description of cybersecurity, followed by a definition of the term itself. It then discusses the three “dimensions” of cybersecurity, or the “cybersecurity cube.” Next, it introduces the five functions of cybersecurity as laid out in the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Finally, it concludes with a brief history of the origin of the internet and of e-government.

Cybersecurity can be considered “good health care” for local governments and society at large. In fact, the term “cyber-hygiene” has been applied to the implementation of routine cybersecurity measures. In today’s world, and probably for a long time into the future, cybersecurity is essential. This is because society has grown dependent on computing and the internet to structure daily life, and corporate and government operations increasingly rely on information and information resources. Therefore, a simple interpretation of cybersecurity is the protection of information technology systems such as computers and mobile devices in organizations (and homes) and of the data that they collect, manipulate, store, and transmit.

By extension, information transferred over networks, the networks themselves, and the software, hardware, and other devices involved must all be secured and protected. In some cases, such as with laptops or mobile devices, these information resources do not necessarily need to be connected to the internet in order for cybersecurity to be a concern. Cybersecurity also extends to the physical security of the hardware, devices, and data in an organization, as well as underlying physical infrastructure such as fiber optic cables and the electricity or water necessary to power and/or cool it all.

2.2 Cybersecurity Defined

Perhaps the best definition of cybersecurity comes from the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA): “Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information” (CISA, 2019). To ensure that all readers have the same understanding of the terms used in this definition, this section briefly explains them.

Networks are groups of computers and other electronic devices that are connected together and able to communicate with one another. Many homes today have wireless networks that allow families to surf the web, stream TV and movies, communicate with others, engage in commercial transactions, and more. During the COVID-19 pandemic, these home networks and the devices associated with them allowed children to go to school virtually and parents to go to work remotely. Businesses and local governments across the nation have computer networks of all sizes that are essential to them being able to conduct business and provide services to customers and residents. The internet is the largest computer network in the world with literally billions of devices connected to it (13.8 billion expected in 2021, and 30.9 billion by 2025), many more devices than people living on the planet (Statista, 2020).

Devices include the hardware that makes up networks and the physical connections between them. In addition to computers, tablets, cellphones, routers, and the like, devices also include items considered part of the “Internet of Things” (IoT): printers, smart speakers, home assistants (e.g., from Amazon and Google), smart locks, video cameras, security systems, access card systems, thermostats, air quality controllers, HVAC controls, smoke alarms, lights, parking lot gates, traffic monitoring systems, and more. See Chapter 12 for a more detailed discussion of the IoT.

Data represents the information stored in IT systems and communicated over networks. Data exists in three states: 1) at rest or in storage; 2) in transit; and 3) in use. Accordingly, data needs to be protected while in each state: when it is stable, when it is traveling over networks, and when it is being used. Examples of data commonly stored, communicated, and used by local governments might include financial records including billing and tax records, budgets and budgetary documents, personally identifiable information (PII) such as names, addresses, social security numbers and driver’s license or ID numbers, records of various kinds including student, medical, police, planning, and meeting records, and assorted internal and external communication among others.

The networks, devices, and data used by local governments require appropriate, and in many cases very high, levels of cybersecurity, because the entire operation of a local government can be severely damaged or rendered inoperable by a successful cyberattack. This is exactly what happened to Atlanta and Baltimore when they experienced successful cyberattacks (see Chapter 1).

The second part of CISA’s definition of cybersecurity addresses how local government networks, devices, and data are secured. Specifically, this relates to how maintaining the confidentiality, integrity, and availability of an organization’s information helps protect it from unauthorized and criminal use. In the cybersecurity discipline, this is known as the CIA triad and has served as one of the bedrock principles of the field since the early 1970s (Fruhlinger, 2020). In short, confidentiality means that information is accessible only to parties with proper authorization. Integrity means that the information has not been improperly altered and can be trusted by users. Availability means that people can access the information when needed. Steps taken to ensure the confidentiality and integrity of information can overlap and reinforce one another but care must be taken to balance those requirements by also ensuring that information remains available as intended.

Confidentiality of data and information is made possible by emphasizing the concepts of authentication and authorization when accessing a local government’s information resources. Authentication is the process of determining that users are indeed who they say they are. It can be accomplished with strong passwords or with newer forms of authentication such as biometrics (for example, facial recognition) or multi-factor authentication, in which two or more independent pieces of evidence are required to authenticate a user, such as a password plus a one-time code generated by an app or hardware token. Authorization means that authenticated users have the authority to access the information relevant to their job duties and are not authorized to access information outside the scope of their responsibilities. Information can also be kept confidential through encryption and/or through physical security controls that restrict who can reach it. In other words, confidentiality means that only authorized users, who have been properly authenticated, can access a local government’s systems and information. This is important to remember because if every user has access to everything that is considered sensitive or confidential, then nothing really can be considered sensitive or confidential.
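The one-time code used as a second factor is usually a time-based one-time password (TOTP). The following is an added worked example, not code from this chapter or from any vendor’s product: it implements HOTP/TOTP as specified in RFC 4226 and RFC 6238 and a server-side verifier that tolerates a little clock drift, compares codes in constant time, and refuses a code that has already been accepted (replay protection). The shared secret is the RFC test vector, a constructed value; a real deployment generates a random secret per user.

```python
"""HOTP/TOTP one-time codes (RFC 4226 / RFC 6238) with replay protection.

Added example for this chapter; not the chapter's own code and not taken
from any authenticator product.
"""
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC test vectors (a constructed value used here so
# the output can be checked against the published vectors). Real deployments
# generate a random per-user secret, e.g. secrets.token_bytes(20).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 + dynamic truncation."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # low nibble selects a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """Time-based variant (RFC 6238): the counter is the number of `step`-second
    intervals since the Unix epoch, so client and server only need loosely
    synchronized clocks and the same secret."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // step), digits)


class TotpVerifier:
    """Server-side check of a submitted code.

    - accepts codes from `window` steps either side of "now" (clock drift)
    - compares with hmac.compare_digest to avoid a timing side channel
    - remembers the last accepted step so the same code cannot be replayed
    """

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code, at_time=None):
        if at_time is None:
            at_time = time.time()
        current_step = int(at_time // self.step)
        for drift in range(-self.window, self.window + 1):
            candidate_step = current_step + drift
            if candidate_step <= self.last_accepted_step:
                continue                                 # already consumed: a replay
            expected = hotp(self.secret, candidate_step, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate_step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B: at t=59 the SHA-1 TOTP is 94287082 (8 digits),
    # i.e. 287082 when truncated to 6 digits.
    print(totp(RFC_TEST_SECRET, at_time=59))
    verifier = TotpVerifier(RFC_TEST_SECRET)
    print(verifier.verify("287082", at_time=59))         # accepted
    print(verifier.verify("287082", at_time=59))         # rejected: replay of a used code
```

The replay check is the part most home-grown implementations omit: without it, a code phished from a user remains valid for the whole drift window, which defeats the purpose of a second factor.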

Integrity means protecting information against unwanted alteration and ensuring it can be trusted by users. This covers not only malicious alteration of information but also unintentional damage: accidents, human error, and malfunction or physical corruption caused by hardware or software problems. Information has integrity when it is accurate and complete, exactly as it was originally recorded or as last legitimately changed. Data can be corrupted while it is being written, read, collected, stored, or transmitted. Accidents happen, and data can be corrupted through ignorance or negligence. Hardware can also degrade naturally over time, especially under excessive heat or prolonged use, as with a server’s hard drive.

To help ensure the integrity of information resources, technical controls that prevent or report unauthorized modification should be complemented by audits and checkups that detect accidental or malicious alteration. For example, a regular audit would quickly have revealed the scheme of the disgruntled software employees in the 1999 cult film classic Office Space (Judge, 1999). There, the employees planted a program (the film calls it a virus) meant to siphon fractions of a cent from each of the company’s transactions into a separate bank account; a bug in it instead diverted hundreds of thousands of dollars in only a few days. Similarly, a manual examination of a system anomaly, in this case a seventy-five cent accounting error, is what led Berkeley astronomer-turned-hacker-tracker Cliff Stoll to uncover an espionage operation against United States computer systems, run on behalf of the Soviet KGB, in the 1980s, as chronicled in The Cuckoo’s Egg (1989).
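One concrete form of the “technical control that reports unauthorized modification” above is a file-integrity baseline: hash every file once, keep the manifest somewhere the attacker cannot reach, and periodically re-hash and compare. The following is an added example written for this chapter (not code from the chapter or from any product). It builds a SHA-256 manifest of a directory, authenticates the manifest with an HMAC so that whoever tampers with the files cannot quietly rewrite the baseline as well, and reports added, removed, and modified files. The `demo()` scenario, the file contents, and the key `DEMO_KEY` are constructed for illustration.

```python
"""File-integrity baseline and tamper report (added example, not from the chapter).

Hash every regular file under a directory into a manifest, sign the manifest
with an HMAC, and diff a later snapshot against it.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed key for the demo. In practice the key (and ideally the manifest
# itself) lives off the monitored host, otherwise an attacker with write
# access to the files can re-sign a fresh baseline and hide the change.
DEMO_KEY = b"demo-manifest-key-not-for-production"


def sha256_file(path, chunk_size=65536):
    """Stream the file so large records (backups, database dumps) need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> SHA-256 hex digest for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def sign_manifest(manifest, key):
    """HMAC-SHA256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_manifest(manifest, key, tag):
    """Constant-time check that the manifest is the one we signed."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def compare_manifests(baseline, current):
    """Report what changed since the baseline was taken."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def demo(root=None, key=DEMO_KEY):
    """Constructed scenario: three records, then one edited, one deleted, one added."""
    root = Path(root) if root is not None else Path(tempfile.mkdtemp(prefix="fim-demo-"))
    (root / "ledger").mkdir(parents=True, exist_ok=True)
    (root / "ledger" / "2021-q1.csv").write_bytes(b"acct,amount\n1001,75.00\n")
    (root / "ledger" / "2021-q2.csv").write_bytes(b"acct,amount\n1001,80.00\n")
    (root / "readme.txt").write_bytes(b"tax records\n")

    baseline = build_manifest(root)
    tag = sign_manifest(baseline, key)

    # Tampering after the baseline: an amount is altered by one cent,
    # a file is deleted, and a new file appears.
    (root / "ledger" / "2021-q1.csv").write_bytes(b"acct,amount\n1001,74.99\n")
    (root / "readme.txt").unlink()
    (root / "ledger" / "2021-q3.csv").write_bytes(b"acct,amount\n1001,90.00\n")

    report = compare_manifests(baseline, build_manifest(root))
    return baseline, tag, report


if __name__ == "__main__":
    baseline, tag, report = demo()
    print("baseline authentic:", verify_manifest(baseline, DEMO_KEY, tag))
    print(json.dumps(report, indent=2))
```

A one-cent change to a ledger line, the kind of alteration no one notices by eye, produces a completely different digest, which is why hashing is the standard primitive for integrity checks. The signature on the manifest is what turns the check into an audit control rather than a convenience: it detects a tampered baseline, not just tampered files.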

Availability means information is accessible to users when they need it. In order to ensure availability, information systems must operate correctly. For example, if a local government stores data in the cloud (that is, with an outside provider) and does not have the necessary internet bandwidth (speed and capacity) to reach that data during times of high traffic, the information may not be available, and the local government may not be able to complete tasks efficiently, if at all. Ensuring availability, at least in the cybersecurity sense, requires close coordination between the local government’s cybersecurity team and its IT department, since the latter is responsible for network administration and uptime.

2.3 Dimensions of Cybersecurity

Organizational cybersecurity involves more than the specific technologies a local government uses. Indeed, it can be pictured as a cube: one dimension is the three principles of security (protecting the confidentiality, integrity, and availability of information); the second is the three states of data (at rest, in transit, and in use); and the third is the three kinds of safeguard for ensuring the CIA of information in each of its three states: technology; policies and practices; and people (Figure 2.1).

Figure 2.1 Cybersecurity cube (McCumber cube).

John McCumber, a retired Air Force officer and former Cryptologic Fellow at the NSA, developed the cube of information security for a paper he presented at a conference in 1991. The intent of the cube is to establish a “comprehensive model for understanding the threat to our automated information systems…This model not only addresses the threat, it functions as an assessment, systems development, and evaluation tool” (McCumber, 1991, p. 328).

The previous section has already discussed the CIA triad and the three states of data. It also discussed technology, meaning the devices, hardware, and software involved in protecting a local government’s information. The remaining safeguards are policies and practices, and people. Policies, procedures, and practices are what allow a local government to use technology to protect the CIA of information in its three states. Policies are the written measures a local government adopts; practices and procedures are how those measures are carried out day to day, and some of them may exist without ever being formally established by policy.

People develop policies, procedures, and practices, and people use technologies (although some, if not many, of these tasks can be automated). In his original paper, McCumber described this third cybersecurity safeguard as “education, training, and awareness” (McCumber, 1991, p. 333). Without cybersecurity education, training, and awareness among staff and officials, it would be impossible for local governments to protect the security of their information resources. All local government employees and officials, whether elected or appointed, must be trained in basic cybersecurity awareness. The five functions of cybersecurity, discussed next, also address how people are involved in successful cybersecurity operations.

The cybersecurity cube provides a succinct model for understanding how to address local government cybersecurity. All three dimensions, and each aspect of the three dimensions, must be considered when developing and implementing a comprehensive cybersecurity policy. The NIST Cybersecurity Framework, first published in 2014, mentioned throughout this book, provides the methodology for doing so.

2.4 The Five Functions of Cybersecurity

The five functions of cybersecurity found in the NIST Cybersecurity Framework form a cycle through which local governments can protect the confidentiality, integrity, and availability of their information resources by organizing how to accomplish these goals through technology, policies and practices, and people (see also Chapter 9). These functions are Identify, Protect, Detect, Respond, and Recover, and they work together in a continuous cycle, each function reinforcing the others (see Figure 2.2). They are set out in the NIST Cybersecurity Framework Version 1.1, which is discussed in greater detail in Chapter 9 (NIST, 2018). As a local government moves through the framework, it can assess its current cybersecurity posture and identify how to improve its cybersecurity and reach its desired level of performance.

The framework puts forth flexible standards and guidelines that can be applied differently depending on the critical infrastructure sector in which the organization operates, as shown in Table 2.1.

Table 2.1 NIST critical infrastructure sectors.

  Chemical | Commercial Facilities | Communications | Critical Manufacturing
  Dams | Defense Industrial Base | Emergency Services | Energy
  Financial Services | Food and Agriculture | Government Facilities | Healthcare and Public Health
  Information Technology | Nuclear Reactors, Materials, and Waste | Transportation Systems | Water and Wastewater Systems

Source: NIST (2021).

Depending on their local geography, the functions they perform and the services they provide, local governments likely will be interested in the cybersecurity issues facing several of these sectors. In many cases, these governments will share common concerns with sectors like emergency services, government facilities, healthcare, power, and water/wastewater systems.

The Identify function involves “develop[ing] an organizational understanding” of the particular cybersecurity risks facing the local government (2018, p. 7). Assessing a local government’s cybersecurity posture involves identifying which “systems, people, assets, data, and capabilities” are involved in supporting critical functions and services (2018, p. 7). A local government must understand the hardware and software it is using before its systems can be protected. It must also develop risk assessment and risk management plans, such as presented in the NIST Risk Management Framework (NIST, n.d.). The Identify function goes beyond identifying how the local government currently governs cybersecurity and involves identifying all of the stakeholders and the objectives specific to the local government’s overall operations. Ultimately, however, local governments must first identify risks in order to protect against them.

Protect, the second function of cybersecurity, means “develop[ing] and implement[ing] appropriate safeguards to ensure delivery of critical services” (2018, p. 7). Local governments must aim to protect the confidentiality, integrity, and availability of their information resources. Accordingly, this function involves protecting the assets identified in the previous function in order to prevent adverse cybersecurity events and to limit the effects of successful attacks. Access management (authentication and authorization) and regular maintenance are examples of basic controls under the Protect function. Maintenance should occur regularly and according to policy. Cybersecurity awareness training for all system users is also essential to protecting local government information systems. Protect also covers more technical controls such as audit logging, change logging, and system backups. With protective systems and policies in place, the occurrence and impact of cybersecurity events can be reduced. Even when local government information systems are protected with high levels of cybersecurity, they remain under constant or nearly constant attack, which can still result in incidents and breaches. As a result, these systems must be properly staffed, equipped, and managed to perform the Detect function.

Detect means “develop[ing] and implement[ing] appropriate activities to identify the occurrence of a cybersecurity event” (2018, p. 7). The longer a breach goes undiscovered, the more damage an attacker can do. According to IBM, in 2021 it took organizations an average of 287 days to identify and contain a data breach (IBM, 2021). Anomalous activity on a local government’s information systems should be detected through continuous monitoring of the network, the physical environment, and user activity. Once a baseline of normal activity is understood, alert thresholds can be established, and events that cross them can be analyzed for attack targets and methods. These detection methods should be tested and tuned regularly. Emergent threats, such as the zero-day vulnerabilities discussed in Chapter 3, are a growing problem for defenders: because no patch exists yet, the vulnerability itself cannot be remediated, and detection has to rely on spotting the attacker’s behavior rather than the exploit.

Zero day attacks target vulnerabilities so new that people aren’t aware of them and defensive measures aren’t available to fix them yet.
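The “baseline, then threshold” idea above is easiest to see on the most common detection there is: repeated failed logins from one source. The following is an added example written for this chapter, not code from the chapter or from any monitoring product. It parses authentication log lines in the usual OpenSSH `sshd` syslog style, counts failed logins per source address in a sliding one-minute window, and raises one alert per source when the count reaches a threshold. The log lines are constructed sample data, the hostname `gw` and the addresses are documentation ranges, and the threshold of five is assumed to have been chosen from a quiet-period baseline.

```python
"""Sliding-window failed-login detector over sshd-style log lines.

Added example for this chapter; the log lines below are constructed and the
threshold is an assumed value derived from a baseline period.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (syslog timestamps carry no year; 2021 is assumed
# when parsing). 203.0.113.7 hammers the host; 192.0.2.10 is a legitimate user
# who mistypes a password twice, fifteen minutes apart.
SAMPLE_LOG = """\
Mar  3 08:00:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51112 ssh2
Mar  3 08:00:03 gw sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51113 ssh2
Mar  3 08:00:04 gw sshd[2103]: Accepted publickey for clerk from 192.0.2.10 port 40122 ssh2
Mar  3 08:00:05 gw sshd[2104]: Failed password for root from 203.0.113.7 port 51114 ssh2
Mar  3 08:00:06 gw sshd[2105]: Failed password for root from 203.0.113.7 port 51115 ssh2
Mar  3 08:00:08 gw sshd[2106]: Failed password for root from 203.0.113.7 port 51116 ssh2
Mar  3 08:00:10 gw sshd[2107]: Failed password for clerk from 192.0.2.10 port 40123 ssh2
Mar  3 08:15:00 gw sshd[2108]: Failed password for clerk from 192.0.2.10 port 40124 ssh2
Mar  3 08:30:00 gw sshd[2109]: Failed password for root from 203.0.113.7 port 51117 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2021):
    """Return {ts, failed, user, src} for a recognised sshd line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "failed": m["outcome"].startswith("Failed"),
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Count failed logins per source inside a sliding window.

    Returns a list of (src, iso_timestamp, count) alerts, one per source,
    emitted at the failure that first reaches `threshold` within the window.
    """
    recent = defaultdict(deque)      # src -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or not event["failed"]:
            continue
        window = recent[event["src"]]
        window.append(event["ts"])
        # Drop failures that have fallen out of the window.
        while (event["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and event["src"] not in alerted:
            alerted.add(event["src"])
            alerts.append((event["src"], event["ts"].isoformat(), len(window)))
    return alerts


if __name__ == "__main__":
    for src, when, count in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {src}: {count} failed logins within 60 s, last at {when}")
```

The baseline matters as much as the rule: the legitimate user’s two failures fifteen minutes apart never reach the threshold, while the attacker’s five in seven seconds do. Lowering the threshold to two would catch the attacker sooner but still not page on the clerk, which is the kind of tuning the text calls “regular testing.”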

The Respond function involves instituting “appropriate activities to take action regarding a detected cybersecurity incident” (2018, p. 8). Response planning, external and internal communications, analysis, mitigation, and improvement are all aspects of this function. Once a cybersecurity incident has been detected, the response plan needs to be executed and procedures followed. Local governments should develop and implement clear personnel roles and responsibilities in order to ensure quick and effective response. Event analysis is essential to understanding the incident’s full impact. This includes performing digital forensics and addressing the vulnerabilities found, as well as properly collecting and preparing evidence for a possible legal action. After action reports and lessons learned help build institutional memory and improve a local government’s overall cybersecurity posture.

Finally, the Recover function entails utilizing “appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident” (2018, p. 8). Local governments should maintain resilience plans for when incidents do occur and update them with lessons learned. The goal is to return to normal operations as quickly as possible and to improve the systems in place. As with the Respond function, communications and public relations are a critical aspect of recovery (Figure 2.2).

Figure 2.2 NIST five functions of cybersecurity.

2.5 Origin of the Internet and E-government

This section presents a brief history of the formation of the internet because, whatever its many benefits, the internet has exposed organizations to unprecedented risk from cyberattacks, and the way it was developed has security ramifications to this day and likely well into the future. In the late 1960s and early 1970s the Advanced Research Projects Agency (ARPA, renamed DARPA in 1972) established the precursor to the internet, ARPANET, as a resilient, packet-switched network for sharing computing resources among research sites. (The often-repeated claim that ARPANET was built to survive a nuclear war is a simplification; that goal belongs to Paul Baran’s earlier RAND work on distributed communications, which influenced the design.) At the time, ARPANET connected only a handful of research institutions and universities in the United States (McKenzie, 2009). By 1981 the network had grown to 213 hosts, including some international organizations (Norman, n.d.). Those developing ARPANET did not design security into the network, because its only users were trusted parties such as academic and research institutions (Timberg, 2015), and its evolution into the global public internet was not foreseen. Hence, no one at the time understood, or could have foreseen, why security would become so important.

Moving forward to the 1990s and the early 2000s and the advent of e-government (also known as electronic government or digital government), there was a growing movement to shift the delivery of government services online as much as possible. This evolution of online service delivery continues to this day, especially as local governments have seen the convenience and cost savings it brings. E-government started with the federal government in the 1990s; at the state and local level it did not gain significant traction until the mid-2000s. Much as with the development of the internet, early e-government efforts focused on how to place information and services online and paid little attention to the security of the websites themselves beyond posting privacy and security policies (West, 2008). The security of local governments’ underlying systems was not a high priority either. As more and more local governments became digitally enabled, the number of (often successful) attacks against them increased, drawing attention to the need for strong cybersecurity on these systems. As mentioned earlier, this is necessary to ensure the confidentiality, integrity, and availability of the information stored on them and to enable those governments to continue providing public services while under attack and, especially, after their systems are breached.

2.6 Conclusion

Cybersecurity involves three dimensions: the three principles of information security; the three states of data; and the three safeguards of cybersecurity. Protecting the confidentiality, integrity, and availability of information is the ultimate goal of an effective cybersecurity program. This information must be protected in all three of its states: at rest, in transit, and in use. The best way to accomplish these goals is to enable a robust cybersecurity program that involves technology, policies, procedures, practices, and people. As a reliable starting point, local governments should follow the NIST Cybersecurity Framework and the five functions of cybersecurity to institute the highest levels of cybersecurity possible for their organizations.

References

  1. Cybersecurity and Infrastructure Security Agency (CISA), US Department of Homeland Security (2019, November 14). Security Tip (ST04-001): What is cybersecurity? https://us-cert.cisa.gov/ncas/tips/ST04-001
  2. Fruhlinger, J. (2020, February 10). The CIA triad: Definition, components and examples. CSO Magazine. https://www.csoonline.com/article/3519908/the-cia-triad-definition-components-and-examples.html
  3. IBM (2021). Cost of a data breach report 2021. https://www.ibm.com/downloads/cas/OJDVQGRY
  4. Judge, M. (Director). (1999). Office Space [film]. 20th Century Studios.
  5. McCumber, J. (1991). Information systems security: A comprehensive model. 14th National Computer Security Conference (pp. 328–337). National Institute of Standards and Technology/National Computer Security Center.
  6. McKenzie, A. (2009, December 4). Early sketch of ARPANET’s first four nodes. Scientific American. https://www.scientificamerican.com/gallery/early-sketch-of-arpanets-first-four-nodes
  7. Norman, J. (n.d.). There are 213 hosts on Arpanet. HistoryOfInformation.com. https://www.historyofinformation.com/detail.php?id=98#:~:text=In%201981%20there%20were%20213,added%20approximately%20every%2020%20days
  8. Statista (2020, November). Internet of Things (IoT) and non-IoT active device connections worldwide from 2010 to 2025. https://www.statista.com/statistics/1101442/iot-number-of-connected-devices-worldwide
  9. Stoll, C. (1989). The Cuckoo’s Egg. Doubleday.
  10. Timberg, C. (2015, May 30). A flaw in the design. The Washington Post. https://www.washingtonpost.com/sf/business/2015/05/30/net-of-insecurity-part-1
  11. U.S. National Institute of Standards and Technology (2018, April 16). Framework for improving critical infrastructure cybersecurity: Version 1.1. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
  12. U.S. National Institute of Standards and Technology (2021, June 03). Critical infrastructure resources. https://www.nist.gov/cyberframework/critical-infrastructure-resources
  13. U.S. National Institute of Standards and Technology (n.d.). Risk management framework. https://csrc.nist.gov/Projects/risk-management
  14. West, D.M. (2008). State and federal electronic government in the United States, 2008. Brookings Institution. https://www.brookings.edu/wp-content/uploads/2012/04/0826_egovernment_west.pdf