Cybersecurity at the Grass Roots: Examining cybersecurity among American Local Governments
PI: Donald F. Norris, Laura Mateczun, Anupam Joshi, Tim Finin, Richard Forno
Executive Summary
This project involves an ongoing examination of cybersecurity among American’s grassroots, or local governments. Our first effort in this area occurred in 2013 when we conducted a focus group of the CIOs or CISOs of several Maryland counties, the city of Baltimore and the state of Maryland. The results have been published in the Journal of Homeland Security and Emergency Management. Next, in 2016 we conducted the first ever nationwide survey of cybersecurity officials in American local governments. Two papers have been published from this work: one in Public Administration Review and one in the Journal of Urban Affairs. We intend to conduct a follow-on nationwide survey in 2021 to determine, among other things, if local government cybersecurity has improved in the five years since the initial survey.
Challenges and activities
We chose local government cybersecurity because it is an understudied area in both computer science and the social and policy sciences. We also decided to examine local government cybersecurity because these governments are under constant, or nearly constant, attack (see also: Norris, et al., 2018, 2019 and 2020). Among the local governments responding to our survey, 28 percent reported being attacked at least hourly or more frequently, and 19 percent said at least once a day (for a total of 47 percent of all respondents). What is troubling, however, is that more than a quarter (nearly 28 percent) said that they did not know how frequently they were attacked.
In addition to advancing scholarly knowledge about this important subject, our findings also enable us to make recommendations to local governments regarding their practice of cybersecurity. Our findings and recommendations can be found in the papers mentioned above and in our related outreach.
Thus far our team has conducted one focus group and one survey with a second survey planned for 2021. Team members attended and helped facilitate a meeting of city CISOs in San Francisco, CA in February 2020 that resulted in the establishment of an organization representing city CISOs, the Coalition of City CISOs, the purpose of which is to share cybersecurity issues, problems and best practices among the CISOs of the nation’s largest 30 cities. At the request of this organization, two of our team members developed a White Paper for CISOs to use to educate city elected and appointed officials, department heads and staff on the need for high levels of cybersecurity and on their appropriate behaviors and roles in it. This White Paper is free for anyone’s use and we are in the process of disseminating it more broadly through various local government organizations across the United States.
In 2019 we also provided testimony to Maryland legislators about state and local government cybersecurity issues and offered recommendations to help fill the critical gaps in their cybersecurity workforce and cyber emergency preparedness.
Potential impact
The impact of our work will be found among two groups: local governments and scholars of cybersecurity, local government and public policy and administration. To the first group, our findings will be informative and our recommendations for improvements in the practice will be helpful. To the second, our research is nearly unique as there are few scholarly works in computer science and the social sciences that directly address local government cybersecurity. To our knowledge, we are the only team of researchers in the country focusing on local government cybersecurity. Thus, our findings have begun and will continue to fill a gap in the scholarly literature about this topic.