New Hampshire Municipal Association

New Hampshire Town And City

Cybersecurity Best Practices for Municipalities

New Hampshire Town and City, July/August 2019

By Lisa N. Thompson

Data breaches and cybersecurity incidents like those involving large corporations such as Facebook and Marriott continued to make headlines in 2018. But cyberthreats are not limited to the private sector. One of the biggest cybersecurity stories to make the news last year involved the city of Atlanta, which sustained the largest cyberattack against a major U.S. city.

In March 2018, Atlanta was the victim of a remote ransomware attack in which anonymous hackers disabled online access, encrypted files, and demanded a $51,000 ransom, paid in bitcoin, in exchange for the decryption key to regain access to system files. City officials refused to pay the ransom, and recovery from the attack cost the city millions of dollars. The attack took many of the city’s services offline for nearly a week and disrupted services and critical functions. As fallout from the attack, years’ worth of bodycam and police dashcam videos were lost, the municipal court system could not access electronic records, Wi-Fi at Atlanta’s Hartsfield-Jackson International Airport was shut down, the city’s online bill payment system was disabled, and several departments, including the police, were forced to file reports on paper instead of electronically.

The rapid proliferation of mobile devices, apps and the Internet of Things (IoT) has impacted virtually every industry and facet of life, including local governments. Technological advances are transforming local governments of all sizes and locations, providing increased transparency and streamlined operations. The application of a wide range of digital and electronic innovations has improved efficiency of government services impacting all municipal employees, from clerks and tax assessors to firefighters and police officers. The Internet has made it possible to interconnect systems, people and digital devices, making various aspects of local government more efficient and accessible. Most municipalities now have websites which allow residents to interact with their local government online, and some even provide online billing systems which allow residents to pay property taxes, utilities or other city services online.

With the expansion of digital technologies such as mobile apps, sensors and IoT, municipalities are becoming “smarter”, allowing interconnection between systems, people and devices to improve infrastructure, efficiency and convenience for residents. Many municipalities are starting to invest in “smart” technology and increasingly, those that are not necessarily “smart cities” are evaluating how they can leverage technology to improve services and reduce costs.

A “smart” city is equipped with a number of electronic devices and equipment that collect information through the Internet allowing municipalities to become more electronically connected and data-driven. For example, sensors that monitor traffic can be used to automatically communicate with traffic lights. Adopting “smart” technologies is all about integrating digital solutions (e.g., collecting and using data) in order to optimize infrastructure, improve emergency response and public safety. Many municipalities already utilize systems that are Internet-connected such as law enforcement surveillance systems, traffic cameras, motion sensors for street lights, and waste management monitoring systems.

However, the benefits of technology can also bring disadvantages for municipalities. As local governments become more high-tech, using Internet-connected systems and offering more municipal services online, they increase their vulnerability to a cyberattack. When adopting smart technologies, where various municipal works are connected to a computer network or the Internet, municipalities often fail to ensure the technology is secure before implementation. Without proper security protocols, hackers can easily exploit municipal systems, taking control of computer servers and knocking out public services, from traffic lights to water quality.

Cyberattacks against municipalities are increasingly common and becoming more sophisticated and severe. Cybersecurity becomes more urgent as more local governments adopt new technologies and offer services that are integrated with online networks. Atlanta was not the only U.S. city to be hit by a cyberattack in 2018. Cities and towns across the country are being targeted by cybercriminals, nation-states, and hacktivists who seek the path of least resistance by exploiting vulnerabilities in municipal computer networks. In November, two Iranian citizens were indicted for the ransomware attack that paralyzed Atlanta. Prior to the 2016 presidential election, state-sponsored Russian hackers successfully penetrated election infrastructure of several U.S. states.

Local government networks are attractive targets for cybercriminals and particularly susceptible to cyberattacks mainly because of the vast amounts of sensitive data they possess and maintain about infrastructure and their residents, including property tax information, social security numbers, tax and voter records. In addition, by law, government must be transparent. While open government has made access to public records and information easier for citizens, it has also made it easier for cybercriminals to exploit public systems that contain sensitive information.

