Connecting state and local government leaders
Local government IT executives are reluctant to even ask elected officials for more, according to the group behind the survey, knowing requests will likely be rejected.
Local governments say they don’t have enough money to sufficiently prepare for cyberattacks, and while many reported in a new survey that funding increased this year, leaders reported that they are still concerned about their ability to keep up with continually evolving threats.
Sixty-four percent of local government IT executives said their organization’s cybersecurity budget is inadequate to support cyber initiatives, according to an annual survey by the Public Technology Institute, which offers IT training to local governments. That figure is virtually unchanged from last year’s edition.
The survey, which is intended to provide a snapshot of cybersecurity programs, issues and priorities in cities and counties, also found that cybersecurity planning ranked as the top priority of the 30 local government IT executives that participated. The result shows a renewed focus on planning at the local level given the $1 billion in federal cybersecurity grants available to state and local governments.
In addition to ranking cybersecurity strategy as their top priority for the next 12 months, participants also said conducting risk assessments and malware detection mitigation were areas of focus.
Just over half—55%—of IT leaders said their cyber budgets had increased compared to last year. But PTI’s Executive Director Alan Shark downplayed the result. He said that local IT leaders are so hamstrung by strapped budgets that they do not request certain funding levels or resources, as they know from pre-budget instructions by elected officials that they will likely be turned down.
This creates a “demoralizing effect,” Shark said, and is part of a “bigger picture” where all manner of public services are under financial strain at the local level.
“The local governments are pressed; they're not rich, they're feeling a lot of stress,” he said. “Their tax revenues are lower than they should be because of vacancies in office buildings and business income, so there's a lot of headwinds facing local governments that are causing them to tighten up their budgets. While cyber suffers, there are other parts of local government that probably suffer as much, if not more.”
Shark said it can be hard to convince elected officials and senior staff to pay for cybersecurity protections before an attack, especially as cyber insurance premiums skyrocket and the amount of coverage is less. But given the vulnerabilities of state and local governments, leaders “are going to pay one way or the other” if they are attacked, he said. The consequences of a cyberattack go beyond the purely financial and include the erosion of public trust, especially if data is leaked online.
The problem of inadequate cyber resources is magnified by the increasingly sophisticated cyber threats that local IT managers face every day, which they said in the survey was the biggest barrier to addressing cybersecurity challenges. Trying to keep up with those threats, which includes attacks driven by artificial intelligence, can create a feeling that cyber defenses will never be adequate.
But Shark said he is hopeful that an approach required in exchange for funding under the $1 billion State and Local Government Cybersecurity Grant Program will counter that feeling: the whole-of-state cybersecurity strategy, which encourages better intergovernmental collaboration and information sharing.
A cornerstone of that grant program under the Cybersecurity and Infrastructure Security Agency is that it emphasizes the need for states and localities to have a planning process in place for their cyber posture. It also requires states to collaborate more closely with their local governments.
“We need to rethink cyber governance at all levels of government,” he said. “If we look at this as a whole-of-government approach, I think there is a better chance of defending all these local governments and all these public institutions across the country.”
Shark cited the example of Texas, which has piloted regional security operations centers anchored by a college or university that provide cyber support to local governments.
Progress could still be slow, however. It hasn’t traditionally been the domain of executive level officials like the chief information officer to work with local governments. One solution in addition to a more regional approach could be for states to appoint an IT executive focused on local governments, Shark said.
“Only when we start thinking like that will we have success in state and local government cooperation and strategic planning in cyberspace,” he said.