Imagine waking up to news of a city plunged into chaos. The water supply has been disrupted, emergency services are offline, and local transportation is at a standstill. A ransomware attack has crippled local government, holding critical infrastructure hostage. Sensitive personal data, from Social Security numbers to medical records, are at risk of being leaked to criminal organizations. Citizens wonder what they should do and how long it will take for their community to recover. This is not a hypothetical scenario but a stark reality that cities across the country face. City officials must ask themselves if they are doing enough to protect their communities from these invisible yet devastating threats. The need has never been greater for robust cybersecurity at the local level as a matter of survival.
Society’s interconnected nature means that a breach in one small system can have far-reaching consequences. Cybersecurity is a critical issue at the local level (city and county government agencies and private-sector entities) that encompasses cybersecurity training, cyber hygiene practices, cybersecurity resilience, and incident response. Cybersecurity resilience is crucial for safeguarding critical infrastructure and information systems. State and local governments manage essential services such as water supply, electricity, transportation, and emergency response, which are vital for public safety and economic stability.
Local governments in the United States (U.S.) are as plentiful as the cybersecurity risks they face. In 2022, the U.S. Census Bureau reported 90,837 local governments, including county, township, municipal, and special purpose entities. These entities are highly susceptible to, and constantly at risk of, cyberattacks, given the vast amounts of sensitive information they maintain, constrained resources, limited funding, level of awareness, inadequate training, and antiquated information systems. Notable cyberattacks targeting state and local governments include the following:
- Atlanta (Georgia) Ransomware Attack (2018) – A significant ransomware attack affected multiple city departments, including the police and courts. The attack caused widespread disruption and cost the city an estimated $17 million to recover.
- Baltimore (Maryland) Ransomware Attack (2019) – A ransomware attack crippled thousands of computers and disrupted city services for weeks. The attackers demanded a ransom of 13 bitcoins (around $76,000 at the time), which the city refused to pay.
- Cyberattack on Texas State and Local Governments (2019) – A coordinated ransomware attack targeted 22 local government entities in Texas. The attack disrupted services and required a significant coordinated response from state and federal agencies.
- New Orleans (Louisiana) Cyberattack (2019) – New Orleans declared a state of emergency after a ransomware attack forced the city to shut down its computer systems. The city was forced to rebuild its IT infrastructure.
- Ransomware Attack on Baltimore County (Maryland) Public Schools (2020) – A ransomware attack led to the shutdown of the county’s public school network systems, resulting in class cancellations for 115,000 students.
- Dallas County (Texas) Cybersecurity Incident (2023) – This event followed a ransomware attack five months prior, which compromised the personal information of 26,212 City of Dallas employees. The ransomware attack impacted benefits-related information maintained by the city’s human resources department. The hacker group Royal threatened to leak sensitive information, including names, addresses, Social Security numbers, medical information, and health insurance information.
- Michigan and New York Ransomware Attacks (2024) – City governments experienced service disruptions and had to shut down some facilities after cyber incidents.
- 10 Major Cyberattacks and Data Breaches (2024) – In the first half of 2024, 10 major events stand out, but more are likely to occur.
The growing threat of cyberattacks on state and local governments emphasizes the need for comprehensive, robust cybersecurity measures and preparedness. The risks of not taking these steps include increased exposure and vulnerability to cyberattacks, financial losses, damage to critical infrastructure, brand and reputational damage, legal consequences, and national security risks.
Common Vulnerabilities in Government Systems
A robust cybersecurity framework helps protect these services from malicious attacks, such as ransomware and data breaches, which can disrupt operations and compromise sensitive information. By implementing strong security measures, state and local governments can ensure the continuity of essential services, maintain public trust, and prevent costly and potentially catastrophic consequences. Common vulnerabilities in government systems that cyber attackers can exploit include:
- Outdated Software and Unpatched Systems – Many government systems run on software that has not been updated or patched, making them vulnerable to known exploits.
- Weak Authentication Mechanisms – Poor password policies and lack of multi-factor authentication can facilitate attackers’ unauthorized access.
- Phishing Attacks – Government employees are often targeted by phishing attacks, which can lead to credential theft and unauthorized access to sensitive information.
- Insufficient Network Segmentation – Without proper network segmentation, access to one part of the network can enable attackers to move laterally to other parts, increasing potential damage.
- Misconfigured Systems – Incorrectly configured systems and services can expose vulnerabilities that attackers can exploit.
- Lack of Employee Training – Employees who are not adequately trained in cybersecurity best practices can inadvertently expose systems to attacks.
- Remote Work Vulnerabilities – The increase in remote work has introduced new vulnerabilities, particularly in virtual private networks and remote access systems.