Because local governments maintain sensitive personally identifiable information, they have a fiduciary duty to safeguard that information. As large-scale data breaches continue to make headlines, local governments must make cybersecurity a priority. Any city or town, regardless of size, is at risk for a cyberattack. To keep pace with the constantly evolving threats and tactics of cybercriminals, municipalities must be proactive, not reactive, about cybersecurity.

Another reason municipalities are seen as prime targets by hackers is that, unlike private businesses, they are less prepared for an attack. Local governments typically have limited budgets for upgrading networks and security systems, often use outdated technology and may not have dedicated IT staff to implement organizational safeguards to protect against the ever-increasing risk of a cyberattack.

A 2016 survey on cybersecurity issues by the International City/County Management Association (ICMA), a professional organization for local government administrators, showed that local governments around the country are unprepared to respond to cyberthreats. The survey found that 70% of respondents had not developed a formal cybersecurity plan and only 34% had written incident response plans. The survey also found that 67% of respondents reported experiencing a cyberattack where their network security was compromised at least once a year. However, since a majority of respondents (54%) do not track how often their systems are attacked, these numbers are probably much higher. Perhaps most concerning is the high percentage of respondents that did not know how often they were attacked (27%) and experienced a breach (41%). The same survey found that 52% of respondents cited lack of funding as a barrier to achieving high levels of cybersecurity.

The smooth functioning of municipal services is crucial for local governments. In exchange for paying taxes, citizens expect local governments to provide a range of services such as public transportation, building/maintaining roads and infrastructure, supplying sanitation, supervising elections and operating libraries. However, as the cyberattack that shut down Atlanta’s servers illustrates, local governments are vulnerable, potentially leaving hundreds or thousands of residents without municipal services.

The potential impact of a cyberattack against local governments is considerable. As local governments expand the connectivity of computer systems and networks, they become more exposed to the increasingly sophisticated attacks that exploit software and systems vulnerabilities.

The reliance on computer systems by local governments means that critical infrastructure such as traffic management or sanitation systems are more exposed to attacks that could lead to large-scale service disruptions. Unless proactive steps are taken to implement a comprehensive cybersecurity program, municipalities will continue to be at risk. Creating a culture of cybersecurity awareness at all levels of local government is necessary to combat the evolving threat landscape.

Cyberattacks on local governments have become so commonplace that municipalities are being advised to disclose cybersecurity risks in municipal bond offering documents. According to S&P Global Ratings, a cyberattack could result in a lower municipal credit rating. While S&P has yet to downgrade municipal credit because of a cyberattack, analysts view cyberthreats as similar to natural disasters or other catastrophic events, where the duration and severity of the event could have a subsequent impact on credit rating. Much like disaster planning, analysts have begun questioning municipalities about their cybersecurity defenses and assessing their preparedness for a cyberattack or data breach.

For the most part, local governments can take steps to improve cybersecurity without spending a lot of money. While there are no overarching cybersecurity guidelines for local governments, there are numerous resources, programs and tools available for managing cyber risks. For example, the U.S. Department of Homeland Security (DHS) designated the Multi-State Information Sharing & Analysis Center (MS-ISAC) of the Center for Internet Security (CIS) as the central resource for state and local governments regarding cyberthreat prevention and recovery. It provides a centralized forum for information sharing and cybersecurity resources. There is no cost to be a member.

Additionally, the National Institute of Standards and Technology (“NIST”) has created a voluntary Cybersecurity Framework that consists of guidelines and recommended practices to manage data security risk. The NIST Resource Center is a valuable resource providing information on the best practices and security standards which municipalities can use to develop their comprehensive cybersecurity strategy.

With the cyberthreats against municipalities only increasing, local governments cannot be complacent. Planning for a cyberattack is no longer optional and it is critical that local governments understand how to assess, mitigate, and prepare for those risks. Cybersecurity encompasses processes, standards, technology and education to protect computers, networks and systems, including hardware, software and data, from a cyberattack or unauthorized access. There are numerous technologies that local governments can implement; however, the most effective way to defend against cyberattacks is a layered approach that combines people, processes and technology.

