12
The Future of Local Government Cybersecurity

12.1 Introduction

This chapter discusses a number of cybersecurity issues that local governments are likely to confront in the near future, as well as many years down the line. Indeed, local governments are faced with addressing many of these issues today, although the issues will certainly evolve over time, presenting these governments with new and ever more difficult challenges. These issues are not listed in any particular order and certainly not in order of importance (which would be highly subjective and likely quite controversial). Readers should draw their own judgments regarding the relative importance of each of them. Readers should understand, too, that what the authors have written in 2021 is likely to change over time and present quite differently in a few years.

To give but a few examples, the contents of this chapter include discussions of more hackers and more hacking, more ransomware attacks, the proliferation of IoT devices, and the impacts of Bring Your Own devices. In addition, the chapter covers continuing cybersecurity challenges related to working remotely, legacy technologies, artificial intelligence (AI), and much more.

12.2 The Cloud

The “cloud” is a term used to refer to information resources stored by third-party organizations separate from the firms or local governments using those resources. Think of outside providers such as Amazon Web Services (AWS), Microsoft Azure, IBM, Google, Oracle, and others. Although the cloud can be perceived as data storage floating in the sky, this metaphor is not literally true. There is no actual cloud, just server farms and data centers on terra firma. The cloud is the use of information services, like data storage and software, over the internet. Local government information resources, thus, can be stored not only on local government computers or networks but also with one or more cloud providers. Most local governments that use the cloud employ cloud-based products and services through third-party contractors such as Dell, CDW, Carahsoft Technology Corp., and SHI (some of which do not receive as much name recognition but are among the top cloud contractors based on numbers of contracts and dollar value), rather than contract directly with major providers like Amazon and Google (Pittman, 2017a).

Remember, the cloud is a fancy term for someone else’s computer – Richard Forno.

Some local governments may choose to create a private cloud, which is a cloud service solely for that local government and not shared by any other entities. Private cloud environments can be located either on site at the local government or hosted by a third party such as those mentioned above. The City of San Diego runs a private cloud in which it controls and operates almost 400 applications such as: permitting; its open data portal DataSD with performance analytics; the city’s mobile app to connect with citizens Get It Done; StreetsSD which allows residents to examine current street conditions and repairs; OpenGov which visualizes the city’s annual budget; and PerformSD which visualizes data for residents to better understand how the city is performing (Pittman, 2017b). Local governments can also choose to use public clouds, which are entirely maintained by third parties, or hybrid clouds, which are part private and part public cloud. Cloud technologies, whether public or private, provide local governments increased flexibility in providing public-facing services and conducting internal business.

Adoption of cloud technologies by local governments has both benefits and limitations. Major benefits of cloud adoption, as found by a 2021 MeriTalk survey of state and local IT leaders, include: improved data availability and interoperability of systems (37 percent); improved flexibility and agility (37 percent); and improved cybersecurity (36 percent) (2021). In some situations, cloud-based services can provide cost savings to local governments by improving the manageability of information resources and reducing system maintenance costs.

The Center for Digital Government’s 2018 Digital Counties Survey, administered annually to all US counties in conjunction with the National Association of Counties, found four major hurdles to migrating to the cloud including: the presence of legacy, or existing and sometimes outdated, systems; human resource issues; understanding security in the cloud; and determining how to calculate cost savings (Government Technology News Staff, 2021). Almost half of the counties in the survey noted that current and ongoing investments in legacy systems made migrating to the cloud less appealing (Government Technology News Staff, 2021). Human resource issues include ensuring local government IT and cybersecurity employees have the skills necessary to manage a cloud-based environment. Many local governments, or almost a third of respondents to the Digital Counties Survey, did not fully understand how security in the cloud actually works (Government Technology News Staff, 2021). One way to alleviate concerns that the cloud is less secure than keeping IT infrastructure in-house is to utilize vendors rated by StateRAMP, a nonprofit that assesses cloud vendors to ensure they meet certain security measures for state and local governments (Kanowitz, 2021). Finally, IT has historically been classified as a capital expense in local government budgets. Shifting to the cloud also means shifting cloud-related IT costs to the operating budget, which can cause issues in funding availability and support.

Local governments must understand that the cloud does not eliminate their cybersecurity risks. Rather, it shifts them to the cloud services providers who are charged with protecting their clients and their data. The SolarWinds attackers specifically sought access to cloud-based service providers through the software supply chain by targeting the authentication systems of cloud providers, like Microsoft 365. This affected downstream users of Microsoft’s services, such as the US Treasury Department and other federal, state, and local agencies (Budd, 2020).

According to the MeriTalk survey, 57 percent of state and local governments feel they are not getting the most out of their investments in the cloud (2021). Yet, a large majority (79 percent) believed the hybrid cloud is ideal for a resilient government (i.e., one that is prepared to continue operations even if breached), and a slightly larger majority (83 percent) report improvements in their ability to meet the mission. Local governments must now incorporate security of cloud-based services, providers, and third-party contractors into their overall cybersecurity posture.

The future of the cloud for local governments requires strategic planning and risk management. As a result, they should strategically prioritize which systems and applications would be better managed via the cloud and which should remain within the purview and control of the local government itself. Of course, local governments must also ensure they have the connectivity, workforce, and procurement capabilities needed to successfully migrate to a cloud environment and effectively manage their cloud applications.

12.3 Hackers…More of Them and More Hacking

In recent years, there has been an enormous increase in the number of cybercriminals and others who attack information systems. This was especially true during the COVID-19 pandemic, largely because of so many people working remotely. As a result, breaches of information systems have also increased a great deal – since 2018 by 11 percent and since 2014 by 67 percent (Bissell et al., 2019). Last, there has been a reported 300 percent increase in cybercrimes between when the pandemic began in early 2020 and early 2021 (Walter, 2020).

There are at least six major reasons for the growing number of cybercriminals and cyberattacks. First, cybercrime is a business, and at least at the moment it pays well (e.g., Nakashima and Lerman, 2021). Indeed, more than eight in ten cyberattacks are financially motivated (Verizon, 2020). In other words, cybercriminals attempt to steal money or something else valuable or to blackmail organizations for a price. The latter is especially true of ransomware attacks. In the 2021 ransomware attack against Colonial Pipeline, the company reportedly paid their attackers $4.4 million in bitcoin (Bussewitz, 2021). As a result of the large rewards of ransomware attacks, more people of a less-than-ethical inclination are attracted to this field of endeavor.

Second, it is increasingly easy to enter the cybercrime business. In the early days of cybercrime, hackers had to have the technical skills needed to conduct attacks. Today, almost anybody can do it because of the widespread availability on the internet of inexpensive and easy-to-use do-it-yourself hacking kits and even attack tools that can be rented for a certain period of time (e.g., Patterson, 2018; Stevens, 2018).

Third, many organizations, especially local governments, do a poor job securing their IT systems. The 2016 UMBC-ICMA survey clearly showed how poorly local governments defended against cyberattacks and managed their cybersecurity (Norris et al., 2019). Another survey found that more than three-quarters of organizations had not even developed and implemented incident response plans to improve their ability to respond to cybersecurity emergencies (Milkovich, 2020). This is an especially egregious example of cybersecurity malpractice. If such an organization is breached and is shut down in part or in whole, it would have no guidance or roadmap about how to continue operations or recover from the breach. Think about the Baltimore and Atlanta breaches discussed in Chapter 1.

Fourth, cybercriminals are rarely apprehended and/or punished for their crimes. According to security expert Roger Grimes (2012): “Rob a bank and face a one-in-four or one-in-five chance of doing hard time. Steal someone’s identity and your odds of being caught are almost infinitesimal.” There are various reasons for law enforcement’s lack of success tracking down and punishing cybercriminals, but they all add up to the same result. For the attackers, cybercrime is a fairly low-risk activity today.

Fifth, cybercriminals target people. As discussed in Chapter 8, people are the weakest link in the cybersecurity equation. The great majority of breaches occur because a person, most often accidentally, opens an attachment or clicks on a URL that he or she should not. According to one source, 95 percent of breaches are the result of errors people make (Milkovich, 2020). Cybercriminals know people make mistakes, and this is why, more often than not, they employ phishing or spear phishing attacks, betting that someone somewhere will make that mistake. More than two-thirds of attackers use phishing as the primary method of getting past cyber defenses, with eight in ten security incidents involving phishing (Varonis, 2021).

Sixth, cybercrime constantly evolves, and cybercriminals evolve along with it. Perhaps the best recent example of this evolution occurred during the COVID-19 pandemic when cybercriminals targeted people working remotely, hospitals, pharmaceutical companies, personal protective equipment (PPE) manufacturers, people and organizations seeking to purchase PPE, and COVID-19 vaccine manufacturers, among others. As history shows, cybercriminals constantly evolve alongside emerging technologies to devise newer and more effective ways of targeting and attacking their victims.

Cybercrime and cyberattacks are here to stay. Cybercriminals are neither stupid nor lazy. They research what they are about to attack, use the best tools they can find, and are relentless in their malicious activities. Their cost of entry to the world of cybercrime is rather low and there is a low probability of discovery, capture, and prosecution. Making their lives easier is that, unlike traditional crimes, cybercrime activities can be launched or conducted from anywhere in the world against any target in the world, which also creates a challenging legal environment in which to attempt prosecution (e.g., Sjouwerman, 2019).

In all, these reasons explain why the numbers of attackers and attacks continue to increase. They also suggest that the world is unlikely to see a reduction in the numbers of either one anytime soon. Last, they also suggest that laws and law enforcement are not up to the task of preventing cybercrime or catching and punishing cybercriminals.

12.4 Best Practices…Always Follow Them

To ensure that local governments practice the highest levels of cybersecurity possible, they must always follow time-tested best practices. There are many reasons why local governments should do so, not the least of which is that deploying anything less than best practices leaves them open to unnecessary cyber risk. Consequently, it is essential that local governments make the adoption and use of cybersecurity best practices a high priority.

Best practices are critical. Although cyber threats constantly evolve, these simple and widely adopted solutions are essential elements in the defense against the constant cyberattacks confronting local governments. NIST’s Cybersecurity Framework, discussed in Chapter 9, provides direction and guidance for local governments to help determine the most appropriate best practices to follow (2018).

Recent trends in cybersecurity best practices include: improvements in identity and password management like multi-factor and biometric authentication; the need to protect increasing numbers of workers operating remotely (e.g., remote access and the cloud); third-party vendor security (e.g., software, applications, cloud providers, etc.); and artificial intelligence (AI) and machine learning (ML) applied to detection and security technologies (Gartner, 2021; Panetta, 2021). Local governments can anticipate these trends affecting them in the future if they haven’t yet already experienced them at some level.

Other future best practices that will likely impact local governments include ensuring security of Internet of Things connected devices, especially those used in smart city initiatives, monitoring users who are authorized to access sensitive systems, especially subcontractors and remote employees, and more. Following the guidance from NIST, CISA, and membership organizations like the International City County Management Association, the National League of Cities, National Association of Counties, and the Public Technology Institute will help local governments stay abreast of and more effectively respond to changes in the field.

The Town of Oldsmar, Florida’s water treatment facility was breached in 2021 because multiple users shared the same password for remote access to the system. Additionally, the facility was utilizing the Windows 7 operating system, which Microsoft no longer supported.

The City of Baltimore did not patch its systems in a timely manner which led to a successful ransomware attack in 2019. The patch had been made available at least two years before the breach.

12.5 Skilled Cybersecurity Worker Shortage

It should come as no surprise to anyone who has been paying attention to cybersecurity over the past several years that there is a large and growing worldwide shortage of trained personnel to fill cybersecurity jobs. According to CyberSeek (n.d.), a website supported by funding from NIST that provides information about the cybersecurity job market, as of 2021 there were more than 956,000 cybersecurity workers in the US. In August of 2021, the Washington Post reported that there were almost 465,000 cybersecurity jobs nationwide that were vacant, which is a deficit of nearly 49 percent. Among federal, state, and local governments, there was a deficit of approximately 36,000 cybersecurity positions. The US Department of Homeland Security, which houses CISA, had 1700 cybersecurity vacancies (Marks, 2021).

It gets worse because no available source suggests that much can be done in the short (or possibly even in the long) run to rectify this situation. Experts in the field (e.g., Hospelhorn, 2020; Morgan, 2017, among many others) suggest that the principal causes of the shortage are: the constantly increasing numbers of cyberattacks; the younger generation not being interested (which is thought to be largely because K-12 education does not expose children to cybersecurity, at least from middle school onward); universities not training and graduating sufficient numbers of students in cybersecurity; organizations failing to cross-train IT employees in cybersecurity; the apparent false hope that the shortage can be solved by the application of artificial intelligence technologies to cybersecurity problems; some IT and cybersecurity leaders not taking the shortage seriously; and burnout – a 2018 survey found that 39 percent of cybersecurity professionals said they were very satisfied with their current job, but nearly half were only somewhat satisfied and 14 percent were either not very satisfied or not satisfied at all (Oltsik, 2019).

While it appears that there is not a great deal that local governments can do about the shortage, here are a few suggestions that may help, if only on the margins. First, cross-train current IT staff in cybersecurity where practicable and relevant to their duties. However, be aware that if these staff transition into full time cybersecurity work, their IT jobs will need to be filled, and there is also currently a shortage of IT workers (English, 2021). Partnering with K-12 school systems, community colleges, and colleges and universities in their catchment areas might present novel ways to expand the pool of available cybersecurity workers. Perhaps consider engaging with state officials to draw upon the expertise of any National Guard cyber units (in states that have them) to help improve local government cybersecurity practice and readiness and, in the event of a breach, ask the Guard cyber unit to assist in recovery.

Additionally, consider partnering with organizations representing minorities and women because both groups are underrepresented in tech fields, especially in cybersecurity, to increase their presence in local government. Local governments could consider outsourcing some or all of the cybersecurity activities to qualified vendors under appropriate supervision. Perhaps explore partnering with other local governments to share the burden of cybersecurity and share information and best practices. This could be especially useful for small local governments with limited cybersecurity staffing. Finally, within budgetary limits, consider increasing the salaries of cybersecurity staff and new hires and provide incentives and bonuses.

12.6 Ransomware

Chapter 3 contains a discussion of ransomware – what it is, how it works, and what local governments should and should not do if they are on the receiving end of a ransomware attack. This section does not repeat earlier discussions but rather focuses on the likely future trajectory of ransomware as a local government cybersecurity concern. To begin with, readers should know that there is little or no research from any source, popular, professional, or scholarly, that to date has provided any evidence-based projections of the future of ransomware. Most projections simply state that things “are likely to get worse.” Sadly, that is the projection of this section as well, although this section also discusses the rationale for its projection. This is certainly not good news for local governments let alone any other organizations.

At least in the foreseeable future, the number of ransomware attacks and the number of cybercriminals conducting ransomware attacks will increase; the cost of ransom will increase; attacks will escalate during troubled times (as was the case during the COVID-19 pandemic); and while effective governmental regulation is needed, government action will be slow to follow.

What factors support this likely future? The first and perhaps most important is that ransomware attacks are successful and are financially rewarding to cybercriminals. Ransomware is highly profitable, a $1.4 billion business in the US and a $10.4 trillion business globally (Morgan, 2020; Tinianow, 2020). Such profits, in turn, entice more people to join the ranks of this particular variant of cybercrime. And as mentioned earlier, cybercrime, including ransomware, is very low risk for the attacker (see Section 11.2). The sheer number of cybersecurity events in the news further contributes to “breach fatigue,” which reduces the motivation of individuals and organizations to act to combat adverse cybersecurity events (e.g., Sloan, 2020).

Additionally, cryptocurrencies, such as bitcoin and its cousins, enable cybercriminals to escape detection by hiding financial transactions, such as receiving ransom payments, from law enforcement. According to the ransomware incident response and recovery firm Coveware, 99 percent of ransomware payments were made in bitcoin in 2019 (2019).

Phishing attacks have risen 667 percent since the pandemic started and 90 percent of ransomware attacks use phishing (Shi, 2020). Fifth, cybercrime, including ransomware, is easier than ever and newbies with virtually no technical skills can buy pre-packaged attack kits and run attacks.

Finally, most organizations, and this is especially true of local governments (see the 2016 survey), do a really poor job protecting their IT assets. Ransomware is a great example of how failure to implement basic IT practices can wreak havoc. Chapter 7 identifies actions that are necessary to help make attacks like ransomware less effective for criminals and less costly for victims, but those tools must be in place before the attack.

Thankfully, there is, perhaps, one trend that is not as grim as those discussed above. According to a Pew survey conducted in October of 2020, 71 percent of workers said that they were working at home most or all of the time (Parker et al., 2020). As work moves back to the office, and other potentially more cyber-secure environments, while the number of ransomware attacks may not decline, there may be fewer successful attacks. Only time will tell.

12.7 IoT Proliferation

Chapter 1 discussed the Internet of Things (IoT) in some detail. This section examines its future. First, a reprise of the numbers. According to Statista, there are currently 13.8 billion IoT and non-IoT units connected to the internet. That is expected to increase to 30.9 billion by 2025 (Vailshery, 2021). By comparison, there were only 7.9 billion inhabitants of the Earth in May of 2021!

Most of the trade and popular publications envision a rosy future for the IoT (which could be because much of that material is from firms trying to sell services). Indeed, one source flatly states: “The future of IoT has the potential to be limitless” (Ericsson, n.d.) while many others are equally optimistic about various potential uses of the IoT such as in agriculture, smart cities, smart homes, wearable devices, and industrial applications, especially when 5G (fifth-generation mobile networks) and artificial intelligence fully arrive. Rosy scenarios, indeed.

The security company Norton made ten predictions about the future of the IoT (Norton, 2019). Seven of them followed the rosy scenario and were quite optimistic: continued increase of the number of devices on the IoT; growth of smart cities; growth of smart cars; growing importance of AI; 5G leading to more IoT devices; development of more secure and smarter routers; and privacy and security issues leading to legislative and regulatory action. Three of Norton’s predictions addressed security: cybercriminals will use IoT to engage in DDoS attacks, and such attacks will be increasingly dangerous (two points); and the IoT will produce privacy and security concerns. This was a somewhat more balanced view of the future of the IoT, but, like so many other predictions, it was overly influenced by “Rosy” and did not give the dark side (security concerns) of IoT sufficient attention.

For others, while the IoT does, indeed, have such potential, there is a darker side. As the IoT grows and more and more devices have been and will be added, security (or the lack thereof) has been and will continue to be a major concern. Smart doorbells can be taken over, as can sensors that control a variety of important functions such as traffic lights, water filtration and distribution systems, and various electronic gizmos that control the electrical grid and oil and gas pipelines. As the CBS program 60 Minutes demonstrated in 2015, a talented adversary can even commandeer automobiles remotely.

What is the IoT’s likely future? First, there is little doubt that it will continue to grow, possibly astronomically. Second, there will almost certainly be innovative, possibly even game-changing applications of the IoT (e.g., driverless cars that do not crash or hit pedestrians). No one, however, can know the precise directions of the growth or its impacts. Third, there are serious security concerns about the IoT: a) the IoT expands the attack surface of all organizations (including our homes) that deploy IoT devices; and b) adequate security is not built into either the internet or many (perhaps most or close to all) of the devices that are and will be connected to it. As long as this pattern continues, there will be security events (e.g., shutting down the electric grid or a substantial portion of it, just to mention one possibility). As a result, this seems to be a case of being careful what you wish for. As “limitless” as the IoT may (or may not) be, without adequate security, there inevitably will be problems, possibly some of catastrophic proportions. All one has to do to get a sense of how bad things could be is to run a Google search of “The Dark Side of the IoT” (e.g., Kranz, 2018; Miles, 2019; Richard, n.d.; just to mention a few). Unfortunately, the negative consequences (the dark side of the IoT) are rarely found in the literature discussing its future.

12.8 BYOD

Chapter 3 discusses the status (at the time this book was completed) of the use of personal devices in local governments, and BYOD policies are further explored in Chapter 7. This section addresses the future of “bring your own device” rules and strategies in local governments.

The use of personal devices can be more efficient, flexible, and provide cost savings in some situations, but such use also inherently raises the level of cybersecurity risk facing local governments. The issue of BYOD may seem passé at this writing in 2021, but the shift towards hybrid offices and working remotely means concerns remain regarding the use of personal devices for work. As discussed throughout the book, personal devices increase a local government’s attack surface because of the increasing number of, often insecure, devices that are added to the government’s IT systems and networks. These personally owned, insecure devices also have access to more websites and apps than governmentally managed devices.

The BYOD market was valued at $186 billion in 2019, and is expected to grow to $430 billion by 2025, up from only $30 billion in 2014 (Global Market Insights, Inc, 2016; MarketWatch, 2021). This is a direct shift from what was a declining market in 2018 (Research and Markets, 2018). While the future of work remains uncertain, both BYOD and working remotely will remain a part, possibly a growing part (at least as compared to pre-pandemic times), of the overall work environment. BYOD policies almost certainly will need to be updated to reflect a hybrid work environment, detailing which devices are accepted and how to be compliant with desired security standards. Local governments can expect policy and compliance changes as the balance of the hybrid office is established and local government and employee expectations are refined. NIST Special Publication 800-124 Rev. 2 (draft) deals with mobile device security within organizations and can be a helpful resource for local government cybersecurity professionals (2020b).

In a 2021 report, Lookout, a cloud security provider, examined the data of their federal, state, and local clients for threats facing US governments (2021). This report is a helpful predictor of future BYOD threats and trends beyond the pandemic. Lookout found that close to 25 percent of state and local government employees use personal devices when teleworking. This can expose local governments to mobile phishing attempts, which can be sent via text message or in a phone call, as well as threats from insecure applications downloaded and used on those devices. Phishing exposure rates for unmanaged devices used by state and local government employees exceed those of managed devices (11 percent versus 6 percent). The purpose of these phishing attempts has shifted from malware delivery (69 percent in 2019 and 31 percent in 2020) to credential harvesting (56 percent in 2019 and 80 percent in 2020), which allows attackers to pose as legitimate users and gain “authorized” access to systems that system administrators may not catch. Threats to mobile apps surged 20-fold during this same period, as well.

Perhaps the most concerning issue with BYOD usage is that many employee devices have outdated operating systems (99 percent of government Android users are exposed to hundreds of vulnerabilities). Unlike desktops and laptops, mobile devices, including tablets, often do not have endpoint security, which protects devices that connect to a network so that they are secure from malicious activity (McAfee, 2021). When 62 percent of workers believe mobile devices aid in productivity, and 36 percent say their use of mobile devices for work has increased during 2020, the potential security implications associated with those devices are profound (Hein, 2021).

12.9 Working Remotely

Telework (working from home, the hybrid office, and all of the ways working remotely is now described) raises a number of concerns for local government cybersecurity such as: the use of insecure personal devices for government business; connecting devices to insecure Wi-Fi networks; and the security of the cloud and third-party vendors used by remote workers. As mentioned in the BYOD section above, the future of the local government office is unclear. However, it is safe to say that in general, work arrangements are unlikely to return to how they were pre-pandemic and local governments can expect to see an increase in telework. The almost overnight shift to telework accelerated many trends, from telework itself, to AI (e.g., facial recognition, automated decision-making, intelligent traffic systems, etc.), online service delivery, and cloud adoption. Many local governments understand the growing pains, benefits, and limitations to working remotely by now and the transition back to the office has shown that, for some, hybrid offices, in which employees can work remotely part time and be in office part time, may be here to stay (Keegan and Greenberg, 2021).

The 2020 State and Local Government Workforce Survey found that telework among state and local government employees was at its peak in 2020 (Center for State & Local Government Excellence [SLGE], 2020). More than one in five governments increased the number of employees eligible to participate in flexible work in 2020, and another one in five increased the range of flexible work arrangements offered. Local government respondents to an ICMA survey found that larger governments are more apt to utilize telework, because smaller governments tend to have more direct interactions with citizens (Vinchesi, 2020). Over half (56 percent) of state and local governments with more than 10,000 employees offer regular telework for eligible positions (SLGE, 2020). The ICMA survey found that some positions are more appropriate for telework than others, such as finance and planning, economic development, and inspectional services (Vinchesi, 2020). Departments typically excluded from allowing at least some of their employees to use flexible work arrangements (meaning flexible schedules, work hours, and telework) include public safety, public works, parks and recreation, public health, social services, and libraries (SLGE, 2020).

Working remotely may be a perk that can help recruit talent to local government, which is especially needed due to existing skill gaps in the IT and cybersecurity workforce. It can also be more efficient for certain positions. But it may also lead to less frequent collaboration than would otherwise have occurred in the office. Local governments must find the appropriate mix of remote and in-person work to balance these and other interests.

All local governments, no matter the size, should now expect to adopt and implement security and risk management plans for employees working remotely. Telework agreements for employees are also now necessary. The Municipal Research and Services Center, a nonprofit assisting local governments in the state of Washington, provides an extensive list of example telecommuting policies and other resources that can be adapted by most local governments (2021).

12.10 Defense in Depth

Defense in depth is a time-tested strategic concept in cybersecurity management, where layers of defensive protocols are put in place to protect sensitive data and systems through redundant fail-safes that attempt to counter attacks at each level of penetration. As discussed earlier in the book, these layers protect the confidentiality, integrity, and availability of the local government’s information assets. Each measure is intended to address various vectors of attack, such as: firewalls to block network attacks; intrusion detection and prevention systems to alert officials to suspicious network activity; network segmentation to split and organize networks by the level of security required; and more. Multiple layers of security are required to effectively address the plethora of attack styles and methods seen today. Ideally, when one defensive layer or tool fails to counter the attack, a different measure established at another attack vector might succeed, with each successive layer helping further secure the network.

Defense in depth is organized into three categories: physical, technical, and administrative. Physical controls, which are discussed in Chapters 7 and 10, help protect information systems at the physical point of entry, such as access control systems, video surveillance, and locks to a server room. Technical controls include the local government’s methods of user authentication, and how data is stored (e.g., encrypted). The principle of least privilege, that users are assigned to only the systems that are required for them to perform their duties, is a recommended component of defense in depth. Finally, administrative controls deal with the local government’s cybersecurity policies like those discussed in Chapter 7.

This defensive approach was created by the National Security Agency (NSA) and is an established requirement for federal agencies set forth in NIST Special Publications 800-161 (2015), and 800-53 Rev. 4 (2014). It was originally a military strategy of delaying the advancement of attackers by giving up space on the battlefield to buy time to respond. The layers help stall the attacker’s momentum. Many companies offering cybersecurity products and services advertise their defense in depth methods, indicating that employing the strategy as a single organization is costly, which may very well be the case for many local governments. The first step is to understand the baseline status quo of the local government’s information systems, policies, and strategies to see which layers may need to be addressed or refined.

With the documented increase in cyberattacks and attackers and the direct and collateral damage they cause, local governments should incorporate a defense in depth strategy in their cybersecurity policies and strategies now and maintain it as strongly as possible well into the future. Local governments may also anticipate that aspects of this approach may be mandated by the federal or state governments at some point in the future. Federal agencies are already required to do so.

The defense in depth strategy is itself future-oriented, in that the true purpose of employing it is to be able to scale, as each layer of defense (physical, technical, and administrative) is adaptable and can be adjusted to address threats in the future. The strategy is frequently cited as a recommendation for addressing the ongoing plague of ransomware attacks (PhishLabs, 2021; Sophos, 2021). Sophos found that local governments are the most likely of all sectors to have their data encrypted in a ransomware attack (2021). Defense in depth and layered security measures can help local governments address emerging threats like these by having trained IT staff capable of defending against attacks and various technologies and policies in place to enable them to do so.

However, given the evolution of cybersecurity risks, the defense in depth concept, while still extremely useful, is being enhanced by a new form of security thinking that doesn’t even trust the people and devices within that trusted enclave, as discussed next.

12.11 Zero Trust

In today’s age of increasing technological complexity, local governments are likely to have multiple information systems and networks that connect multiple locations and end users; employ mobile devices and allow users to connect their own devices to their network(s); and employ cloud technology. Configurations with these and greater levels of complexity vastly expand the attack surface of local government information systems and greatly increase the vulnerability of these governments’ systems and data. Consequently, according to many sources, all organizations, including local governments, should look beyond traditional methods of securing systems and networks (e.g., password protection) and adopt what is known as a Zero Trust (ZT) approach to network and data security (e.g., NIST, 2020a; NSA, 2021; Warner, 2021).

Zero Trust means what it says – no user and no device should be trusted to connect to a device or network until fully and continually authenticated. In the words of the NSA: “The Zero Trust security model eliminates implicit trust in any one element, node or service and instead requires continuous verification…The Zero Trust security model assumes that a breach is inevitable or has already occurred, so it constantly limits access to only what is needed and looks for anomalous malicious activity” (NSA, 2021, p. 1).

NSA further states that under a ZT “mindset,” organizations should assume that “all requests for critical resources and all network traffic may be malicious”; and that “all devices and infrastructure may be compromised” (NSA, 2021, p. 3). In other words, trust nothing and no one until they are fully verified.

In 2020, NIST issued Special Publication 800-207 entitled Zero Trust Architecture, in which the agency described Zero Trust this way (p. 1): “A ZT approach is primarily focused on data and service protection but can and should be expanded to include all enterprise assets (devices, infrastructure components, applications, virtual and cloud components) and subjects (end users, applications and other non-human entities that request information from resources)” (Rose et al., 2020). In other words, and as NSA and numerous others have said, every person, device, application, etc., that attempts to connect to an organization’s IT system or network must be verified, and verified each and every time they attempt to connect. Under EO 14028, CISA has also begun developing guidance documents for a federal government Zero Trust architecture (CISA, n.d.).

Implicit in this approach is the understanding that, for end users, simple password verification is insufficient, and, for devices and applications, the fact that they may be owned or “rented” by the organization is insufficient as well. More complex methods of verification are essential. These may and should include multi-factor authentication (MFA) and other advanced methods such as biometrics (e.g., facial scans, retina scans, fingerprints). Multi-factor means that two or more items must be verified before a user is allowed access. For example, when one signs into a remote account with a password, the account holder will ask one or more security questions (What is your mother’s maiden name? In what town did you grow up?) and/or send a code to the user, which the user must enter to complete the sign-in process. MFA and biometrics make authentication a bit more complicated for end users but much more secure for the organizations and their networks and data.

There is no need to provide accurate answers to these questions. A user might say his or her mother’s maiden name might be “tennis” and the pet dog’s name might be “Kentucky.” When answering these questions, the only thing that matters is providing a correct response, not whether the answer actually makes sense. Taking a more creative approach to these questions can make it more difficult for attackers to commandeer accounts via the lost-password feature.

Simply put, Zero Trust should be the future of cybersecurity for all organizations, local governments included, that are serious about protecting their information assets.
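The contrast drawn in this section between perimeter-style trust and Zero Trust can be made concrete with a small per-request decision function. The following is an added example, not taken from the NSA or NIST documents cited above; the roles, resources, sample requests, and the 15-minute re-verification window are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed entitlements: what each role may do on each resource (least privilege).
ENTITLEMENTS = {
    ("finance_clerk", "payroll-db"): {"read"},
    ("finance_manager", "payroll-db"): {"read", "write"},
    ("inspector", "permits-app"): {"read", "write"},
}
MAX_AUTH_AGE_S = 15 * 60  # assumed policy: re-verify the user after 15 minutes


@dataclass
class Request:
    user: str
    role: str
    resource: str
    action: str
    on_internal_network: bool = True
    password_ok: bool = True
    second_factor_ok: bool = True
    auth_age_s: int = 60          # seconds since the user last authenticated
    device_managed: bool = True   # enrolled in the government's device management
    device_patched: bool = True


def perimeter_decision(req):
    """Traditional model: a correct password from inside the network is trusted."""
    return req.on_internal_network and req.password_ok


def zero_trust_decision(req):
    """Evaluate every request on its own merits; return (allowed, denial_reasons)."""
    reasons = []
    if not req.password_ok:
        reasons.append("password not verified")
    if not req.second_factor_ok:
        reasons.append("second factor missing")
    if req.auth_age_s > MAX_AUTH_AGE_S:
        reasons.append("authentication too old, re-verify")
    if not (req.device_managed and req.device_patched):
        reasons.append("device not verified as managed and patched")
    if req.action not in ENTITLEMENTS.get((req.role, req.resource), set()):
        reasons.append("action not in role's entitlements")
    # Network location is deliberately absent: being "inside" grants nothing.
    return (not reasons, reasons)


# Constructed sample requests; each one differs from the defaults in one respect.
REQUESTS = [
    Request("clerk_office", "finance_clerk", "payroll-db", "read", second_factor_ok=False),
    Request("clerk_telework", "finance_clerk", "payroll-db", "read", on_internal_network=False),
    Request("clerk_write", "finance_clerk", "payroll-db", "write"),
    Request("inspector_byod", "inspector", "permits-app", "read",
            device_managed=False, device_patched=False),
    Request("manager_stale", "finance_manager", "payroll-db", "write", auth_age_s=7200),
]


def compare(requests):
    """Return (user, perimeter_allows, zero_trust_allows, reasons) for each request."""
    rows = []
    for req in requests:
        allowed, reasons = zero_trust_decision(req)
        rows.append((req.user, perimeter_decision(req), allowed, reasons))
    return rows


if __name__ == "__main__":
    for user, perimeter, zero_trust, reasons in compare(REQUESTS):
        print(f"{user:15} perimeter={perimeter!s:5} zero_trust={zero_trust!s:5} {reasons}")
```

The perimeter rule admits four of the five requests on the strength of network location and a password, while rejecting the one fully verified teleworker; the per-request rule reverses each of those outcomes.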

12.12 Increased Governmental Regulation of Cybersecurity

Currently, neither the federal government nor states engage in much, if any, regulation of local government cybersecurity (or, indeed, of the cybersecurity practices of most organizations). However, this can be expected to change, although perhaps slowly, in coming years, and local governments can expect to face a much more rigorous regulatory environment. As more and more local governments and agencies dealing with critical infrastructure are breached, a stronger federal response is likely. Indeed, this has already begun with President Biden’s Executive Order on Improving the Nation’s Cybersecurity, which is discussed further in Section 12.15 of this chapter. Hopefully, increased attention will also come with increased support for funding for cybersecurity, including employee training as well as actions to expand the pool of qualified cybersecurity workers. At the very least, as issues of local government cybersecurity become more politically salient, and if they remain nonpartisan or bipartisan, increased support for cyber becomes all the more possible. Major policy areas concerning local government cybersecurity that are likely to see increased regulation include: information sharing with external organizations; public notice requirements; federal grant funding to incentivize state and local government cybersecurity spending; prohibiting ransomware payments; the use of artificial intelligence; and privacy and data protection.

First, information sharing and public notice requirements. Outside of industry-specific laws discussed in Chapter 10, the federal government does not require that local governments share information about breaches to agencies like the FBI or CISA, let alone disclose breaches to the public. To be clear, all 50 states do have security breach and PII disclosure notification laws covering private and some governmental entities, meaning that some local governments do have public notice requirements (see Chapter 10). However, local government notification to and engagement with the FBI and CISA occurs on an entirely voluntary basis.

In the future, local governments can expect to be required to maintain closer relationships with these and other federal agencies involved in cybersecurity, and to notify them and potentially the public of breaches. Notification of breaches to other local governments may also be prioritized. Information sharing about cybersecurity threats with organizations such as the Multi-State Information Sharing & Analysis Center (MS-ISAC) will likely also be a priority. Ultimately, a federal strategy of providing and sharing resources with local governments may be created. At least one can hope!

Second, federal and state grants to local governments to improve cybersecurity can help incentivize adequate and consistent spending for cyber by these governments. The federal government can also mandate that local governments adopt specific policies and standards and meet other requirements in order to receive said funds. Third, local governments can expect increased regulation around whether and when they are allowed to pay ransom in the event of ransomware attacks. As of this writing, legislatures in New York, North Carolina, and Pennsylvania are considering banning state and local agencies from paying ransoms (Bergal, 2021). As seen in the 2021 hack of Colonial Pipeline, the company paid a hefty $4.4 million ransom and still needed to rebuild systems and reboot from back-ups after the decryption tool provided by the hackers was too slow (Bussewitz, 2021; Eaton and Volz, 2021). However, the FBI was able to trace and identify a virtual currency wallet used by the hackers in the blockchain and recover the ransom, which had reduced in value to $2.3 million (US Department of Justice, Office of Public Affairs, 2021). Many local government police departments and 911 centers have chosen to make ransomware payments in order to restore critical systems as quickly as possible and to protect against disclosure of sensitive or life-threatening information. At least 11 law enforcement agencies have been impacted since 2020 (Suderman, 2021). This said, paying ransom may no longer be an option for local governments under either state and/or federal law in the not-too-distant future.

Fourth, local governments may also find an increase in regulation of the use of AI and ML. Typical uses of AI include facial recognition, helping to better understand the data already generated by local governments, automated decision-making based on that data, intelligent traffic systems, and other systems management. As discussed in this chapter’s sections on Increased Automation (12.14) and AI and ML (12.17), local governments can boost their cybersecurity by using AI for network traffic analysis and data encryption. Perhaps the most discussed application of AI by local governments is the use of facial recognition by law enforcement. After the tragic death of George Floyd in 2020, many local governments and private providers such as Amazon and Microsoft reassessed the use of facial recognition in response to the movement to address police violence. The state of Maine banned the government use of facial recognition in most situations, with an exception for when police have probable cause that an unidentified person committed a serious crime, or in order to prevent fraud (Gershgorn, 2021). Yet, rules around storage and use of body camera and other footage generally remain unclear in many situations. The European Union has been more aggressive than the US in its discussion and planning around accepted uses of artificial intelligence in general, and by governments, especially in terms of automated decision-making (see European Location Interoperability Solutions for e-Government (ELISE), 2021). While most regulation of US local government use of AI and ML may take place further down the road, it should still be on the radar of local government officials and managers.

Finally, local governments can also anticipate potential regulations around data privacy, monitoring, and management as seen in the EU’s General Data Protection Regulation (GDPR), which is further discussed in Chapter 10. Although data privacy and protection may not immediately seem to be cybersecurity issues, they are in terms of local government compliance. The GDPR has been replicated and modified in the recently adopted Colorado Privacy Act. These laws cover how organizations maintain and secure the information they gather on visitors to their websites, and govern rights consumers have over their information. The data must be stored and processed for specific purposes, in a specific way, and for only certain periods of time. While it is unlikely that the federal government will implement such wide sweeping regulations (at least in the near future), legislation may be considered and adopted in other American states that is similar to that adopted by Colorado and the EU.

It is important to remember that technology and how it is used evolves much more quickly than law, policy, and regulation.

12.13 Building Cybersecurity Into All New Hardware, Software, and Anything that is Connected to the IT System

Planning in governments at all levels and in all fields must deliberately and purposively include cybersecurity. This includes, for example, planning for physical systems like elevators and Heating, Ventilation and Air Conditioning (HVAC) systems, developing databases or loading information onto public-facing websites, implementing new technologies like body cameras, contracting with a new organization for services, and more. Including cybersecurity in planning processes is a best practice for organizations with distributed and diverse responsibilities such as local governments. It is a foundational element of each of the five functions of NIST’s Cybersecurity Framework discussed in Chapter 9 (2018). Without continual planning, which must be followed by regular assessments, the critical framework functions are not likely to be achieved, meaning that local governments will fail to provide high levels of cybersecurity.

Cybersecurity should be included in all aspects of local government activities, especially when new services, procedures, operations, and technologies are being considered for adoption or existing ones are being modified. Indeed, before any new or modified services, procedures, operations, and technologies are permitted to go live, all aspects of their cybersecurity must be assessed and addressed. Similarly, when any unit within a local government considers creating such things as web portals, developing or acquiring apps, or storing sensitive information on the government’s IT system, the unit must involve the IT or cybersecurity department (preferably both). In this way, IT and cyber staff will be able to lend their expertise in the planning process to ensure that cybersecurity concerns are addressed, and that local government cybersecurity policies and procedures are followed.

If these steps are not taken prior to developing or implementing new services, procedures, operations, and technologies, local governments will be blind to areas of risk associated with those services. Including cybersecurity in organizational planning at the earliest point in the decision-making process is key to effective cybersecurity management. And, incorporating cybersecurity in the planning and development of local government services, procedures, operations, and technologies can help address potential future threats as they evolve.

Local governments should anticipate that, at some point in the future, they will likely be required to include cybersecurity in all areas of planning. This is true regardless of whether mandates come from the state or federal governments or from local government leaders as part of a process of developing and maintaining a culture of cybersecurity.

In 2021, the Office of Inspector General of the US Defense Department reported that the operating systems used by 75 percent of the Pentagon’s 3D printers were out of date. Incorporating cybersecurity into the planning of the 3D printer project could have ensured a policy of regular updates and patches, making this a completely avoidable threat (DOD Office of Inspector General, 2021). Although this is not a local government example, local governments would be wise to learn from this incident and avoid being caught in a similar situation by making sure cybersecurity is part of all technology deployment plans.

12.14 Increasing Automation

Automation of cybersecurity involves implementing security tools and technologies that help local governments monitor traffic on their networks and protect the data and information within their control. These technologies can help remove the need for human intervention in the monitoring and detection processes, reducing employee workload and potential for human error in often repetitive, time-consuming tasks. Rather than having employees analyze threats, compare them to threat intelligence, decide how to respond, and then individually resolve each issue, the entire process can be automated. Considering the number of threat alerts facing organizations like local governments, it would be nearly impossible to address every threat by hand, especially with limited cybersecurity staff. With automation, staff can be redeployed to other high priority tasks. While not every cybersecurity task can be automated, automation can provide cost savings, improve efficiency, and reduce error in local government cybersecurity.

Many tools of automation utilize AI and ML to boost ease of analysis. Local governments can automate aspects of their cybersecurity utilizing Robotic Process Automation (RPA) to engage in automatic: threat detection; triage decision-making/workflows; response determination; and threat resolution. Local governments can create standardized incident response processes and workflow logics that can quarantine devices, block URLs, geolocate IP addresses, and delete suspected malware (Splunk, n.d.). This can be accomplished by using two related automation technologies: security information and event management (SIEM), and security orchestration, automation, and response (SOAR). SIEM technologies are tuned to collect and aggregate event data to differentiate between anomalous and normal activity, whereas SOAR systems combine this data from all platforms with automated workflows into one location for ease of analysis, investigation, and automated response (Kirtley, 2020). Typical aspects of these technologies include: alert triage and prioritization; orchestration and automation (coordinating workflows); case management and collaboration; dashboard and reporting; and threat intelligence and investigation.

The future of automation in cybersecurity involves continued automation of detection, decision-making, and response to anomalous events. The most common use for SOAR technologies is to triage suspected phishing emails. However, these automation technologies are most commonly utilized by larger organizations with mature security operations centers, traits that are not common among most local governments. It is expected that by 2022, 30 percent of organizations will utilize these tools, compared to only 5 percent in 2019 (Neiva et al., 2019). Local governments will likely follow this same trend, and shift towards incorporating automation technologies into their cybersecurity in the coming years. As with other aspects of cybersecurity that organizations outsource, SIEM and SOAR technologies are becoming embedded with other products offered by security vendors. Local governments can anticipate further development in the use of AI/ML in automation technologies so that devices can learn to defend themselves.
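The division of labor described in this section can be sketched in a few lines: a SIEM-style correlation step separates anomalous from normal events, and a SOAR-style playbook maps each alert to response actions, including the phishing triage case. This is an added example, not code from any SIEM or SOAR product; the events, the threat-intelligence domain, the threshold of five failed logins, and the action names are constructed for illustration, and actions are recorded rather than executed.

```python
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed threat-intelligence feed and events (documentation-only addresses and domains).
KNOWN_BAD_DOMAINS = {"payroll-update.example.test"}
EVENTS = (
    [{"type": "login_failed", "src": "203.0.113.7", "user": f"user{i}"} for i in range(6)]
    + [
        {"type": "login_failed", "src": "10.0.4.21", "user": "clerk1"},
        {"type": "email_reported", "msg_id": "m-101", "host": "hr-ws-02", "user": "hr2",
         "url": "http://payroll-update.example.test/login", "clicked": True},
        {"type": "email_reported", "msg_id": "m-102", "host": "pw-ws-09", "user": "pw9",
         "url": "http://payroll-update.example.test/login", "clicked": False},
        {"type": "email_reported", "msg_id": "m-103", "host": "fin-ws-04", "user": "fin4",
         "url": "https://newsletter.example.org/june", "clicked": False},
    ]
)
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Alert:
    kind: str
    severity: str
    subject: str   # the IP address or message id the alert is about
    context: dict


def correlate(events, failed_login_threshold=5):
    """SIEM step: aggregate raw events and separate anomalous from normal activity."""
    alerts = []
    failures = Counter(e["src"] for e in events if e["type"] == "login_failed")
    for src, count in failures.items():
        if count >= failed_login_threshold:  # one mistyped password stays below this
            alerts.append(Alert("brute_force", "high", src, {"failures": count}))
    for e in events:
        if e["type"] != "email_reported":
            continue
        domain = urlparse(e["url"]).hostname or ""
        if domain in KNOWN_BAD_DOMAINS:
            severity = "critical" if e["clicked"] else "medium"
            alerts.append(Alert("phishing", severity, e["msg_id"], {**e, "domain": domain}))
        else:
            alerts.append(Alert("unverified_report", "low", e["msg_id"], {**e, "domain": domain}))
    # Prioritization: most severe alerts are handled first.
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a.severity])


def run_playbook(alert):
    """SOAR step: map an alert to response actions (recorded here, not executed)."""
    ctx = alert.context
    if alert.kind == "brute_force":
        return [("block_ip", alert.subject), ("open_case", alert.severity)]
    if alert.kind == "phishing":
        actions = [("block_url", ctx["domain"]), ("purge_email", ctx["msg_id"])]
        if ctx["clicked"]:
            # The user followed the link: contain the device and the account as well.
            actions += [("quarantine_device", ctx["host"]),
                        ("reset_credentials", ctx["user"]),
                        ("open_case", alert.severity)]
        return actions
    # Not every task can be automated: anything unrecognized goes to a person.
    return [("escalate_to_analyst", alert.subject)]


def triage(events):
    """Run the whole pipeline and return (alert, actions) pairs, most severe first."""
    return [(alert, run_playbook(alert)) for alert in correlate(events)]


if __name__ == "__main__":
    for alert, actions in triage(EVENTS):
        print(f"{alert.severity:8} {alert.kind:18} {alert.subject:14} -> {actions}")
```

The single failed login from 10.0.4.21 never becomes an alert, and the report that matches no known indicator is routed to a human analyst instead of being resolved automatically.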

12.15 Software Supply Chain Risks

Two of the most notable successful cyberattacks in recent years, SolarWinds (2020) and Kaseya (2021), highlight the growing risk of downstream cyberattack through the software supply chain. Both SolarWinds and Kaseya offer different software and services to thousands of organizations around the world. Unfortunately, vulnerabilities in this software and these platforms allowed the attackers to access the systems of the users of the software (SolarWinds) and send out ransomware to the company’s customers and subsequently those customers’ clients (Kaseya). CISA labeled the Kaseya attack as a “supply-chain ransomware attack” (CISA, 2021a). The Kaseya attack ultimately affected more than 1500 organizations, including US local governments such as Leonardtown and North Beach, Maryland, whose computers and networks were disabled (Freed, 2021). Often these attacks hijack software updates, undermine the integrity of the software’s code, or compromise open-source code (CISA, 2021b).

President Biden’s 2021 Executive Order 14028 on improving the nation’s cybersecurity specifically addresses these risks by directing NIST to develop standards and best practices to enhance the security of the software supply chain (NIST, n.d.). NIST then published guidance outlining security measures for critical software, and guidelines recommending minimum standards for vendors’ testing of their software source code. Among other things, when using critical software, local governments should apply practices of least privilege, network segmentation, and proper configuration to limit access to sensitive information resources and systems to those who need access to fulfill the responsibilities of their job (NIST, 2021). Network segmentation is the process by which networks are split into different networks according to the level of sensitivity, and therefore security, involved. Proper configuration of the networks means that the networks, and the protocols involved in their operation, are configured appropriately for their intended use.

As local governments continue to utilize software offered by third parties, outsource to security vendors, and move to the cloud, they will continue to face risks imposed by the software supply chain. Dependence on these products and services means that, unfortunately, it is almost impossible to avoid these risks. Risks in the software supply chain are only slated to grow in the future, as it is an efficient mode of attack to reach many potential victims. Instituting a defense in depth strategy and incorporating the supply chain into local government risk management are helpful tools to guard against the effects of such an attack.

12.16 Legacy Technology

Think of legacy technology as the old stuff, such as hardware, devices, software, and systems that are outdated and obsolete (or nearly so). For example, a local government in 2022 should not be running computers or other devices based on Microsoft Windows 98, an operating system long since deprecated by Microsoft that is now unsupported and rife with security and stability problems. Many organizations, local governments included, have and still use legacy technologies, some going back many years, and those systems perform important tasks within the organizations.

Moreover, because of the rapid pace of technological change, technologies that were acquired only a few years ago could be made obsolete by newer technologies that far out-pace their dated cousins and/or because manufacturers no longer support the older technologies rendering them obsolete. Organizations continue to use legacy systems for various reasons including the fact that many legacy systems are or appear to be doing exactly the jobs for which they were purchased and also because of the cost and difficulty of upgrading them (e.g., Be Informed, 2021; Sawant, 2020).

There are good reasons, however, for local governments to consider replacing legacy systems or legacy components of their information systems, especially for reasons of cybersecurity. Legacy systems are likely not well-enough equipped to withstand modern cyberattacks, and they may not be capable of being upgraded or adapted to defend against such attacks (e.g., Synchrony, n.d.).

This produces a conundrum of what local governments should do regarding legacy systems. The best advice is for these governments to seriously examine the pros and cons, including costs, of upgrading (if possible) or replacing all of the legacy systems that they operate in order to ensure the highest levels of cybersecurity for their information systems. Doing so will require careful and thorough analysis of the risks posed by legacy systems as well as identification of reasonable and cost-effective alternatives to them.

During the COVID-19 pandemic, 19 states suffered extensive delays in processing unemployment claims due to legacy systems, often dating from the 1980s, many of which were incompatible with federal unemployment IT systems (Charette, 2020).

12.17 Artificial Intelligence and Machine Learning

One definition of artificial intelligence (AI) is “the ability of a digital computer or computer-controlled robot to perform tasks commonly associated with intelligent beings. The term is frequently applied to the project of developing systems endowed with the intellectual processes characteristic of humans, such as the ability to reason, discover meaning, generalize, or learn from past experience” (Copeland, n.d.). Although there are many definitions of AI, this one does a very good job of capturing the key elements of AI and showing that its purpose is the use of computers to mimic some of the most important functions of the human brain, which will then provide the device the ability to act autonomously or independently (in whole or in part) of humans.

In the world of cybersecurity, AI can be used by attackers as well as defenders of computer systems. Moreover, whichever group is more proficient at using AI will have definite advantages over the other. Hackers will use AI in the future to penetrate IT systems more easily, and defenders will use AI to anticipate and to identify and ward off attacks more effectively. As one might imagine, the payoffs for both sides are considerable. Success for attackers means money and other valuables while success for defenders is measured by identifying and defeating attackers.

AI properly used by attackers can make social engineering attacks much more powerful and successful. AI can be used “to spot patterns in behavior, understanding how to convince people that a video, phone call or email is legitimate and then persuading them to compromise networks and hand over sensitive data” (Durbin, 2020). AI can also be used to more rapidly and effectively search for new vulnerabilities in information systems and digital devices and then exploit those vulnerabilities.

Defenders, on the other hand, can use AI to improve the automated monitoring of systems and networks to identify anomalies and attacks in progress more quickly and to shut down attacks. Defenders can also use AI to improve anti-virus software and to model user behavior to identify unusual or suspicious patterns (Shakeel, 2021). The AI battle will likely continue well into the future, and local governments need to be aware of it and make plans to incorporate AI into their cybersecurity defenses.

Machine learning (ML) can be defined as “an application of artificial intelligence (AI) that provides systems the ability to automatically learn and improve from experience without being explicitly programmed. Machine learning focuses on the development of computer programs that can access data and use it to learn for themselves” (Expert.ai Team, 2020). Contemporary examples of ML include such things as image recognition (e.g., facial recognition), medical diagnosis (e.g., reading digital exams such as X-rays and MRI results), speech recognition (e.g., Amazon’s Alexa, Apple’s Siri, and Google’s Nest devices) and more.

According to one source, “Today, it’s impossible to deploy effective cybersecurity technology without relying heavily on machine learning. At the same time, it’s impossible to effectively deploy machine learning without a comprehensive, rich and complete approach to the underlying data.” Machine learning also requires massive amounts of data and the data must be accurate and comprehensive. ML is used to analyze the data in order, among other things, to learn patterns and from those patterns make decisions to assist in quickly identifying cyberattacks and stopping them. ML, thus, “can make cybersecurity simpler, more proactive, less expensive and far more effective” (Perlman, n.d.).

In short, AI and ML have the potential to be an extraordinary tool for improving operational cybersecurity. Unfortunately, as with many other information technology developments, they also provide new capabilities for adversaries to develop innovative and potentially more dangerous and successful attacks.

12.18 Conclusion

This chapter has presented a number of evidence-based predictions about the future of local government cybersecurity in order to make local government officials and their cybersecurity staff aware of impending trends. These predictions, however, are likely to have a short shelf life. This is because, at this writing, and no matter where the evidence has pointed, one thing is certain: cybersecurity is a discipline that is changing constantly, often in unpredictable ways.

New threats will almost certainly arise, and cybercriminals will devise new and more ingenious ways to ply their trade. However, defenders will develop and deploy new and more effective ways of protecting against these threats. IoT expansion will not be stopped (or possibly even slowed down), but perhaps software and device developers (on their own or under governmental pressure) will begin to build cybersecurity into their products. Working remotely will continue but perhaps at a considerably reduced rate once the COVID-19 pandemic has passed. And perhaps organizations and governments of all sizes will be able to identify, train, teach, fund, hire, and manage enough qualified cybersecurity professionals to make a positive impact on local government cybersecurity going forward.

These are just a few of the reasons why local government officials and their cybersecurity staffs must constantly scan the cybersecurity horizon to identify new threats, methods of defense, and opportunities to improve their government’s practice of cybersecurity. The future is always uncertain, but the best way to meet the challenges of tomorrow is through effective planning today. For local governments, their citizens and businesses, this is their most important task.

References

  1. Be Informed (2021). Legacy technology: 5 most asked questions. https://www.beinformed.com/blog/legacy-technology-5-most-asked-questions
  2. Bergal, J. (2021, July 26). States consider legislation to ban ransomware payments. Government Technology. https://www.govtech.com/policy/states-consider-legislation-to-ban-ransomware-payments
  3. Bissell, K., LaSalle, R.M., and Cin, P.D. (2019, March 6). Ninth annual cost of cybercrime study. Accenture. https://www.accenture.com/us-en/insights/security/cost-cybercrime-study
  4. Budd, C. (2020, December 23). How the SolarWinds hackers are targeting cloud services in unprecedented cyberattack. GeekWire. https://www.geekwire.com/2020/solarwinds-hackers-targeting-cloud-services-unprecedented-cyberattack
  5. Bussewitz, C. (2021, May 19). Colonial Pipeline confirms it paid $4.4M to hackers. Associated Press. https://apnews.com/article/hacking-technology-business-ed1556556c7af6220e6990978ab4f745
  6. Center for State & Local Government Excellence (2020, April). State and local government workforce: 2020 survey. https://www.slge.org/assets/uploads/2020/04/workforcesurvey2020.pdf
  7. Charette, R.N. (2020, August 28). Inside the hidden world of legacy IT systems. IEEE Spectrum. https://spectrum.ieee.org/inside-hidden-world-legacy-it-systems
  8. Copeland, B.J. (n.d.). artificial intelligence. Britannica. https://www.britannica.com/technology/artificial-intelligence
  9. Coveware (2019, November 1). Ransomware payments rise as public sector is targeted, new variants enter the market. https://www.coveware.com/blog/q3-ransomware-marketplace-report
  10. Cybersecurity and Infrastructure Security Agency (CISA), US Department of Homeland Security (n.d.). Moving the US government towards Zero Trust cybersecurity principles. https://zerotrust.cyber.gov
  11. Cybersecurity and Infrastructure Security Agency (CISA), US Department of Homeland Security (2021a, July 02). Kaseya VSA supply-chain ransomware attack [press release]. https://us-cert.cisa.gov/ncas/current-activity/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack
  12. Cybersecurity and Infrastructure Security Agency (CISA), US Department of Homeland Security (2021b, April). Defending against software supply chain attacks. https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf
  13. CyberSeek (n.d.). Heat map. https://www.cyberseek.org/heatmap.html
  14. Durbin, S. (2020, October 13). How criminals use artificial intelligence to fuel cyber attacks. Forbes. https://www.forbes.com/sites/forbesbusinesscouncil/2020/10/13/how-criminals-use-artificial-intelligence-to-fuel-cyber-attacks/?sh=7fcbc2955012
  15. Eaton, C., and Volz, D. (2021, May 19). Colonial Pipeline CEO tells why he paid hackers a $4.4 million ransom. Wall Street Journal. https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636
  16. English, L. (2021, June 01). The tech talent war has no end in sight: Here’s what you need to know. Forbes. https://www.forbes.com/sites/larryenglish/2021/06/01/the-tech-talent-war-has-no-end-in-sight-heres-what-you-need-to-know/?sh=22e627005f2d
  17. Ericsson (n.d.). Future IoT. https://www.ericsson.com/en/future-technologies/future-iot#:~:text=The%20future%20of%20IoT%20has,diverse%20use%20cases%20at%20hyperscale
  18. European Location Interoperability Solutions for e-Government (ELISE) (2021, June 10). Artificial intelligence in the public sector. https://joinup.ec.europa.eu/collection/elise-european-location-interoperability-solutions-e-government/artificial-intelligence-public-sector
  19. Exec. Order No. 14028, 86 Fed. Reg. 26633 (2021, May 12).
  20. Expert.ai Team (2020, May 6). What is machine learning? A definition. https://www.expert.ai/blog/machine-learning-definition
  21. Freed, B. (2021, July 08). Maryland towns impacted in Kaseya ransomware breach. StateScoop. https://statescoop.com/kaseya-revil-ransomware-leonardtown-north-beach-maryland
  22. Gartner (2021, May 17). Gartner forecasts worldwide security and risk management spending to exceed $150 billion in 2021 [press release]. https://www.gartner.com/en/newsroom/press-releases/2021-05-17-gartner-forecasts-worldwide-security-and-risk-management
  23. Gershgorn, D. (2021, June 30). Maine passes the strongest state facial recognition ban yet. The Verge. https://www.theverge.com/2021/6/30/22557516/maine-facial-recognition-ban-state-law
  24. Global Market Insights, Inc. (2016, March 22). Bring your own device (BYOD) market size worth USD 366.95 billion by 2022: Global Market Insights Inc. [press release]. https://www.globenewswire.com/news-release/2016/03/22/822021/0/en/Bring-Your-Own-Device-BYOD-Market-size-worth-USD-366-95-Billion-by-2022-Global-Market-Insights-Inc.html
  25. Government Technology News Staff (2021, June 02). The state of cloud in state and local governments. Government Technology. https://www.govtech.com/cloud-different/the-state-of-cloud-in-state-and-local-governments
  26. Grimes, R. (2012, January 10). Why Internet crime goes unpunished: Until we make the Internet secure, cyber criminals will continue to pull off high-value, low-risk offenses. CSO Magazine. https://www.csoonline.com/article/2618598/why-Internet-crime-goes-unpunished.html
  27. Hein, D. (2021, February 08). Employees believe mobile devices play a key role in productivity. Mobility Management Solutions Review. https://solutionsreview.com/mobile-device-management/employees-believe-mobile-devices-play-a-key-role-in-productivity
  28. Hospelhorn, S. (2020, March 29). Solving the cybersecurity skills shortage within your organization. Varonis. https://www.varonis.com/blog/cybersecurity-skills-shortage
  29. Kanowitz, S. (2021, March 02). StateRAMP: How state and local governments accelerate cloud adoption. GCN. https://gcn.com/articles/2021/03/02/stateramp-readies.aspx
  30. Keegan, M.J., and Greenberg, S. (2021, April 13). The future of work in local governments post pandemic. IBM Center for The Business of Government. https://www.businessofgovernment.org/blog/future-work-local-governments-post-pandemic
  31. Kirtley, E. (2020, July 09). What is SIEM? What is SOAR? How are they different? Swimlane. https://swimlane.com/blog/siem-soar
  32. Kranz, M. (2018, September 28). Overcoming the dark side of IoT. Cisco. https://blogs.cisco.com/innovation/overcoming-the-dark-side-of-iot
  33. Lookout (2021). US government threat report: Telework exposes government to high mobile risk. https://www.lookout.com/info/government-threat-report-lp
  34. MarketWatch (2021, April 12). Bring-your-own-device (BYOD) market size, share, industry, analysis, price, trends, growth, report and forecast 2020–2025 [press release]. https://www.marketwatch.com/press-release/bring-your-own-device-byod-market-size-share-industry-analysis-price-trends-growth-report-and-forecast-2020-2025-2021-04–12
  35. Marks, J. (2021, August 2). The cybersecurity 202: The government is facing a severe shortage of cyber workers when it needs them the most. https://www.washingtonpost.com/politics/2021/08/02/cybersecurity-202-governments-facing-severe-shortage-cyber-workers-when-it-needs-them-most
  36. McAfee (2021). What Is Endpoint Security? https://www.mcafee.com/enterprise/en-us/security-awareness/endpoint.html
  37. MeriTalk (2021). Hybrid at hyperspeed: Cloud strategy for the new reality of government. https://www.meritalk.com/wp-content/uploads/2021/01/hybrid-at-hyperspeed-report.pdf
  38. Miles, S. (2019, February 14). Cybercriminals take aim: The dark side of IoT. IoT For All. https://www.iotforall.com/cybercriminals-take-aim-dark-side-iot
  39. Milkovich, D. (2020, December 23). 15 Alarming cyber security facts and stats. Cybint. https://www.cybintsolutions.com/cyber-security-facts-stats
  40. Morgan, S. (2017, December 11). 5 reasons the cybersecurity labor shortfall won’t end soon. Dark Reading. https://www.darkreading.com/risk/5-reasons-the-cybersecurity-labor-shortfall-wont-end-soon/a/d-id/1330575
  41. Morgan, S. (2020, November 13). Cybercrime to cost the world $10.5 trillion annually by 2025. Cyber Crime Magazine. https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/#:~:text=A%202017%20report%20from%20Cybersecurity,figure%20rose%20to%20%2411.5%20billion
  42. Municipal Research and Services Center (2021, May 19). Telecommuting. https://mrsc.org/Home/Explore-Topics/Management/HR-Management/Telecommuting.aspx
  43. Nakashima, E. and Lerman, R. (2021, May 15). Ransomware is a national security threat and a big business: And it’s wreaking havoc. Washington Post. https://www.washingtonpost.com/technology/2021/05/15/ransomware-colonial-darkside-cyber-security
  44. Neiva, C., Lawson, C., Bussa, T., and Sadowski, G. (2019, June 27). Market guide for security orchestration, automation and response solutions. Gartner. https://www.gartner.com/en/documents/3942064/market-guide-for-security-orchestration-automation-and-r
  45. Norris, D.F., Mateczun, L., Joshi, A., and Finin, T. (2019). Cyberattacks at the grassroots: American local governments and the need for high levels of cybersecurity. Public Administration Review, 79(6), 895–904. https://doi.org/10.1111/puar.13028
  46. Norton (2019, August 28). The future of IoT: 10 predictions about the Internet of Things. https://us.norton.com/internetsecurity-iot-5-predictions-for-the-future-of-iot.html
  47. Oltsik, J. (2019, April). The life and times of cybersecurity professionals, 2018. Enterprise Strategy Group. https://cdn.ymaws.com/www.members.issa.org/resource/resmgr/surveys/esg-issa-2018-survey-results.pdf
  48. Panetta, K. (2021, April 05). Gartner top security and risk management trends for 2021. Gartner. https://www.gartner.com/smarterwithgartner/gartner-top-security-and-risk-trends-for–2021
  49. Parker, K., Horowitz, J. M., and Minkin, R. (2020, December 9). How the coronavirus outbreak has – and hasn’t – changed the way Americans work. Pew Research. https://www.pewresearch.org/social-trends/2020/12/09/how-the-coronavirus-outbreak-has-and-hasnt-changed-the-way-americans-work
  50. Patterson, D. (2018, September 26). The dark web is where hackers buy the tools to subvert elections. CBS News. https://www.cbsnews.com/news/campaign-2018-election-hacking-the-dark-web
  51. Perlman, A. (n.d.). The growing role of machine learning in cybersecurity. Security Roundtable. https://www.securityroundtable.org/the-growing-role-of-machine-learning-in-cybersecurity
  52. PhishLabs (2021). Ransomware playbook: Defense in depth strategies to minimize impact. https://www.phishlabs.com/blog/ransomware-playbook-defense-in-depth-strategies-to-minimize-impact-2
  53. Pittman, E. (2017a, May 31). Cloud players: Who’s who in the government market. Government Technology. https://www.govtech.com/biz/Cloud-Players-Whos-Who-in-the-Government-Market.html
  54. Pittman, E. (2017b, May 31). How should IT strategies evolve to capitalize on the cloud’s potential today? Government Technology. https://www.govtech.com/computing/how-should-it-strategies-evolve-to-capitalize-on-clouds-potential-today.html
  55. Research and Markets (2018, April 04). Global mobile device management (MDM) market 2018–2023: Decline of bring your own device (BYOD) devices expected to act as the restraining factor for the growth of the market [press release]. https://www.globenewswire.com/news-release/2018/04/04/1460141/0/en/Global-Mobile-Device-Management-MDM-Market-2018-2023-Decline-of-Bring-Your-Own-Device-BYOD-Devices-Expected-to-Act-as-the-Restraining-Factor-for-the-Growth-of-the-Market.html
  56. Richard, C. (n.d.). What is the dark side of IoT? Security Informed. https://www.securityinformed.com/insights/dark-side-of-internet-of-things.1578417703.html
  57. Rose, S., Borchert, O., Mitchell, S., and Connelly, S. (2020, August). Zero trust architecture. National Institute of Standards and Technology (NIST).
  58. Sawant, V. (2020, December 28). A brief guide to legacy system modernization. Rackspace Technology. https://www.rackspace.com/blog/brief-guide-legacy-system-modernization
  59. Shakeel, I. (2021, April 6). Use AI to fight AI-powered cyber-attacks. AT&T Business. https://cybersecurity.att.com/blogs/security-essentials/use-ai-to-fight-ai-powered-cyber-attack
  60. Shi, F. (2020, March 26). Threat spotlight: coronavirus-related phishing. Barracuda Networks. https://blog.barracuda.com/2020/03/26/threat-spotlight-coronavirus-related-phishing
  61. Sjouwerman, S. (2019, December 23). Seven reasons for cybercrime’s meteoric growth. Forbes. https://www.forbes.com/sites/forbestechcouncil/2019/12/23/seven-reasons-for-cybercrimes-meteoric-growth/?sh=2641e0415fa2
  62. Sloan, K. (2020, March 12). The problem with data breach fatigue. Cybintsolutions. https://www.cybintsolutions.com/the-problem-with-data-breach-fatigue
  63. Sophos (2021). The state of ransomware in government in 2021. https://secure2.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/sophos-state-of-ransomware-in-government-2021-wp.pdf
  64. Splunk (n.d.). What is security automation? https://www.splunk.com/en_us/data-insider/what-is-security-automation.html#overview
  65. Stevens, G. (2018, December 7). Dark web phishing kits: Cheap, plentiful and ready to trick you. Security Boulevard. https://securityboulevard.com/2018/12/dark-web-phishing-kits-cheap-plentiful-and-ready-to-trick-you
  66. Suderman, A. (2021, May 09). Ransomware gangs get more aggressive against law enforcement. Associated Press. https://apnews.com/article/ransomware-gangs-hacking-police-cybercrime-pipeline-3a38c27c4fafe0c39461fb71bf91a42a
  67. Synchrony Systems, Inc. (n.d.). 5 Ways your legacy systems may add to cybersecurity risks. https://sync-sys.com/5-ways-your-legacy-systems-may-add-to-cybersecurity-risks
  68. Tinianow, A. (2020, July 1). Bitcoin demand drives $1.4 billion ransomware industry in the U.S. Forbes. https://www.forbes.com/sites/andreatinianow/2020/07/01/bitcoin-demand-drives-14-billion-ransomware-industry-in-the-us/?sh=601541f532d8
  69. U.S. Department of Defense, Office of Inspector General (2021, July 01). Audit of the cybersecurity of department of defense additive manufacturing systems (DODIG-2021-098). https://www.dodig.mil/reports.html/article/2683843/audit-of-the-cybersecurity-of-department-of-defense-additive-manufacturing-syst
  70. U.S. Department of Justice, Office of Public Affairs (2021, June 07). Department of Justice seizes $2.3 million in cryptocurrency paid to the ransomware extortionists darkside [press release]. https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside
  71. U.S. National Institute of Standards and Technology (NIST) (2014). Special Publication 800–53 Rev. 4. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
  72. U.S. National Institute of Standards and Technology (NIST) (2015). Special Publication 800–161. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf
  73. U.S. National Institute of Standards and Technology (NIST) (2018, April 16). Framework for improving critical infrastructure cybersecurity version 1.1. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
  74. U.S. National Institute of Standards and Technology (NIST) (2020a). Special Publication 800–207. Zero trust architecture. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
  75. U.S. National Institute of Standards and Technology (NIST) (2020b). Special Publication 800–124 Rev. 2 (Draft). https://csrc.nist.gov/publications/detail/sp/800-124/rev-2/draft
  76. U.S. National Institute of Standards and Technology (NIST) (2021, July 9). Security measures for “EO-Critical Software” use. https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/security-measures-eo-critical-software-use–2
  77. U.S. National Institute of Standards and Technology (NIST) (n.d.). Executive Order 14028, Improving the nation’s cybersecurity. https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity
  78. U.S. National Security Agency (NSA) (2021, February). Embracing a zero trust security model. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF
  79. Vailshery, L.S. (2021, March 08). Internet of Things (IoT) and non-IoT active device connections worldwide from 2010 to 2025. Statista. https://www.statista.com/statistics/1101442/iot-number-of-connected-devices-worldwide/#:~:text=The%20total%20installed%20base%20of,that%20are%20expected%20in%202021
  80. Varonis (2021). 134 Cybersecurity statistics and trends for 2021. https://www.varonis.com/blog/cuybersecurity-statistics
  81. Verizon (2020). 2020 Verizon data breach investigations report. https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf
  82. Vinchesi, P. (2020, May 14). After Covid-19: Is there a place for telework in local government? ICMA. https://icma.org/articles/article/after-covid-19-there-place-telework-local-government
  83. Walter, J. (2020, May 2). Covid-19 news: FBI reports 300% increase in reported cybercrimes. https://www.imcgrupo.com/covid-19-news-fbi-reports-300-increase-in-reported-cybercrimes
  84. Warner, J. (2021, May 6). What is zero trust security? CrowdStrike. https://www.crowdstrike.com/cybersecurity-101/zero-trust-security
  85. Watts, S., and Raza, M. (2019, June 15). SaaS vs PaaS vs IaaS: What’s the difference and how to choose. BMC Blogs. https://www.bmc.com/blogs/saas-vs-paas-vs-iaas-whats-the-difference-and-how-to-choose