- Third-Party Vendor Risks – Government agencies often rely on third-party vendors, which can introduce vulnerabilities if those vendors do not have robust security measures.
In addition to defending against external threats, cybersecurity resilience also addresses the risks posed by human error and insider threats. Employees at all levels can inadvertently expose systems to vulnerabilities through actions such as clicking on phishing emails or misconfiguring security settings. However, the threat does not only come from negligence. Intentional and unintentional insider threats can be just as damaging. Disgruntled employees or others with access to sensitive systems can misuse their privileges, either out of malice or carelessness, leading to significant breaches.
Comprehensive training programs, continuous monitoring, and a culture of cybersecurity awareness are essential to mitigate human error and insider threats. By fostering a proactive approach to cybersecurity, state and local governments can reduce the likelihood of incidents caused by internal vulnerabilities, ensuring that critical infrastructure and information systems remain secure and resilient in the face of evolving threats. Addressing these risks requires a comprehensive approach, including regular software updates, strong authentication practices, employee training, thorough security assessments, and close monitoring of internal access to sensitive systems. Government agencies can improve their cybersecurity posture with the following tools and actions:
- Implement Zero-Trust Architecture – Adopting a zero-trust model (strong authentication practices) ensures that no one inside or outside the network is trusted by default. This approach requires continuous verification of user identities and access permissions.
- Regular Software Updates and Patch Management – Maintaining software and systems with the latest patches helps protect against known vulnerabilities.
- Multi-Factor Authentication (MFA) – Enforcing MFA adds an extra layer of security and restricts unauthorized access.
- Employee Training and Awareness Programs – Regular training sessions help employees recognize and respond to phishing attempts and other social engineering attacks.
- Continuous Monitoring and Incident Response – Implementing monitoring tools and a robust incident response plan helps rapidly detect and mitigate threats.
- Network Segmentation – Dividing the network into segments limits the spread of malware and restricts unauthorized access to sensitive information.
- Secure Cloud Services – Moving to secure cloud services and ensuring proper configuration can enhance security and resilience.
- Collaboration and Information Sharing – Sharing threat intelligence and collaborating with other agencies and private-sector partners improves overall cybersecurity defenses.
- Endpoint Detection and Response (EDR) – Deploying EDR solutions can help agencies detect and respond to malicious activities on endpoints across the network.
Collaboration in Action
State and local governments can enhance their cybersecurity resilience through several collaborative efforts. One effective approach is to establish regional cybersecurity alliances or task forces that bring together various government entities, private-sector partners, and academic institutions.
These alliances facilitate the sharing of threat intelligence, best practices, and resources, enabling a more coordinated and comprehensive defense against cyberthreats. Regular joint training exercises and simulations can also help identify vulnerabilities and improve response strategies, ensuring that all participants are prepared to handle potential incidents.
A key aspect of collaboration is the development of standardized cybersecurity policies and frameworks. By adopting common guidelines and protocols, state and local governments can ensure a consistent and unified approach to cybersecurity across different jurisdictions. This includes implementing shared cybersecurity tools and technologies, conducting joint audits and assessments, and participating in mutual aid agreements to provide support during cyber incidents. Additionally, leveraging federal resources and programs, such as those offered by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), further strengthens local efforts and provides access to valuable expertise and funding. Through these collaborative measures, state and local governments build a more resilient and secure cyber environment.
One successful example of state-level collaboration on cybersecurity resilience is the Multi-State Information Sharing and Analysis Center. This organization provides a central resource for gathering and sharing information on cyberthreats among state, local, tribal, and territorial governments. The center offers services such as threat intelligence, incident response, and cybersecurity training, helping to enhance the overall security posture of its members.
Another notable example is the Texas Cybersecurity Framework, which was developed by the Texas Department of Information Resources. This framework provides a standardized approach to cybersecurity across state agencies and local governments, promoting consistency and collaboration. It includes guidelines for risk management, incident response, and security awareness training, ensuring that all entities are equipped to handle cyberthreats effectively. Various states have implemented laws, policies, and structures to govern cybersecurity as an enterprise-wide strategic issue. These efforts include collaboration with public- and private-sector stakeholders to enhance overall cybersecurity governance. They highlight the importance of collaboration in building a resilient cybersecurity infrastructure at the state level. By working together, states can leverage shared resources, expertise, and best practices to better protect their critical systems and data.