Every local government is unique. In order to effectively respond to a cyberattack, it must understand the different threats and the potential impact particular to its organization. A good starting point in preventing cyberattacks and developing a comprehensive municipal cybersecurity program is to establish a baseline understanding of all network and system vulnerabilities. Local governments cannot afford to view cybersecurity as solely an IT issue or a problem that can be solved by technology alone. Cybersecurity should be viewed as a shared responsibility across the entire organization and requires a top-down approach that must include the entire chain of appointed and elected officials in local government. Local officials must be aware of the responsibilities that they have to ensure the security of personal information and sensitive data they maintain.

Cybersecurity Assessment. The first step in improving cybersecurity is recognizing vulnerability. Most local governments do not have a complete picture of the security gaps in their systems and networks. To develop a cybersecurity program, municipalities must first conduct a comprehensive risk assessment across all departments, identifying potential risks, exposures and areas for improvement. If a municipality cannot identify its cyber vulnerabilities, it cannot expect to effectively defend against them. The risk assessment should identify the categories of risk that apply to the municipality's people, processes, systems, and vendors.

Local governments that do not assess their security weaknesses on a regular basis are most vulnerable. Oftentimes hardware, network equipment, software, and wi-fi access points are weak points. At a minimum, the assessment should identify the types of sensitive information that each department collects, where it is maintained, and who has access to that information within the organization. The assessment should also entail conducting an inventory of all hardware and software components to determine the types of hardware and software the organization is currently using and identifying any risks to data and existing hardware and software. In addition, before committing to new hardware, software or e-government program, local governments should ensure that all cybersecurity issues have been considered before implementation.

Once the risk assessment is finalized and potential vulnerabilities are identified, municipalities can create actionable and appropriate solutions to address weaknesses in their system and direct resources to shore up security. Local governments should use their assessment as a focal point to bring together stakeholders to develop a comprehensive cybersecurity strategy. In order for any cybersecurity initiative to be effective it must be integrated throughout all departments of an organization.

Preventing a Cybersecurity Breach

Cybercriminals target municipalities not only because of the valuable information they maintain, but because they are perceived as soft targets, often underfunded and unprepared. To be effective, cybersecurity risk mitigation requires both defensive and offensive strategies. While there is no one-size-fits-all approach that can prevent a cyberattack, there are several cost-effective strategies that municipalities can establish to manage cybersecurity risks. Below are a few best practices municipalities can implement to reduce the likelihood and potential damage of a cyberattack.

Password Management Policy. One of the most important steps a municipality can take to prevent a data breach is to establish and enforce a password management policy for all employees. Employees should create unique hard-to-guess passwords for each account, computer, mobile device or wireless network, with at least 10 characters, containing a mix of upper- and lower-case letters, numbers and symbols. The same or similar passwords should never be used for different accounts or applications and sharing of passwords should be prohibited. In addition, it is essential that all personal mobile devices that access municipal networks and systems be password protected. For added security, passwords should be changed regularly (e.g., every 60-90 days) and never repeated. Also, strict session timeouts should be imposed so that if a user leaves an account or application unattended for an extended period of time while logged in, the session will automatically time out and log the user off, requiring the user to re-enter their password to log back on. All local government computers and systems should have a lockout feature that automatically locks the user out after a certain number of successive incorrect password attempts.

Multi-Factor Authentication. Since passwords are easy to crack, a password alone is not enough to protect municipal networks and systems from being breached. Implementing multi-factor authentication is an easy way to keep municipal networks secure. Multi-factor authentication is a security enhancement that requires a user to supply additional information besides just a username and password before being allowed to log in to an account or gain access to a network or system. Even if a password is cracked or stolen, access is thwarted because of multi-factor authentication. In order for the authentication to be complete, a user must enter their login/password and then, when prompted, provide a passcode or security code, usually a temporary code sent by email or text (it can also be a fingerprint), to gain access. Multi-factor authentication is highly recommended whenever employees request remote access to municipal networks and systems. While many apps and programs such as Office 365 already support multi-factor authentication, it is important not to overlook other critical software programs that are used by various departments. Local governments can install multi-factor authentication apps such as Authy, Google Authenticator, or Salesforce Authenticator, or hire a third-party vendor such as Duo Security or PingID that offers cloud-based multi-factor authentication services.

