1
Why Local Government Cybersecurity?

This book begins with a simple question: why examine cybersecurity among America's local (or grassroots) governments? What's so special about these organizations that they deserve scrutiny? They are, after all, just organizations, and most, if not all organizations have certain similarities, especially the need to maintain effective levels of cybersecurity.

The need for cybersecurity is demonstrated every day and is a common staple in the popular media. And local governments do not differ much, if any, in the need for cybersecurity from organizations such as Microsoft, Target, Home Depot, JPMorgan Chase, the White House, or many others. The similarity to which readers should be aware is that all of these organizations have been successfully hacked.as has a growing number of local governments.

1.1 Most Important Reason

Perhaps the most important reason that cybersecurity among local governments warrants our attention is that these governments are increasingly targets of cybercriminals and are under constant, or nearly constant, attack (Norris et al., 2018, 2019, 2020 ). Moreover, aside from relatively few studies, little is known about the specific vulnerabilities, exposures, practices, and shortcoming of local governments in this matter - yet every local government cybersecurity official who one of the authors (Norris) helped interview in 2013 agreed that their governments were under constant attack. Among local governments responding to a survey that two of the authors (Norris and Mateczun) helped conduct in 2016, 28 percent reported being attacked at least hourly or more frequently, and 19 percent said at least once a day (for a total of 47 percent of all respondents). What is really troubling, however, is that more than a quarter (nearly 28 percent) said that they did not know how frequently they were being attacked (Norris et al., 2019).

Among local government Chief Information Security Officers (CISOs) responding to a 2020 survey of mainly large US local governments, 57 percent said that they were under attack constantly, 29 percent said at least hourly, and 14 percent said daily (Norris, 2021). Last, the frequency and severity of cyberattacks against local governments is expected to continue to grow, not to abate, because these governments have become favorite targets of cybercriminals. A reason for this undesirable outcome is that while many organizations, on average, typically do a poor job with cybersecurity, local governments do it even more poorly.

1.2 Additional Reasons

There are other reasons to be concerned about cybersecurity among local governments. The first is the sheer number of American local governments. As of the 2017 Census of Governments, there were 90,074 units of local government, of which 38,779 are general purpose governments, including 3031 counties, 19,519 municipalities and 16,360 towns and townships. There were also 38,542 special districts, most of which are single purpose districts providing such services as fire protection (5975), potable water (3593), drainage/flood control (3344), etc. Last, there were 12,754 independent public school districts (US Census Bureau, 2017). Taken together, this represents a lot of governments, especially considering that there are only 50 states and one federal government in the US.

A related point is that most general purpose (municipalities, counties, townships) local governments in the US are small. Around three-quarters of the nation's incorporated places had fewer than 5000 residents in 2020 (Toukabri and Medina, 2020). Moreover, the great majority of American cities (78 percent) have populations of 10,000 or less (ICMA, 2013). This does not include the 12,801 municipalities with populations of less than 2500, which constituted 47 percent of all cities in 2017 (Miller, 2018; see also Chapter 13). And, because of their size, small local governments are faced with budgetary constraints not typically experienced by large local governments like those of big cities and counties. This is one reason smaller local governments are unable to to fund adequate levels of cybersecurity. See Table 1.1 that shows the dramatic differences in municipalities by population, with the vast majority (80 percent) having populations of 10,000 or less, not including the number with fewer than 2500 inhabitants (ICMA, 2015). The distribution of county governments is somewhat similar, although not quite as skewed toward those with very small populations.

Table 1.1 Cumulative distribution of US municipalities (over 2500) and counties (all).

Except for the smallest among them, local governments operate information technology (IT) systems that are critical to their ability to function and to provide services to their residents. Cumulatively, they spend billions of dollars each year to support their IT systems. One estimate placed state and local government spending on information technology at over $109 billion per year (GovDataDownload, 2019).

Second, local governments provide essential, often critical public services to their residents and visitors. Consider the following and their importance to the daily lives of everyone involved: public safety (police and fire especially), the courts, election systems, emergency medical services, water provision and wastewater collection and treatment, and emergency and disaster management. Disrupting any of these services or shutting them down altogether would produce serious consequences for local governments. Modern cybercriminals know this and target local governments to steal from them and/or impede their ability to function. As of this book's writing, September of 2021,1 the most recent trend in cyberattacks against local governments involves ransomware. Such attacks are when a cybercriminal obtains access to a local government IT system, locks it down, encrypts its data, and demands payment (ransom, often in the form of cryptocurrency) for the promised return the IT system and its data to the local government unharmed.2

Source: ICMA (2013). The Municipal Yearbook 2013. Tables 2 and 3, pp. xii and xv.

In 2018 and 2019, respectively, Atlanta, Georgia and Baltimore, Maryland were victims of ransomware attacks that, among other things, caused considerable disruption of their ability to perform basic functions and provide public services. (Brief discussions of the incidents in Atlanta and Baltimore appear later in this chapter.)

A third reason to examine cybersecurity among America's local governments is that they receive, utilize, and store volumes of sensitive information, especially personally identifiable information (PII) such as names, addresses, drivers' license numbers, credit card numbers, social security numbers, tax records, and medical information. Such information is valuable to cybercriminals and obtaining it is often the purpose of cyberattacks. In fact, over the past few years, numerous local governments have reported that they lost at least some of their PII as a result of data breaches and subsequent information exfiltration. In some cases, they were threatened with the data being released (or destroyed) unless they paid a ransom.

As noted earlier, in many ways local governments are quite similar to other types of organizations in both the public and private sectors. True enough, but they also have characteristics that set them apart in ways that challenge their ability to provide high levels of cybersecurity. This represents the fourth reason for this book's direct focus on local government cybersecurity.

These characteristics include but are not limited to the fact that local governments are public entities that provide public services; they are subject to politics in ways that private sector entities are not; their structure is often federated; there is never enough money in a local government's budget to cover all needs (real and perceived); and finally their residents are essentially their owners. We will address each of these characteristics briefly below.

Local governments are public entities that provide public services. This means that the "bottom line" is not quarterly or annual profits and maximizing shareholder returns, but rather the delivery of a wide variety of services such as those noted above and others. Few private sector businesses have as wide...