Sitting Prey: State and Local Governments Struggle to Defend Against Cyber Threats

From a hacker’s perspective, there is a lot to love about the government. In cybercrime, the motto isn’t so much “Go big or go home.” They know larger enterprises and the federal government invest a lot of resources in security. Adversaries know that if they “Go small,” they can win big.

Sophisticated and determined hackers may target intelligence agencies patiently waiting to find an open door, but a persistent attacker doesn’t need patience to hack a government agency. They simply need to target state and local governments. Why? Because they collect and store a wealth of data from credit card information and personally identifiable information (PII) to pension fund information and tax records.

They are digital gold mines challenged by limited financial and staffing resources that limit them from being about to build effective cybersecurity programs to adequately protect the information they collect. When it comes to cybersecurity, state and local governments continue to battle the reality of numerous priorities competing for limited tax dollars. They don’t have the resource needed to address growing threats.

Hackers know this, which is why state and local agencies are attractive targets for cybercriminals. Imagine the financial gains for the hackers who are able to steal, then sell the Social Security and driver’s license numbers from just one little municipality.

If it were one weakness that had an easy fix, these smaller government agencies might not be so vulnerable, but the cards are stacked against them for several different reasons. As the threat landscape expands, concerns continue to mount, especially after Homeland Security notified 21 states that Russian hackers had targeted their voter registration files or websites.

What are the biggest issues that challenge state and local governments?

  • More vulnerable systems. Government are often storing data on older, more vulnerable systems. The are restricted in their ability to modernize outdated systems because of their many budgetary constraints. Multiple products from multiple vendors don’t readily integrate and require prohibitively expensive installation and ongoing management. A typical agency doesn’t have the budget to effectively deploy and maintain all the required components.
  • Competing for Tax Dollars. Local agencies are underfunded. Information technology (IT) accounts for less than 0.1% of the overall municipal budget. Municipalities struggle to offer the competitive salaries that skilled IT professionals demand. There’s often little room in the budget to provide sufficient training so that staff can counter evolving cyber threats.
  • Municipalities need strong security policies. Many smaller government agencies either can’t or don’t segment their network so that an intruder can move laterally, gaining access to highly sensitive information that should be restricted. Because they share a common network with inadequate secure policies, these state and local agencies are making the work easy for the intruder.
  • More and more regulations. In addition to GDPR, several complicated regulations from various agencies have created a wide range of compliance requirements. Compliance can no longer be just a checkbox that meets the lowest level of security required. For small IT organizations with limited security expertise, enforcing compliance with these regulations can be an onerous level of additional overhead on top of their substantial core responsibilities.
  • Cyber threats are more persistent and complex. Defending against those threats has become equally complex. Targeted attacks are very difficult to block with traditional security products. A savvy adversary can leverage technologies that allow them to lurk for months completely undetected.
  • The human element. Human beings are and continue to be the weakest link in the security chain. Security Awareness Training programs have been effective in combating those accidental human errors, but delivering the training comes at a price. Employees require both training and oversight, which isn’t always where funding is allocated in tight budgets.

Major breaches to the federal government over the past few years have proven that despite the best efforts to security systems, no government agency is impervious. Yes, threats are more complex, and limited resources challenge security, but state and local governments looking to secure the data entrusted to them can work with a partner.