On February 5, 2021, a water treatment plant in Oldsmar, Florida was hit with a cyberattack in an attempt to poison the municipal water supply. The attack was stopped before the drinking water could be contaminated, but it highlighted the concern about infrastructure and government operations being impacted by cyber actors. Cybersecurity is a discipline, an essential part of the professional environment, and a set of ever-changing principles that can no longer be solely in the realm of IT and high-tech professions.
Residents, businesses, public and private institutions, and governments are all potential targets. At every level, each organization and individual needs to employ measures and best practices to protect themselves from cyberattacks.
While the effort to protect oneself, organization, and even friends and loved ones from cyberattacks can appear daunting, there are very discrete steps to take, types of software to use, and best practices to employ. Cybersecurity tools and policies can strengthen an enterprise, communicate threats, and coordinate with state and federal partners to work toward preventing cyberattacks and apprehending cybercriminals.
Why is Cybersecurity Important for Local Government?
The initial threats that spring to mind when you hear “municipal cybersecurity” may be to critical infrastructure: electricity, gas, water, phone and internet lines, and so on. While these are potential targets for cyberattacks, as shown with the example of the Oldsmar attack, there are other elements of government that can be infiltrated and compromised as well.
Payroll and timekeeping systems, sensitive records, public-facing webpages, and internal networks are some examples of potentially vulnerable systems. Your community may benefit from a cybersecurity specialist, an IT professional with cybersecurity experience, as well as savvy employees throughout the organization. At the end of the day, everybody plays a role in preventing attacks on these critical networked systems.
SEMCOG, as part of the effort to implement the Broadband in Southeast Michigan: Expansion, Engagement, and Equity Framework, recognizes that an increase in high-speed internet and internet-enabled device access means an increased risk of cyberattacks and social engineering. This has culminated in a strategy to provide resources, educational materials, and information on funding programs coming through state and federal agencies. Namely, the following funding programs have recently launched through the Infrastructure Investment and Jobs Act (IIJA):
- State and Local Cybersecurity Grant Program (SLCGP) – A $1 billion program through the Cybersecurity and Infrastructure Security Agency (CISA) to “help states, local governments, rural areas, and territories address cybersecurity risks and cybersecurity threats to information systems.” The Michigan Department of Technology, Management, and Budget (DTMB) has submitted its State Cybersecurity Plan, and is awaiting approval from CISA before authorizing sub-grants to local governments.
- Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program (RMUC) – A $250 million funding program through the Department of Energy’s Cybersecurity, Energy Security, and Emergency Response (CESER) Office that provides funding to help rural, municipal, and small investor-owned electric utilities to “improve operational capabilities, increase access to cybersecurity services, deploy advanced cybersecurity technologies, and increase participation of eligible entities in cybersecurity threat information sharing programs.”
- Cyber Response and Recovery Fund (CRRF) – A funding program for CISA that provides resources to help with bolstering cybersecurity and recovering from cyberattacks for federal, state, local, and Tribal entities.
Partners, Best Practices, and Creating a “Zero Trust” Environment
On October 19, 2022, SEMCOG hosted a webinar-the first of two-talking about municipal cybersecurity and the importance that local government plays in protecting residents, businesses, visitors, and institutions. We heard from Jacque’l Lake, SEMCOG IT Manager, as well as two major players in the statewide cybersecurity space: Phil Bertolini, Senior Vice President of Government Technology, and Andy Brush, Michigan Cyber Partners Program Director with the Michigan Department of Technology, Management, and Budget (DTMB).
Among partners and industry, an increasingly common practice is one of Zero Trust. As the Center for Digital Government defines it:
Zero Trust is a security framework requiring all users/devices to be authenticated, authorized, and continuously validated before being granted access to applications and data.
To paraphrase a Russian proverb: do not trust until it is verified. This mindset equips all workers within an enterprise, government or otherwise, to be careful about activities online, what software to install, and how to identify phishing scams and other social engineering attempts. According to CDG reporting in 2021, Zero Trust as a principle was in use in 32% of counties and 32% of cities in the U.S. In 2022, this grew to 36% of counties.
In addition to increased adoption, the budget for cybersecurity has increased across the board. In 2021, 31% of counties and 41% of cities spent 6-10% of their IT Budgets on cybersecurity. In 2022, county spending grew by 10%. Michigan as a whole also maintains a robust cybersecurity network and spends 3.5-4% of its IT budget on cybersecurity; helping the state maintain an “A” grade on Government Technology’s 2022 Digital States Survey.
While there is no easy way to correlate the amount spent to the effectiveness of cybersecurity efforts, it remains a high priority to prevent cyber actors from infiltrating and compromising government data. Additionally, DTMB’s Cyber Partners Program highlights the importance of a collaborative framework to approaching cybersecurity between communities, counties, the state, and the federal government. As Mr. Brush states in his presentation, “cybersecurity is a team sport.”
This framework is a sum of its parts: the communities making up Michigan, the Michigan Department of State, State Police, National Guard, and the FBI, CISA, and more generally the Department of Homeland Security. This collaborative environment aids communication about different programs such as SLCGP, as well as best practices, Dos and Don’ts, and situational awareness updates for different programs and activities making up the cyber threat space.
There were a few key takeaways from our speakers for consideration by all staff in local and county governments:
- Cybersecurity is everyone’s responsibility, regardless of role or technology usage, as the workplace becomes increasingly more connected or even entirely remote.
- Cyber threats continue to be a challenge and need to be prioritized and adequately funded; organizations should give greater credence to Zero Trust.
- Update software and systems when possible; change default passwords; and use multi-factor authentication for devices.
- Activate your network – talk cyber with people across your enterprise, in other communities and organizations, and even friends and family! This helps increase a resilient network of people with the right knowledge and tools to avoid and mitigate cyberattacks.
- If you are a local government, consider a .gov domain system for your website. It is a secure platform that benefits from security evaluations from CISA against standards set by the National Institute of Standards and Technology (NIST).
For more information, please watch the SEMCOG University Webinar below and view the slides as a PDF.
Questions? Contact Noah Bussell, Planner, SEMCOG Economic and Community Vitality.
Leave a Reply