Concepts

Cities, towns, villages, and boroughs are all incorporated places in the United States. The definition of each, and even the existence of each, varies by state.¹ Connecticut has no minimum population requirement to incorporate a city; conversely, the state of Ohio requires 25,000 citizens for the incorporation of a new city.

As noted in the introduction, this report generalizes the concept of a city to include a broad range of sizes. Very large cities, such as those with a population of over 1,000,000 (there are 398 in the world and ten in the United States²), have access to a wider range of talent, funds, and partners (such as businesses operating in the metro area), but also have responsibility for securing more data, residents, and businesses operating in their jurisdiction.

While there are federal grants available for all cities, it is important to note that only certain cities are eligible for federal assistance under the Urban Area Security Initiative (UASI) in the United States (though local communities receive 80% of the State Homeland Security Program (SHSP) grants given to the states). Urban areas’ eligibility is “determined through an analysis of relative risk of terrorism faced by the 100 most populous Metropolitan Statistical Areas in the United States.”³ There are other federal grants available for all cities; however, UASI grants are available only for eligible urban areas, with ineligible cities left to search out other funding sources. Federal funding and grant options will be explored in greater depth later in this paper.

As stated above, each city has unique characteristics, but in general, cities face similar problems. These challenges are not all confined to local government. Cybersecurity is at its core an architecture, management, and governance issue that is shared by other enterprises and institutions.⁴ However, because of the diverse and critical nature of municipal systems and services, budgetary and fiscal challenges, and the responsibility to provide quality and secure services to their residents, many cities continue to struggle with designing and implementing reliable means of forestalling and remediating a cyber attack.

This paper will review and analyze partnerships that have been demonstrated to assist cities in tackling this problem more efficiently and effectively. Subsequently, we will make a set of specific recommendations to policymakers in cities and at the federal and state level to further address this challenge.

Pressure to Digitize

As consumer society has steamrolled into the electronic age, there has been (and continues to be) pressure for government to digitize its services. This push towards digitization, however, came before the advent of affordable or widespread shared platform technology, pressing cities to develop and host their own applications and systems on proprietary infrastructure, often using hardware and software cobbled together over years or even decades.

Cloud-based systems are no guarantee for security, but if properly configured, they can help decrease risk. Transition to the cloud requires proper expertise in strategy, design, and implementation, and careful personnel management and training. To make the change, urban information security experts must recognize the advantages the cloud-based systems can offer, make the case for the expense of transitioning, and secure funding for all the elements needed for successful implementation.

As a result of these barriers to entry, most cities are still battling legacy systems, some of which have been patched together and/or so heavily customized that they make transition extremely costly and complicated. Some of these systems power critical infrastructure and safety services, further complicating any maintenance or transition period.⁵

Personnel and Authorities

As all organizations, private and public, large and small, are competing for the relatively small pool of skilled and available information security personnel, cities and other local governments struggle to provide competitive salaries and attract qualified talent. Although public sector institutions can attract talent with offers for training opportunities or other perks, they often struggle to retain that talent in the long term.⁶

Additionally, many municipalities lack a Chief Information Security Officer (CISO) position or have only recently created such a position. Even if a city did not have a CISO in the past, work was being done to protect the city’s information systems; however, it does make it more likely that there were fewer resources (personnel, money, and time) invested in that effort and that those activities were pursued in silos. Among the ten largest cities in the United States, the average age of the CISO position is five years, with the most recent having been created in 2018.⁷

Building a constituency in an administration and getting buy-in for security takes time and persuasive power, as does the creation and improvement of incident response protocols and procedures. Each city may take a different approach to addressing the need for information security, but having a centralized and empowered executive focused on that direct issue is essential for success.

Budget

There is no comprehensive or targeted data on cybersecurity challenges for cities as there is for states,⁸ nor is there public information about funds requested by local governments to federal agencies. Anecdotal evidence as presented in interviews conducted for this paper is that budget remains a serious issue. The discrepancy between funds needed and available dollars for IT modernization, configuration, monitoring, and migration is one factor, but so is the ability to plan both short and long term, and adapt to changing technologies and the ever-evolving threat environment in cities where mayoral administrations and city council governance change frequently.⁹

The concepts of security, resiliency, and recovery will be used throughout this paper. It is worth defining these terms at the outset for the purposes of clarity and conformity.

Presidential Policy Directive 21 Critical Infrastructure Security and Resilience defines both security and resiliency as follows:

1. Security—reducing risk by physical means or defensive cyber measures.
2. Resiliency—the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.

Recovery, as referenced above, is the final element of resilience—what happens after an event has occurred to restore services to an acceptable state.