Public-Private Partnerships in Cybersecurity
Public-private partnerships play a crucial role in enhancing state-level cybersecurity by leveraging the strengths and resources of both sectors. These partnerships foster information sharing, which is essential for identifying and mitigating cyberthreats. The private sector often has access to advanced technologies and expertise, while the public sector can provide regulatory support and coordination. By working together, they can create a more comprehensive and effective cybersecurity strategy:
- Strengthen cyber protections – In January 2024, the Center for Internet Security reported that cyberattacks against state and local governments rose in 2023. However, it found that some of those agencies have begun strengthening their cyber protections against future attacks (e.g., identity management, cybersecurity awareness training, and implementation of mitigation and recovery strategies).
- Boost election system security – In February 2024, the U.S. Cybersecurity and Infrastructure Security Agency introduced a program to conduct more cybersecurity reviews for election offices across the country.
CISA has programs to help protect critical infrastructure. For example, the Cyber Innovation Fellows Initiative allows private-sector experts to work alongside government teams, enhancing mutual understanding and capabilities. Additionally, public-private partnerships can help develop and implement standardized cybersecurity practices, ensuring a consistent approach across sectors and jurisdictions. This collaboration not only improves the overall security posture but also builds trust and resilience within the community. State and local governments can effectively address cybersecurity challenges through innovative and collaborative approaches.
Strategies for building cyber resilience cost money. State and local government officials must implement risk assessments, security policy development, employee training, software updates, network protection, data backup and recovery, incident response planning, regular testing, vendor scrutiny, and continuous improvement efforts. These actions by state and local governments are often hampered by a lack of funding. However, funding sources and grants are available to states and local governments for cybersecurity training:
- State and Local Cybersecurity Grant Program – Managed by CISA and the Federal Emergency Management Agency (FEMA), this program provides significant funding to help state, local, tribal, and territorial governments address cybersecurity risks and threats. For FY 2023, approximately $374.9 million was available.
- Tribal Cybersecurity Grant Program – Also managed by CISA and FEMA, this program specifically supports tribal governments in enhancing their cybersecurity posture. In FY 2023, around $18.2 million was allocated for this purpose.
- Homeland Security Grant Program – This program includes the State Homeland Security Program and the Urban Area Security Initiative, which provide funds to enhance the ability of state and local governments to prevent, protect against, respond to, and recover from terrorist attacks and other disasters, including cyber incidents.
- Edward Byrne Memorial Justice Assistance Grant Program – Administered by the Bureau of Justice Assistance, this program provides funding to support a range of activities, including cybersecurity initiatives, to improve the functioning of the criminal justice system.
These and other programs offer valuable resources to help state and local governments strengthen their cybersecurity capabilities and protect critical infrastructure and information systems. Cybersecurity training for local and state government agencies is vital. Programs like the Federal Virtual Training Environment offer no-cost, online cybersecurity training, highlighting the accessibility of resources for enhancing the cyber-ready workforce. State and local entities must adopt cyber hygiene practices to protect against common threats.
Building Collective Digital Safety and Security
Cybersecurity at the state and local levels is a critical component of a secure and resilient society. As the digital threats against local governments and private entities grow more sophisticated, the need for action becomes urgent. Cybersecurity is a shared responsibility. At the state and local levels, it forms the bedrock of the collective digital safety and security of all. Governments cannot afford to leave their communities vulnerable to attacks that could cripple essential services, compromise sensitive information, and disrupt daily life. The path forward is clear. Through comprehensive cybersecurity training, vigilant cyber hygiene, resilience-building, and swift incident response, local governments can fortify their defenses. Every citizen, agency, and organization must play a part in this effort. The stakes are too high to ignore, especially with global adversaries seeking to exploit U.S. vulnerabilities. The country’s collective digital safety and security depend on the decisions municipalities make today – because the next cyberattack is not a matter of if, but when.

Michael Breslin
Michael Breslin is a retired federal law enforcement senior executive with 24 years of law enforcement and homeland security experience. He served as the deputy assistant director in the Office of Investigations focusing on the integrated mission of investigations and protection with oversight of 162 domestic and foreign field offices. He served as the event coordinator for the National Special Security Event Papal visit to Philadelphia in September 2015 and was appointed by the Secretary of Homeland Security to serve as the federal coordinator for the Papal Visit to the Mexico-U.S. Border in 2016. He is a member of the Senior Executive Service and is a published author of numerous articles on homeland security, defense, and threat mitigation methods. He serves on the Cyber Investigations Advisory Board of the U.S. Secret Service and is a Board Member for the National Center for Missing and Exploited Children. He also serves on the Preparedness Leadership Council. He has a B.A. from Saint John’s University, Queens, NY; an M.S. in National Security Strategy and a Graduate Certificate in Business Transformation and Decision Making from The Industrial College of the Armed Forces; and an MPA from John Jay College of Criminal Justice.