A longer version of this column originally appeared in Government Technology magazine.
As escalating cyberthreats continue to grab global headlines, local governments have been hit particularly hard over the past year. From cities to counties to townships, the breadth and depth of attacks have overwhelmed many jurisdictions.
Last year, Government Technology magazine described “Local Governments' Cybersecurity Crisis in 8 Charts.” And our Internet problems and cyberattacks have only grown worse as we head toward 2020.
So what can be done? How can local governments, and indeed many struggling state government agencies, address these new online threats that consistently address risk in sustainable ways?
For insight, I turned to an industry luminary who is well known in federal, state and local government technology circles — Teri Takai.
Takai is executive director of the Center for Digital Government,* a national research and advisory institute on information technology policies and best practices in state and local government. She worked for Ford Motor Co. for 30 years in global application development and information technology strategic planning. From Ford, she moved to EDS in support of General Motors.
A long-time interest in public service led her to the government sector, first as CIO of the state of Michigan, then as CIO of the state of California, and subsequently the CIO of the U.S. Department of Defense, the first woman appointed to this role. She then served as the CIO for Meridian Health Plan. She is a member of several industry advisory boards.
Teri has won numerous awards including Governing magazine’s Public Official of the Year (Governing is a sister publication of Government Technology), CIO magazine’s CIO Hall of Fame, Government Technology magazine’s Top 25 Doers, Dreamers & Drivers, the Women in Defense Excellence in Leadership Award, and the Department of Defense Medal for Distinguished Public Service.
Followers of my blogs and articles will recognize that I have interviewed Takai in the past. In 2013, I interviewed her on FirstNet, and in 2007, I wrote this blog about her before she became California CIO. Teri was also my boss from 2003 to 2007, while she was the Michigan CIO and I was Michigan’s first CISO. Teri has taught me so much over the past two decades, and she continues to bring fresh insights in 2019.
In addition to a resume that is unmatched in government circles, Teri has a thoughtful, pragmatic approach that has earned her the respect of global leaders in the public and private sectors. She is a sought-after expert by government leaders and company boards of advisers.
Dan Lohrmann (DL): Why do you think many local governments are struggling with their cybersecurity efforts? What are the main factors involved?
Teri Takai (TT): The challenge for local governments with their cybersecurity efforts has been well documented in a recent article by PTI:
- Lack of resources — both the attrition of current staff with knowledge of their technology platforms and the ability to recruit and retain talented individuals, not only in cybersecurity but also in a knowledge of their technology applications and infrastructure
- Aging technology — local government is often running on technology that has either not been maintained to current levels or was custom developed to meet a specific government need. With the rapid pace of the technology, it is often difficult to keep the technology protected from today’s threats
- New technology introduction — with the rush to newer technologies, local governments may be introducing new technology without the knowledgeable technical resources, which can increase the overall threat. In addition, introducing new technology that is not well integrated with the existing technology can also introduce new threats.
- Size and scope of local government — while larger cities and counties have IT organizations that match or exceed capabilities at a state level, it is the smaller jurisdictions that do not have the size and scale to meet today’s cybersecurity challenges. The lack of capabilities extends not just to IT but also to the support organizations like procurement who need an understanding of the technology to support the IT organization.
- Lack of understanding and funding in key local government executive roles — in the end, in order to address the issues above, it requires funding and support at the executive levels. For the smaller jurisdictions, there is still a belief that cybersecurity is either a technology issue or there are not clear definitions of the role that executives play. There must be a recognition that technology is no longer a "back-room" function, that funds must be available to keep the technology up to date, and that there must be a "cyber disaster recovery" plan that has the same focus, funding and resources as any disaster recovery plan. It is also important to convey the ongoing cybersecurity threat — the Internet is here to stay and with it the cyberthreat.
There is no "one-time" spend that makes a jurisdiction 100 percent secure.
DL: As local governments think about technology and security governance, what models tend to work the best in your experience?
TT: The models that are emerging to support cybersecurity efforts are a strong collaboration between state and local governments across technology and public safety and which includes collaboration with federal resources like the National Guard, FBI and DHS. Even stronger, there are models emerging where local government can buy services from either the state, city or county to bring together "economies of scale," but not from the standpoint of just reduced cost but more from the standpoint of utilization of scarce technology expertise.
