The importance of building cyber resilience at a local level.

Local government essential services rely heavily on the expertise of Information Technology (IT) and information security specialists.

Prioritizing Cyber Resilience at a Local Level is Crucial

State and local governments in the United States are taking steps to bolster their cybersecurity defenses in the face of growing threats. A key component of these efforts is mandatory, annual cybersecurity awareness training for all government employees, combined with enhanced incident reporting and data protection standards [1][2][3].

This approach, often referred to as the "whole of government" model, aims to blur traditional responsibility boundaries between state and local agencies. It encourages information sharing and coordination, recognising that smaller, less-resourced local governments are especially vulnerable [1][2][3][4].

Key aspects of the "whole of government" model include mandatory reporting of all cybersecurity incidents within 72 hours and ransomware payments within 24 hours to state homeland security offices. It also involves setting standardised data protection rules for state technology systems and providing grant funding for local governments [1][2][3][4].

However, these initiatives face several challenges. Resource constraints at local governments, where fewer trained IT and cybersecurity professionals are available, are a significant hurdle. Recruiting and retaining qualified cybersecurity personnel is also difficult, limiting the ability to implement and maintain robust defenses [4].

Managing legacy IT systems and technical debt, which complicates modernization efforts and the adoption of cloud and SaaS solutions, is another challenge. Uncertainty about future federal funding adds a potential funding gap, as key cybersecurity grant programs may not be reauthorized post-2025 [4].

Ensuring consistent compliance and participation across diverse local agencies with varying capacities and priorities is also difficult. Local governments often operate with constrained budgets, aging systems, and limited cybersecurity expertise [4].

Despite these challenges, state and local governments are moving towards federally supported, coordinated, and legally mandated cybersecurity training programs paired with incident reporting frameworks. However, difficulties in personnel, funding stability, and IT modernization remain significant hurdles that influence the effectiveness of these training and cybersecurity initiatives [1][4].

Local government and business leaders should consider conducting comprehensive cybersecurity assessments to understand their current readiness. The financial impact of a successful cyberattack on a small municipality can be devastating, with the average cost of ransomware recovery in 2024 standing at $2.73 million [4].

Cyberattacks on state and local governments have been increasing, with incidents reported from coast to coast. In February, a cyberattack in Mission, Texas, disrupted police operations, and in March, Union County, Pennsylvania, experienced a ransomware attack exposing sensitive personal information of thousands of residents [5][6].

Exploiting industrial Internet of Things (IoT) vulnerabilities in water treatment facilities could put public health systems in jeopardy. Malware attacks involving remote access trojans against state and local governments increased by 148%, according to the Center for Internet Security [4].

The top three barriers to effectively defending against cybercrime are the inability to pay competitive salaries to cybersecurity employees, an insufficient number of cybersecurity staff, and a lack of funds [4].

In conclusion, strengthening cybersecurity in U.S. state and local governments requires a multi-faceted approach that addresses resource constraints, recruitment and retention challenges, legacy IT systems, and funding stability. Effective cybersecurity requires comprehensive, ongoing training that constantly evolves with the threat landscape.

Dara warned of the need for local governments to be vigilant about ransomware payments, insisting that such payments should be reported to state homeland security offices immediately, within the 24 hours mandated by the "whole of government" model, to avoid potential cybersecurity threats.

Annual cybersecurity awareness training for all government employees, part of the "whole of government" approach, is emphasized because of growing cybersecurity risks, especially for smaller, less-resourced local governments that are particularly vulnerable.
