Weak or nonexistent cybersecurity programs represent a massive organizational risk for county and municipal government agencies in the United States. County and municipal executives are often unaware of these risks because they assume that their IT director, their CIO or an external vendor is managing security and addressing the risks. It is rare that such an assumption is correct.
While the Ponemon Institute[i] found that “federal organizations have a stronger cybersecurity posture than state and local organizations,” the Brookings Institute[ii] concluded that “the vast majority of public agencies lack a clear cybersecurity plan.” Much of the available research is based on small samples and I believe that these studies may understate the scope of the problem. Based on my 23 years of working with public-sector organizations, I can state with confidence that most lack any cybersecurity plans at all.
Your job as a municipal executive is to provide leadership and management in order to get the big picture right throughout your organization. What follows is advice on how to ensure that an appropriate cybersecurity program is established and functional in your organization. I recommend that you, the municipal executive assume high-level responsibility for cybersecurity oversight. You don’t need to know the technical details, but you must know whether or not the infrastructure, policies and procedures are in place and working correctly.
The need for information security is as old as civilization and possibly as old as life on earth. Information security (infosec) was invented to protect the first secret — whenever and whatever that was. Infosec is not solely a human artifact — my great Dane always felt the need to maintain security concerning the location of his favorite bones and dead woodchucks. Techniques, methods and models for protecting information haven’t changed all that much, and the methods of cybersecurity are largely based on models for protecting physical information.
Information security refers to the discipline of and processes for protecting the confidentiality, integrity and availability of all your information, regardless of form. Cybersecurity is a subset of information security and applies to digital data. In this article, I may use those terms interchangeably even though they are not technically interchangeable, but counties and municipalities need an infosec plan that includes cybersecurity.
Municipal data — a pot of gold
County and municipal networks are treasure chests overflowing with priceless gems. Mortgage documents, deeds, births, deaths, ugly divorces, medical records, Social Security numbers and military discharge documents are among the many types of publicly accessible documents that may contain PII (personally identifiable information), PHI (personal health information) or other sensitive data. Constituents turn over all this information naively assuming that you are doing everything in your power to protect it from theft and misuse. Are you a worthy steward of this treasure?
Root causes and obstacles
Let’s discuss eight of many root causes of failure to establish appropriate information security programs in local government organizations. Subsequently, we’ll move on to a methodical, practical approach you can initiate immediately to improve your cybersecurity posture.
“A lack of skilled personnel is a challenge at both federal and state and local organizations.”[iii] One problem is that many public-sector IT directors and CIOs don’t have the knowledge, training and background to plan and deliver acceptable, standards-based comprehensive information security programs. They are often unaware of widely accepted standards, guidelines and frameworks that are readily available, so cybersecurity planning is often amateur and homebrewed. Moreover, HR and hiring managers often don’t understand the required skills[iv] and look for the wrong people.
The largest municipal agencies may employ a CISO (chief information security officer), but the vast majority of public-sector organizations do not have a dedicated information security executive and staff, nor should they necessarily require one.
IT staff members are rarely trained in or even familiar with relevant statutory compliance requirements. I have come to expect a deer-in-the-headlights look from public-sector CIOs and IT staffers when inquiring about security policies, privacy policies and other matters of security and compliance. Questions about compliance with HIPAA security rules, for instance, are almost always met with, “What’s that?”
A jumble of regulations
Municipal organizations may have dozens of departments, divisions or lines of business that must comply with varying regulatory requirements from numerous federal and state agencies. Municipal governments do a lot. They may be involved in building bridges, managing traffic signals, providing water, waste, electric and sewer services, supervising elections and recording deeds while providing physical and mental health services and dental care.
A typical county government may have to comply with regulations like HIPAA[v] (the Health Insurance Portability and Accountability Act) and 42 CFR[vi] while also complying with policies from CJIS[vii] (criminal justice information services) in addition to following state regulations from organizations such as an office of mental health or a department of health. Additional requirements for records management from state archives agencies add to those complexities and often contradict other regulatory requirements.
Departments with vastly different information security and regulatory compliance requirements often coexist on a shared network where the security posture is designed for the lowest common denominator rather than for the highest. Often, municipal IT staff members don’t have clearly defined policies and procedures for reviewing information such as security logs and system events. Even if they do record these events, their stance is usually reactive rather than proactive.
Silos and turf wars
Counties and municipalities may have highly distributed management structures that function as silos rather than as a cohesive team. In some states, the silos may be a “feature” of constitutional government, where elected officials manage some departments and may not be accountable to central executives. One result of this is that a county executive, and consequently the county IT department, may not have global control of IT and information security because other elected officials choose not to cooperate. Some real world examples I have seen include:
County judges and their staff members refusing to sign and abide by acceptable use policies.
County sheriffs refusing to cooperate with an IT security audit, claiming their security policies and processes are “secret.”
Social services commissioners unilaterally declaring that HIPAA regulations don’t apply to their operations.
Silos in organizations create massive gaps in security management. When multiple parties are responsible for security, no one is responsible.
Most security problems are internal
90% of breaches occur because of an internal mistake[viii], and 60% of breaches are a result of internal attacks[ix]. Unfortunately, county and municipal information security programs often treat outside threats as 100% of the problem rather than focusing on more probable internal threats.
Insufficient budget is often used as an excuse for low-quality IT services and lack of security in public-sector organizations. It’s usually a red herring. In my experience, there is no correlation between budget and quality in the public sector. I have seen small, low-budget organizations build excellent security programs. I have also seen large organizations with eight-figure tech budgets fail to establish even the most elementary components of an information security program. A cybersecurity program will cost money, but it doesn’t have to bust your budget.
In local government, critical management positions are often filled based on political considerations rather than the quality of candidates. Expertise in information security should be a major component in your CIO’s tool kit.
Tech versus strategic thinking
If you think in terms of technology, stop it! I am always a little suspicious of industry professionals who fall in love with a particular technology. Technology is rapidly replaced or superseded, so think strategically instead. There is no such thing as a technology problem; there are only business problems. Identify and solve for the business problem and the appropriate technical solution will reveal itself.
Check back next week for the second installment, where I will discuss solutions you can use to address your municipal or county cybersecurity problems immediately. Also, feel free to leave a comment.
Jeff has worked with organizations in nearly every sector, including the Department of Defense and other federal, state and local government agencies, as well as nonprofit organizations and small businesses and Fortune 500 and 100 companies in the insurance, publishing, manufacturing, medical and transportation industries.
Jeff re-engineers business and technology processes, systems and services for county and municipal governments, nonprofits, and small and midsize businesses to improve services and lower costs.
He holds a master of arts degree from the University of California, Riverside (Regents' fellow, Graduate Council fellow, 1992), and is also a graduate of the Defense Language Institute (Korean, honor graduate 1986), the U.S. Army Electronic Warfare School (distinguished graduate, 1986), and the U.S. Army Intelligence School (1986). Jeff's resume includes extensive training and experience in many areas.
The opinions expressed in this blog are those of Jeffrey Morgan and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.