Encryption. Local governments are tasked with safeguarding sensitive government data and personal information. Many employees routinely use laptops, USB drives and mobile devices to store and transmit sensitive data through e-mail, instant messaging, and other forms of digital communication. Lost or stolen laptops, USB drives and mobile devices that contain unencrypted data are a main cause of data breaches. While a password can prevent someone from logging into a lost or stolen laptop or mobile device, other means can be used to access and copy stored files and data. Encryption is an easy way to safeguard against unauthorized access to confidential data when a laptop, USB drive or mobile device is lost or stolen or when a message is intercepted by a third party. Encryption is a vital security control for local governments and should be enabled on all municipal computer systems, USB drives, files stored in the cloud, laptops and mobile devices. Encryption converts readable text, documents, or other data into unreadable, scrambled code that can only be read by those authorized to access it with a password or security key. When developing a cybersecurity strategy, local governments should consider encryption to protect sensitive data. Data stored on hard drives, laptops, mobile devices, servers, USB drives and in the cloud, known as “data at rest,” can be a vulnerable target for hackers. Local governments should consider what is called “full-disk” encryption, which can be used to encrypt data at rest. Full-disk encryption protects data if a laptop, USB drive or mobile device is lost or stolen. Most newer desktop computers, laptops and mobile devices come with operating systems that offer ways to fully encrypt stored data. For example, both Apple and Microsoft offer built-in encryption software which allows for full encryption of an entire drive. Apple’s operating system for desktop and laptop computers, Mac OS X, comes standard with FileVault, and BitLocker is included with Microsoft Windows 10 Professional. Some operating systems have encryption enabled by default and others require users to enable encryption on an individual file, directory or drive basis. In addition, there are third-party cloud-based, hardware and software encryption solutions that can be used throughout an organization on servers, desktop computers, laptops and mobile devices.

Stay Current with Updates. Routinely installing security updates as soon as they are released is an essential component of any cybersecurity program and can greatly improve a municipality's cyber resilience. Local governments that do not regularly install security patches and software updates on all devices, hardware and applications (e.g., antivirus software, browsers, desktop computers, laptops, mobile devices, operating systems, printers, routers, etc.) are vulnerable to attack. For example, the cyberattack that hobbled Atlanta was due to the exploitation of a system that had not been updated. It only takes a single computer or device that has not been updated or patched for a local government's entire network to be compromised. Much like how thieves check for unlocked windows or doors to break into a house, cybercriminals are constantly scanning for security vulnerabilities to exploit so that they can gain access to critical systems that have valuable data. Local governments should prioritize raising awareness about the importance of installing updates and require all employees that have access to municipal networks and systems to regularly update all personal devices and apps as soon as updates are available. In addition, software that is no longer supported with updates and security patches presents weaknesses that can be easily exploited and should be disabled or deleted (e.g., Windows XP, Internet Explorer versions 10 and older).

Education and Training. Protecting local government networks from cyberattacks requires more than technological solutions. When it comes to cyberattacks, studies show that one of the biggest risks in any organization is its own employees. Cybercriminals often specifically target employees with phishing emails designed to get them to release sensitive information or click a malicious link. However, when they receive regular training on cybersecurity best practices and potential scams, employees can also be the first line of defense. Too often cybersecurity strategies focus on preventing external threats without addressing internal threats. The cornerstone of any comprehensive cybersecurity strategy is training.

According to Verizon’s 2018 Data Breach Investigations Report, ransomware is used in nearly 40% of all cyberattacks. Ransomware is malicious software designed to encrypt data on affected systems, blocking access to computer files unless a ransom is paid. However, ransomware and other cybersecurity incidents can be avoided through regular cybersecurity training, security assessments and strong security policies.

It is imperative for local governments to implement comprehensive security awareness training and testing for all employees (including contractors, appointed and elected officials, and interns) and anyone who interacts with its networks and systems. Effectively training all municipal employees on cybersecurity issues is an essential component of any comprehensive cybersecurity program and should, at a minimum, include educating employees on how to recognize risks and potential cyberthreats such as phishing scams, malware and ransomware. Local governments should also consider creating training manuals for employees. Regularly educating employees on the risks of downloading attachments from unknown sources, using insecure networks, sharing passwords and social engineering can greatly reduce the threat of a cyberattack. Since cyberthreats are constantly evolving, creating a culture of awareness requires ongoing education and training and is not something that can be done just once. Continuing cybersecurity education should be mandatory for all municipal employees throughout the duration of their employment.

