Cybersecurity isn’t a new priority for government, but investment in technologies and responsive policies that protect against attacks has lagged in recent years. Cyberattacks have evolved to become more sophisticated and complex, making it imperative that governments invest in technical and policy solutions that address the dynamic nature of these threats. Indeed, according to the National Association of State Chief Information Officers, cybersecurity was ranked as the number one strategic IT priority in 2015 for state and local agencies.
While experts in information security recognize the dire need for more attention on cybersecurity, it can be challenging to make it a priority throughout an organization. The key is recognizing the prolific threat of cyberattacks. “Living with risk is the new normal, and managing it is as an essential part of achieving optimal performance in digital government,” explains William Eggers, executive director of Deloitte’s Center for Government Insights. To stay ahead, government should evolve and build “strong capabilities for detection, response, reconnaissance, and recovery.”
Cities face challenges in protecting government data, yet investments in cybersecurity vary due to local priorities and strapped resources. Los Angeles, CA, the second largest city in the country, is investing in new technology and partnering with the private sector to spur innovation. The policies Los Angeles implemented can be scaled up or down depending on a city’s size and capacity. Mission Viejo, CA, a suburban city with a population nearing 100,000, serves as a model for how cities can execute a robust cybersecurity plan on a smaller scale.
The chief information security officer (CISO) of Los Angeles, Tim Lee, and the mayor of Mission Viejo, Frank Ury, represent cities that stand out in their efforts to make cybersecurity a top priority in California, a state facing the most network attacks of any other state in the United States, according to Akamai’s a real-time web monitor. Here are the key takeaways from these two very different cities that are both leveraging resources and instituting comprehensive response policies to be cyber resilient.
- Establish a Secure Funding Stream
As government becomes more connected and data-driven, it is crucial that agencies prioritize cybersecurity as a key expense in their IT budget.
Cities can use recent trends on the federal level to justify an increase in cybersecurity investment. A federal budget proposal for fiscal year 2017 revealed that the White House plans to increase its cybersecurity budget by 35 percent. Mayor Ury and CISO Lee encourage local governments to devote 15 percent of their IT budget to cybersecurity.
There is a local push to spend more money on cybersecurity to bolster two key technical efforts: situational awareness and threat intelligence. Situational awareness is a broad term used to describe the internal review process that allows an agency to evaluate the risk associated with all data assets and identify systems that require advanced security measures. Threat intelligence helps agencies understand the complexity and frequency of the different types of cyberattacks. A greater investment in cybersecurity will allow cities to be proactive about protecting government data. This investment also helps keep government running properly. Cities do not expect to function with their network down for a few days, so they should not expect their whole enterprise to be down for that amount of time, either. This scenario is entirely possible if cities undervalue the importance of cybersecurity.
- Hire and Retain Cybersecurity Talent
Government has always struggled to attract and retain tech talent, so it comes as no surprise that this trend persists in such a technical field as cybersecurity.
Bringing in a cybersecurity expert is expensive and many decision makers are unable to see the return of investment on having these experts on retainer. With tight municipal budgets, it can be difficult to plan for low-probability, high-risk scenarios. However, attacks are increasing in frequency and are more likely to penetrate a system that is poorly protected.
Mayor Ury and CISO Lee encourage cities to find room in their budgets for these specialists. Often the best way to do this is to hire a CISO who will work to protect the agency’s information by addressing the significant disconnect between policy and tech and prioritizing cybersecurity. Smaller cities that lack the capacity for a CISO could contract out or hire a part-time specialist.
A third alternative would be to coordinate a joint powers authority with other cities in the region. A shared services model would allow smaller cities to share resources and aggregate their spending to help buy cybersecurity services. In fact, Mayor Ury is working with other cities in Orange County to build a shared services network to support cybersecurity investment.
- Set Up Strong Ties with the Private Sector to Spur Innovation
The private sector is largely leading the way in cybersecurity innovation; therefore, it is essential that cities build partnerships with the sector.
Los Angeles is planning a citywide public-private partnership initiative for cybersecurity. The initiative, a partnership with the Department of Homeland Security and a number of businesses from different industries, will facilitate information, data, and threat intelligence sharing so that the public and private sectors can develop best practices relating to new threats and cybersecurity technologies. The initiative will also provide partners with remote access to the city’s integrated Security Operations Center (ISOC), a centralized system that provides real-time situational awareness and threat intelligence across all city departments.
- Collaborate with Open Data Program to Ensure Citywide Compliance
Open data and digital services teams interact regularly with municipal departments to support departmental efforts in pushing data to open data portals and in using data to measure outcomes and performance. These partnerships are excellent opportunities to discuss all available data and how it is housed to ensure that critical data assets are stored according to the city’s cybersecurity protocols. Cybersecurity and open data teams can collaborate to release data while being proactive in protecting vulnerable source systems that require additional security.
According to Los Angeles Chief Data Officer Lilian Coral, “open data is the other side of the coin of cybersecurity. The more that we work in concert with cybersecurity, the more we can prevent future attacks.”
- Build an Exhaustive Response Policy
To be effective in protecting a city’s information, an elected official should understand the strategic value in putting robust response policies in place.
When it comes to cybersecurity, not every approach is equally effective. According to Mayor Ury and CISO Lee, resilient cities have a pre and post-attack plan in place. Prior to a cyberattack, cities must set up a response policy that includes:
- Pre-established relationships with third party vendors.
- In-depth scenario planning that trains staff for responding to all types of cyber threats.
- Employee security awareness and education programming.
- Business continuity and process playbook which outlines how staff will continue performing job duties in case of attack (e.g., communicating with the mayor through an alternative email exchange if the network email goes down).
Post-attack resiliency should include:
- A systems restoration plan that lays out how to get systems up and running without disrupting the business continuity.
- A thorough investigation of the nature of the breach and an immediate investment in addressing the vulnerability.
- Manage Risk by Improving Training and Culture
Cities can spend large amounts of money on technical solutions and create detailed response plans, but without knowledgeable employees, one wrong click can have detrimental consequences. A Ponemon Institute survey of over 600 privacy and data protection training professionals found that 60 percent of employees are unaware of their organization’s security risks. In addition to this knowledge gap, many employees exhibit poor digital practices, making their organizations more vulnerable to future attacks.
According to the Ponemon Institute, organizations can alleviate risk through effective training and a proactive culture. Changing culture involves both leadership and behavioral incentives to nudge employees to be more cognizant of their choices. The report encourages executives to set the tone for the rest of the organization by requiring cybersecurity training for all employees without exception. Cities can also “gamify” their trainings to make them more engaging for employees.
Finally, the Ponemon Institute recommends cities use data breaches as an educational opportunity “to affirm through training the importance of being conscientious when handling sensitive and confidential information as well as having a real example of the consequences of a data breach.”
Los Angeles and Mission Viejo demonstrate that there is no perfect formula for protecting against future attacks, but there are a number of effective tools cities can use to reduce the likelihood and the potential damage. Cities should share practices to collectively strengthen the security of government information.