Tightening Cybersecurity at State and Local Governments
A new federal law aims to help states and municipalities fight cyberthreats, as a Mimecast report shows public agencies under siege.
Key Points
- President Biden recently signed a cybersecurity law directing federal collaboration with state and local governments.
- The new support could help close major gaps identified by Mimecast research in public agencies’ visibility, protections, and training.
The U.S. government will strengthen information sharing, provide training, and increase overall collaboration with state and local agencies, under the recently signed State and Local Government Cybersecurity Act. The new federal support comes at a crucial time: A recent Mimecast survey revealed that two-thirds of state and municipal governments expect to suffer a negative impact from an email-borne attack this year.
The Threat to State and Local Governments
Mimecast’s State of Email Security in U.S. Public Administration (SOES Public Administration) describes relentless cyberthreats overcoming inadequate defenses. Public agencies in states and cities are targeted far more than most organizations — in part because cybercriminals value their rich databases of personal information on the citizens they serve. Nation-state actors also attack these institutions to undermine public trust.
At the same time, agencies are chronically understaffed and short of cybersecurity funding, making them easy targets. Compounding the threat has been the flash-cut, pandemic-driven transition of remote workers and government services from legacy technologies to the cloud. With more than eight in 10 state CIOs saying that these changes are here to stay, security improvements are a top priority.[1] As one municipal CIO said in a published interview: “It’s now a time for catching up…to make sure we’re secure from the rapid changes we made.”[2]
Against this backdrop, SOES Public Administration survey respondents reported experiencing a growing volume of email-related attacks of all kinds. Their biggest complaint involved phishing emails that carry malicious links or attachments, which in turn drop malware, steal passwords, or launch attacks such as ransomware.
According to Verizon’s 2022 Data Breach Investigations Report, attacks on state and local governments are also growing more complex, leveraging a combination of several different methods.[3] SOES Public Administration respondents concurred, with 61% reporting increasingly sophisticated attacks. One resulting data breach, at a state insurance department, has already made a Top 10 list of breaches for 2022, exposing the Social Security numbers, birth dates, and other personal information of 1.8 million citizens.[4]
Federal Cyber Agency Steps In
The new federal law directs the Cybersecurity and Infrastructure Security Agency’s National Cybersecurity and Communications Integration Center to take several key steps, including:
- Establish real-time information sharing of threat indicators, cybersecurity risks, and incidents across federal, state, and local agencies.
- Provide information to state and local governments on tools and best practices.
- Help agencies effectively implement these tools and procedures.
- Provide cybersecurity training.
- Conduct joint exercises to prepare for threats and attacks.
The law follows the passage of funding measures last year, including a State and Local Cybersecurity Grant Program to deliver $1 billion over four years.[5]
Budgeting and Staffing for Better Cybersecurity
While acknowledging some improvements in state and local cybersecurity funding, SOES Public Administration survey respondents said their budgets still fall nearly 20% short, on average. This gap keeps them from fully staffing their security teams and making much-needed technology upgrades.
Staffing is a particularly difficult problem. Although one-third of public sector survey respondents said they need to hire more security specialists, they can’t compete with private-sector salaries.
SOES Report Identifies Four Gaps
The SOES Public Administration survey reveals gaps in four essential components of public agencies’ cyber strategies:
- Multilayered protection: Many government agencies have protections in place at the perimeter of their networks but don’t use “defense in depth” strategies for attackers that “land and expand” once inside.
- Employee awareness training: Only about six in 10 conduct employee awareness training monthly, and far fewer train on an ongoing basis, which is considered a best practice.
- Visibility: Public agency security leaders often lack the ability to anticipate threats. For example, only about one-third use the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol to analyze the validity of emails and accept or reject them accordingly.
- Microsoft 365 vulnerability: Many rely on only the security tools provided with Microsoft 365, but eight in 10 survey respondents said their operations had been impacted anyway by at least one M365 outage in the past year. About nine in 10 said additional levels of cybersecurity are needed to make M365 “completely secure.”
Working Smarter, Not Harder
To address these gaps, many state and local governments are looking to integrate and automate their security systems to work smarter, not harder. Nearly nine in 10 cited a preference for working within an integrated security ecosystem that combines “best-of-breed” solutions, per the SOES Public Administration report. By orchestrating tools and intelligence across gateways, endpoints, and other security systems, teams can manage their infrastructure more easily, as a unified whole.
The Bottom Line
Mimecast’s SOES Public Administration report reveals serious gaps in state and local governments’ cyber defenses as attacks grow in volume, variety, and complexity. Now, a new federal law is poised to close some of these gaps. The State and Local Government Cybersecurity Act aims to dramatically increase intelligence sharing among public agencies, while providing states and municipalities with technical support and training. Read the Mimecast report for a closer look at state and local government cybersecurity today.
[1] “2021 State CIO Survey,” National Association of State Chief Information Officers
[2] “City CIOs No Longer in 'Crisis Mode,' But There's No Going Back to Normal,” StateScoop
[3] “2022 Data Breach Investigations Report,” Verizon
[4] “The 10 Biggest Data Breaches of 2022 (So Far),” CRN
[5] “State and Local Cybersecurity Grant Program,” Department of Homeland Security