Backing Up Data. A backup of municipal networks and systems is the best way to avoid data loss and can be invaluable if a catastrophic event such as a ransomware attack, fire, theft, natural disaster, server crash, or user error occurs. In fact, one of the easiest ways municipalities can protect their networks from ransomware includes keeping regular backups of their systems offsite. Regular backups are one of the easiest and least expensive cybersecurity precautions that a local government can take to mitigate the risks of an incident involving data loss. A backup is a stored copy of important municipal data and systems, which can be recovered if the original data is lost or corrupted.

Local governments should ensure that all important data and systems are routinely backed up. Backups should be encrypted so that they are protected from ransomware. Local governments should maintain their backup at a secure off-site location and make sure to back up all data that is stored in the cloud as well. Also, just as important as the backup itself is the periodic testing of backups to ensure that data can be restored. Backup systems can be stored on-premises using an external hard drive or flash drive, or off-site using a cloud provider. Having one backup copy is not sufficient – to be safe it is advised to enable two backup options with at least one copy off-site or on a different server in case of an on-premises disaster or outage. It is important to note that while most local governments regularly back up their systems, employees are less likely to back up their local drives or mobile devices. To prevent the loss of data in the event of a cyberattack, local governments should require employees that use mobile devices such as smartphones, tablets and laptops to routinely perform full backups of both data and program files.

Cybersecurity Policies and Procedures. Cybercriminals exploit both human and technical weaknesses. To manage those risks, local governments should consider developing written cybersecurity policies and procedures for all employees to follow. In addition, all cybersecurity policies should be shared with everyone with access to municipal systems and networks to ensure that they are adopted and followed. Developing an effective cybersecurity policy requires proactive planning by all municipal departments, identifying risks and explaining roles and responsibilities. When developing their cybersecurity policies, municipalities should consider adopting the NIST cybersecurity framework. The framework proposes a common set of best practices and risk management principles that can be applied across a broad range of organizations. Documented policies provide the foundation for effective governance of any cybersecurity program and provide clear guidelines and processes. It is important to establish and enforce data security policies and procedures that address acceptable use of email, file sharing, the Internet, laptops, remote access and social media. Since employees increasingly use their personal mobile devices for work, it is important to have a mobile device policy to protect municipal networks and systems. Another way local governments can improve cybersecurity is by having an access management policy, granting access to confidential data and critical IT systems only to those employees who need it to fulfill their job responsibilities. It is important to keep in mind that as technology and cyberthreats change, security policies and training should be updated on an annual basis. Also, local governments should periodically review their policies to ensure compliance with all applicable laws and regulations.

Vendor Management. Many smaller municipalities often outsource functions and rely on third-party service providers and other vendors for a range of services such as credit card processing and payroll services. To combat cybersecurity threats local governments must conduct adequate due diligence and risk management assessments on all third-party vendors that have access to any confidential data and that interact with municipal networks and systems, verifying that they are capable of complying with all relevant data security laws. This can easily be accomplished by having vendors complete a comprehensive due diligence questionnaire. In addition, municipalities should require all vendors to provide security documentation. Furthermore, municipalities should impose contractual obligations on vendors, requiring up-to-date on-time patching of vulnerabilities, prompt reporting of potential cyber incidents, cooperation in investigating an incident and preserving relevant evidence, etc. As part of their ongoing third-party due diligence, local governments should evaluate vendors for compliance and risk on an annual basis. To effectively manage vendor risk, local governments should consider creating a vendor database to collect and store due diligence information, risk ratings, and monitoring information. The database could also include current and past versions of contracts as well as exceptions to vendor policies and procedures. By constantly maintaining and updating vendor records, municipalities can further minimize their cybersecurity risks.