But this is a cultural change for local government — sharing of resources can be seen as a loss of control. It is important that these barriers be addressed to achieve the benefits.
The model for individual jurisdictions is a whole of government approach — regardless of size of city or county. Important is the development of a cybersecurity disaster recovery plan that covers everything from data protection, data backups, practiced data recovery scenarios, and roles and responsibilities for the activities and the communication to the citizens. Much attention is given to how to protect and prevent a cyberincident — while important, it is just as essential to understand how to deal with an incident when it occurs.
DL: How can the private-sector technology partners/vendors help?
TT: Private-sector partners can help by offering solutions for local government but ensuring that they do not oversell their capabilities. In the end, it is the responsibility of the buyer — local government IT and procurement — to ensure that the local government data are protected.
Secondly, the private-sector partners can often complicate the technology environment by selling solutions that local government cannot implement or integrate with their current technology. There is too much technology spend out there that is not providing real value. As much as the technology partners can be "trusted partners" to local government rather than "vendors," their contribution is critically important.
DL: Does outsourcing cybersecurity functions offer a good solution for most local government organizations?
TT: It is important to realize that government cannot outsource cybersecurity responsibility. It is always the responsibility of government to ensure that citizen data are protected and secure. Outsourcing does have a place — there are functions in the technology infrastructure, in operations and even in cybersecurity monitoring and detection where the private sector is important. For smaller local government, however, it is essential that they have the capability to vet any technology company and solution to ensure that they can provide the protection necessary. In some cases, it may make sense to first move to shared services where there are several local governments coming together and bringing their shared expertise and buying power to a potential technology partner. This is also where collaboration with state and local government can provide essential knowledge in both the technology but also in the procurement of services.
Another aspect of outsourcing is the move to buying software as a service rather than buying software and maintaining a technology infrastructure. We are seeing more and more government entities moving in this direction. This approach does provide a significant benefit but with it comes the need to understand how to implement in a new way of operating where there is less control and more standardization.
DL: What other partnerships are most successful in your experience?
TT: To combat the cybersecurity threat, local government must look at the threat across all of the departments and agencies — not just as a technology issue. For example, the ability to combat a ransomware attack means identifying those data that are essential to the local government and prioritizing the funding to ensure that those data are protected. That goes beyond what IT and the CIO can do. It means the recognition and partnership across government to combat the threat.
DL: Is running a local government's IT like running a small or medium-size business? How are they different?
TT: Interestingly, small and medium-size businesses run into the same issues — small scale, lack of funding, aging technology, and ability to secure the environment. The big difference for local government is the scope of the data that they are responsible for. While a medium-size business may hold data for their customers, local government is responsible for the data for all of the citizens in that geographic area.
DL: What other recommendations do you have for local governments to consider?
TT: It is important for the CIOs and technology leaders to move away from their responsibility for the technology to lead the entire government organization in understanding the cybersecurity threat and helping their jurisdiction put in place the funding and process to protect the citizen data. Cybersecurity is no longer a problem to be "solved," but an ongoing effort.
But the protection of data also requires some basic "blocking and tackling":
- Patch, maintain and replace hardware and software
- Back up data
- Ensure adequate ongoing training
- Establish cyberdisaster recovery strategies, plans, training — and practice
- Don’t buy tools for the sake of more technology — use what you have
- It’s about the infrastructure — not just new tools and capabilities
DL: Anything else you want to add?
TT: Just to emphasize again — there is no magic bullet that "solves" the cybersecurity "problem." The protection of data will be an ongoing part of the way that we implement technology in the future. As the sophistication of technology increases, so will the sophistication of the threats. The ability of smaller organizations to address the threats without collaboration, shared resources and support of the technology partners is a thing of the past.
This is the first in a short series of blogs that I plan to write over the coming year on cybersecurity recommendations, tips and strategies for small to medium-size government organizations. As Teri pointed out, many of the same challenges are being faced by local governments and small businesses, and several white papers will be coming out as we head into 2020 that I plan to highlight.
This blog on ransomware from earlier this year also offers helpful data and tips, and North Dakota’s case study can also help larger counties and other states that are experiencing similar challenges.
*The Center for Digital Government is part of e.Republic, parent company of Techwire and Government Technology magazine.