Incoming: What Local Governments Can Learn From Federal Cybersecurity Efforts

Long before the federal government charged two defendants in 2018 for ransomware attacks on municipal computer systems—including Atlanta’s—cities found ways to make do during these outages. Police wrote reports by hand, traffic tickets were paid in person and social media kept everyone informed in a way that showcased a city’s resiliency.

But some communities now struggle more than others, especially when incident-response efforts are not designed to address multiple physical or cyber events at the same time. Cities and counties are underfunded and understaffed when it comes to cyber resources. According to a survey by the National Association of State Chief Information Officers, 92 percent of states have developed and taken advantage of security awareness training, but only 65 percent offer security infrastructure or services to local governments.

To fill the gap, local governments can use the support of lessons learned from recent exercises involving corporate, municipal and federal resources.

A case in point is the findings of Jack Voltaic 2.0, a bottom-up approach to critical infrastructure resilience. This experiment, hosted by the City of Houston and including the Army Cyber Institute, analyzed disaster recovery plans and responses from eight critical infrastructure sectors. While most cities don’t have the resources to conduct large exercises, they can take advantage of the recommendations for tightening cybersecurity and adjusting their thought processes for addressing vulnerabilities.

First, a city should find the similarities with its jurisdiction. Every city and county has critical infrastructure, but not all resemble the transportation, power, water and communications systems operated by the federal government. Federal infrastructure has additional safeguards on military bases, for example, and any disruption can be felt outside an immediate jurisdiction. The best approach for local governments is to pick the after-action reports from an exercise that addresses similar critical infrastructure. If a city or county has a maritime port, then its officials should look for reports from the U.S. Coast Guard or large port cities like New York or San Diego. Conclusions from those will be the most relevant.

Next, a jurisdiction should screen findings and apply them appropriately. Some federal reports are very detailed about the takeaways from an exercise, and it’s not practical for jurisdictions to mimic them. Consider this outcome from Jack Voltaic 2.0:

“Growing physical and cyber risk to cities requires a different framework for risk mitigation, due to current frameworks being inadequate to meet the changing and growing threat to urban communities. For the nation to defend itself, U.S. cities need an adaptable and scalable model to improve the cybersecurity posture. A bottom-up approach is required to integrate a risk-management framework that is replicable and adaptive to the rapidly evolving threat to urban communities.”

How should cities view this? Leaders should ensure that their community has an adaptable or scalable model to improve its cybersecurity posture and develop a formal, written cyber incident response plan. They shouldn’t let the lack of a definitive checklist stop them from interpreting some sections and extracting value.

A third action is to look for opportunities to extend recommendations. Report findings will have several recommendations, but they can leave room for growth based on a community’s particular circumstances. For example, under the first finding of Jack Voltaic 2.0, one recommendation reads:

“City and local cybersecurity efforts should better integrate the private sector, particularly critical infrastructure (e.g., electric grid, telecoms, water and transportation). Public-private partnerships should evolve (i.e., move beyond service-level agreements) to induce a cultural change for building trusted relationships and working together.”

For city and county leaders, the question starts with what public-private partnerships exist in the community. But then, leaders must go further. Are these partnerships deliberate and focused, with opportunities to test or challenge and build trust? Are critical cybersecurity experts identified to teach and mentor public officials? Ultimately, it boils down to how the community builds trust with the local citizenry.

Community leaders also must maintain continuous communication. No local cybersecurity plan will work well without the right groups at the table. Leaders should invite first responders, law enforcement, the media and other government employees to a half-day seminar that reviews findings borrowed from the federal government. These meetings also should include leaders from industry, small business, civic organizations, schools and churches. The more people who are involved, become informed and understand the responses, the stronger the public’s confidence will be in local leaders to detect, evaluate and resolve cybersecurity issues.

Often, the cost for cyber attack preparation is the time necessary to conduct analyses and host seminars. The payoff is informed leaders and a greater ability to defend against threats.

Maj. Gen. Jennifer Napper, USA (Ret.), is a vice president in Perspecta’s defense group. She previously served as director of cybersecurity plans and policy for the U.S. Defense Department Cyber Command, and she led the U.S. Army’s Network Enterprise Technology Command (NETCOM).