Reducing the Cyber Risk to Cities

In March of this year, some Atlanta city government employees had to switch to paper operations after ransomware encrypted their computer systems. All in all, it will reportedly cost the city over $17 million to recover, upgrade, and improve its systems and processes.

During the course of this incident, and in its aftermath, Atlanta reached out to its partners for assistance. Together with experts, they’ve helped get systems back online, ensure that others didn’t go down as well, and make improvements that will increase security going forward.

The services affected by the ransomware attack in Atlanta—such as the systems that serve Atlanta’s courts—weren’t immediately life-or-death situations, but there have been other cases, such as the cyber-infection that afflicted the Baltimore 911 system the same week as the Atlanta incident, that could have affected citizens’ basic safety.

These two incidents get at the takeaway of a recent New America event: that the importance of cities lies in the fact that they’re our form of government closest to citizens—and that because of this, it’s crucial that they ensure the continuity of core services. At the event, I was joined by Karen Jackson, the former Virginia Secretary of Technology; Jacob Finn, the Policy Manager for Cybersecurity for Mayor Eric Garcetti of Los Angeles; and Michael Garcia, National Governors Association (NGA) Senior Policy Analyst, as we discussed ways to reduce cyber risk to cities, both by independent action and by working with federal, state, and private-sector partners.

Los Angeles is, in many ways, an exemplar of how cities might re-conceptualize cybersecurity. More specifically, it’s been one of the most forward-thinking cities in recent years, overhauling its cybersecurity program in 2012 to define cybersecurity as a “public function of city government,” Finn explained. “Just as citizens pay taxes for fire services, they should also receive cybersecurity as a function of government.”

To fulfill this mandate, Los Angeles has joined all of its city departments in the integrated strategic operations center (ISOC) to share threat intelligence and cooperate to protect citizens. It has also founded an innovative center, the LA Cyber Labs, which will be formed into a regional Information Security and Analysis Center (ISAO) that can share information with private sector organizations in the Los Angeles area as well. Both of these initiatives have been founded and built with federal dollars—the Urban Area Security Initiative (UASI) receives funding from FEMA and the Department of Homeland Security dollars for ISAO formation.

In addition, as both Finn and Garcia underscored, Los Angeles shares information with the state of California via the California Cybersecurity Integration Center (Cal-CSIC), an information-sharing program.

Crucially, the information harnessed through this local innovation isn’t necessarily confined to a single person or place—increasingly, organizations have sought to share this knowledge, in hopes that it might extend across states. The NGA, for instance, has been working with states on cybersecurity through the Center of Best Practices, where Garcia is based. “Although states so far have mostly been focused on getting their own houses in order, there are some states that are running some very innovative programs aimed at helping local governments,” Garcia said.

In particular, he highlighted three programs: Michigan’s Cyber Civilian Corps, which has 50 information security individuals deployed throughout the state to assist a public sector institution in case of a governor-declared emergency; Indiana, which is developing a risk-assessment tool for small, local governments with minimal staffing for IT or IT security; and Missouri’s public vulnerability disclosure program, which aims to contact local governments and private-sector institutions in Missouri about known vulnerabilities in their private-facing infrastructure.

These programs, and others like them, will be essential in the years ahead. “Ultimately, the citizen is in the local level. Their first touchpoint will probably be in the local entity,” Jackson said. “Given how interconnected networks are, the security of every stop on the chain from citizens on up is important. They each have to figure out how they respond when there is a problem and be proactive guarding their networks and that of their partners.”

Exercises are essential to this preparation. The federal government sponsors many such events every year and also provides resources to cities that are planning events themselves. Working through cyber or cyber-physical scenarios and implementing the best practices, though, lies in the cities themselves. Of course, this effort starts with workforce development, which is necessarily a local responsibility in cooperation with state government, but these programs can benefit greatly from utilizing federal and nonprofit resources.

“No city should feel that they are an island,” Jackson emphasized. “There are resources out there to help cities and organizations such as NASCIO that connect IT and security leaders to each other. The time to build those relationships is before an incident occurs.”