Are Local Government Managers Finally Getting Real on Cybersecurity?

The use of new technologies has exploded in local governments in the last several years. But in all the rush to adopt solutions aimed at improving the effectiveness and efficiency of services, the underlying question of the security of highly connected digital tools and the data that powers them was lost. 

Local governments have been behind the curve on cybersecurity for quite some time. In 2016, the International City/County Management Association (ICMA) and the University of Maryland, Baltimore County, conducted the first survey to assess local government attitudes, actions and experiences with cybersecurity. The report disturbingly found that local governments were largely unaware of cybersecurity issues and underprepared for a cyber incident.

But the recent run of high-profile ransomware attacks in places such as Atlanta, Baltimore and more than 20 Texas municipalities—along with the associated costs of responding to these events—may finally have been the tipping point that is altering local managers’ mindsets on their role in cybersecurity. During the 2019 ICMA Annual Conference, several city and county managers discussed the shift they are seeing in the mindset of local managers. As Tad McGalliard, ICMA Director of Research and Policy Expert on Local Government Cyber Security, stated, “Cybersecurity is no longer an IT problem, but a holistic organizational problem.”

Previously, one of the major problems cited with understanding the significance of cybersecurity was that it was discussed in a highly technical manner. Todd Selig, town administrator of Durham in New Hampshire, described how the IT director in his jurisdiction would discuss cybersecurity, but he felt as though he needed that explanation translated to him. Essentially, Selig felt he was reliant on a tech-savvy person whose solutions were very costly and did not help him understand what the true needs were. What has changed for managers is that the security of cyber networks is an integral component of their business operations. For instance, city and county managers are now viewing their digital networks as a piece of infrastructure in the same way as roads and water and sewage are. That connection of digital networks to infrastructure has helped to underscore the importance of cyber networks and that their protection is essential to the business of government. Selig laid out all the ways that municipalities are starting to understand the high stakes of doing nothing in cybersecurity—loss of continuity of operations, loss of critical data, loss of confidentiality and the loss of public trust.

But for some city and county managers, cybersecurity is personal. Mike Land, city manager of Coppell in Texas, acknowledged that when most people hear cybersecurity, at first it seems like a very high-level “out of this world” problem. However, when a cyber incident occurs in a city or town the manager is squarely in the middle. Land said “If at the end of the day my citizens get hit, I get hit.” He went on to say if managers think in those terms the impact and value of cybersecurity will resonate.

Although city and county managers desire to become more proactive than reactive, the realities of being behind the curve still exist and the game of catch up has ensued. One challenge in changing gears and becoming more proactive are the policies previously in place, particularly those related to government transparency. In the last decade, local governments have made moves to provide more information to meet the demands of citizens who want to hold government accountable. As a result of that, cities and counties began to put more information into the public sphere than ever before. But that has now put them in an awkward position.

Cities and counties have worked to create more accessibility for citizens with city government employees. One example is of providing contact information such as email and phone numbers directly on websites. And while that has helped with transparency it has opened the door for bad actors to use those emails in phishing attempts. As Land said, “The idea of transparency is great but when used against you, you have to take action.” City and county managers will have to find ways that allow them to stay true to transparency but also have an eye to security.

As with most things, the way to handle this conundrum will be education. The best place to start this education is with elected officials and the staff of city and county government. As Xavier Hughes, ICMA Chief Technology and Innovation Officer said, “You need to educate on cyber as much as you educate on procurement practices.” One way that Selig suggested city and county managers start having these conversations is to simplify them by discussing what is needed and why it is needed. When he did that, it allowed him to talk more about cybersecurity in the same way he discusses increases to the police force or building a new fire department.