Incident Response Planning. A common refrain in the cybersecurity industry is “it’s not if, but when” a cyberattack will occur. Just as local governments routinely prepare plans for the continuity of operations in the event of a natural disaster, they must also prepare plans to restore critical computer systems and networks as quickly as possible in the event of a cyberattack. The time to develop an incident response plan is not in the wake of a cyberattack. Prior to a cyberattack, local governments must proactively develop a comprehensive written incident response plan. Only with a documented incident response plan can consistent action and mitigation measures be taken. An incident response plan is a set of procedures designed to identify, investigate and respond to a cyberattack in a way that reduces the impact and allows the municipality to return to normal operations as quickly and efficiently as possible. Local governments should consider using resources like the NIST cybersecurity framework when developing an incident response plan. An effective incident response plan should include a step-by-step plan to determine the nature and extent of the incident, specifying the actions to be taken and identifying the roles of key employees, vendors, and other stakeholders for each step in the plan.

Every local government relies on critical services and communication systems that would significantly impact its ability to function if compromised. Communication is crucial during any disaster or emergency, including a cyberattack. In the event of a cyberattack that knocks out municipal servers, electronic communications such as email, instant messaging, and texting may be shut down, potentially impacting the delivery of critical public safety services such as emergency medical personnel, fire and police, which rely on access to computer systems and networks to communicate. Local governments need to be prepared to communicate using different forms of communication during a cyberattack. It is critical that, as part of their incident response planning, local governments include procedures on how the organization will communicate and coordinate after a cyberattack, including how to inform residents which services may be impacted.

Cyber Insurance. As cyberattacks become more sophisticated, despite preparation and employee training, municipal computers and networks can still be compromised by an unforeseen vulnerability. However, one way that municipalities can offset some of the risks and limit their exposure is through cyber liability or cybersecurity insurance. Local and state governments across the country are purchasing cyber insurance policies to cover losses resulting from a cyberattack. It is important to note that cyber insurance is intended to complement, not replace, a municipal cybersecurity program. Furthermore, cyber insurance will not remove the threat of a cyberattack, but it can help cover the costs arising from a cyberattack, including breach notification, regulatory fines, forensics, legal fees, and other expenses. Policies vary, but cyber insurance can also cover the cost of restoring data affected by a cyberattack and legal liabilities such as the cost of claims made against the municipality for failing to protect personal data. Insurance companies that offer cyber insurance often perform evaluations of an organization's security practices and policies to determine whether adequate procedures are in place to mitigate potential cyberattacks. Local governments that do not meet certain standards can expect to pay higher premiums for a cyber insurance policy; premiums are higher for municipalities that have not implemented safeguards to protect themselves from cyberattack. It is critical that municipalities assess what their cyber insurance policy actually covers. As with other types of insurance, cyber policies often contain a variety of exclusions buried in the policy that can limit coverage. Common exclusions to be aware of include outdated software, unencrypted data and devices, certain types of social engineering scams, and acts of foreign governments. Furthermore, when selecting an insurance policy, local governments should carefully consider whether all contractual conditions of the policy are fulfilled, or the insurer will attempt to rescind coverage or deny claims in the event of a cyber incident. Lastly, as cyberattacks continue to evolve, local governments should periodically assess their specific exposure to threats to determine whether the amount and scope of their cyber insurance policy is sufficient to cover losses resulting from a cyberattack.

Cybersecurity is a critical issue for all municipalities regardless of size or location. While many local governments may cite lack of funds or resources for not being cyber resilient, as discussed above, many security measures are simple and low-cost, such as having a password policy, keeping software, browsers and operating systems updated, and providing on-going staff training and education to prevent cyberattacks.

As local governments leverage new technologies, it is critical to understand not only the new security risks that go with them but the growing cybersecurity challenges as well. Cybersecurity is a permanent state of vigilance and is not something that local governments can achieve with a “one and done” approach. As cyberattacks on local governments become more commonplace, municipalities should view cybersecurity as the new normal. Just as the technologies used to provide municipal services evolve, the threat of cyberattacks is constantly evolving. Municipalities must continuously update their defenses, staying aware of current cyberthreat trends.

Lisa N. Thompson is chair of the New Hampshire Bar Association Intellectual Property Section and an attorney with Hage Hodes, PA in Manchester. Her practice focuses primarily on business and intellectual property matters. She can be reached at Lthompson@hagehodes.com
