When Cyber Threats Loom, What Can State and Local Governments Do?

Josephine Wolff and William Lehr

State and local governments in the United States often struggle to muster sufficient funds and technical expertise to tackle the cybersecurity threats they face. A 2016 survey of 464 state, local, tribal, and territorial government entities conducted by the Multi-State Information Sharing and Analysis Center (MS-ISAC) found that these groups "show slow growth in their cybersecurity maturity" and are hindered primarily by a lack of resources.1 Allocating more resources for cybersecurity is therefore a crucial step for governments, but given the budget constraints public sector institutions face, it is not realistic to expect them to tackle every component of a comprehensive cybersecurity strategy on their own. Ideally, state and local governments would receive support from the federal government and regularly partner with federal agencies to address these threats and augment their limited resources. However, instead of fostering productive partnerships, these different levels of government have found themselves at odds in the aftermath of serious cybersecurity incidents, hindering their ability to work together toward defending critical cyber infrastructure against attacks and mitigating the impacts of computer security breaches. Nevertheless, local, state, and federal governments should prioritize their strategic strengths when it comes to cybersecurity and invest their resources accordingly, relying on other levels of government to reinforce their weaknesses and provide additional funding and expertise as needed.
For instance, in 2012, after the South Carolina Department of Revenue's (SCDOR) computer systems were breached by intruders who stole 3.5 million tax records containing personal information of more than 75 percent of the population of South Carolina, the state government of South Carolina placed blame for the incident on a federal government agency, the Internal Revenue Service. Then-governor of South Carolina Nikki Haley insisted at the time of the breach, "There wasn't anything where anyone in state government could have done anything to avoid it."2 Instead of taking responsibility on the state government, she faulted the IRS for failing to require state revenue departments to encrypt their sensitive tax records, calling the IRS rules for data protection "archaic."3 The IRS, in turn, lashed out at South Carolina for failing to follow security standards recommended by the National Institute of Standards and Technology (NIST).4 This back-and-forth captures some of the challenges of promoting strong cybersecurity partnerships between the federal government and state or local governments: despite a common goal, they are often suspicious of each other's motives and eager to cast blame for failures and breaches because of both political and liability issues.
More recently, this dynamic has given rise to tensions around the protection of voting systems, with some states rejecting the help proffered by federal government agencies such as the Department of Homeland Security (DHS) in 2018 to help assess and secure their voting technology.5 Government officials in several other states expressed suspicion in 2016 when DHS considered reclassifying voting technology as "critical infrastructure" for the purposes of enhanced protection.6 While all levels of government presumably share the goal of administering secure elections, their wariness of any interference and sense of mutual distrust has hindered attempts to partner effectively and pool their resources and expertise.

In this paper, we consider how state and local governments can better leverage their particular strengths and capabilities to help mitigate the economic impact of cybersecurity incidents and data breaches. The first section identifies cybersecurity strengths and weaknesses of different levels of government and recommends how they should invest their resources and when they should look to other government entities for assistance. The second section focuses on the emerging classes of threats in cyberspace that state and local governments need to be better prepared to address, especially in light of the weaknesses identified in the first section. We emphasize how criminal business models are changing with the rise of threats such as ransomware, extortion, and insurance fraud, and the ways in which state and local governments must adapt their policing and defensive efforts to these new types of threats and the associated schemes for monetization of stolen or compromised data...