Cyber security in
the government
sector: The role
of state and local
governments

A quick scan of the significant cyber incidents of 2021 could give the impression that cyber security in the government sector is only a concern for the federal government, due to references to federal agencies or because cyber attacks seemingly only originate overseas. Yet this would be misleading—Barracuda Networks research indicates that 44% of global ransomware attacks in 2020 targeted municipalities. Public sector cyber security is very much a concern for state and local governments, with experts describing them as "under siege."

A 2020 International City/County Management Association (ICMA) report on local government cyber security identified five key reasons these governments are targeted:

1. Number of local governments: There are 90,075 different local governments in the US, making it harder to produce and implement a unified public sector cyber security strategy.
2. Holders of sensitive information: Local and state governments store considerable amounts of sensitive personal information, such as names, addresses, driver's license numbers, credit card numbers, Social Security numbers and medical information. In addition, they store contractual, billing and financial information of the governments themselves. Obtaining personal information is a particular priority for cyber criminals using ransomware.
3. Inadequate cyber security: The ICMA report found that local government systems usually aren't well defended, particularly in relation to federal government systems. The Institute for Security and Technology's report on combating ransomware recommends addressing this imbalance in cyber security in the government sector.
4. Financial constraints: According to the global study of cybersecurity professionals by the Information Systems Security Association (ISSA) and Enterprise Strategy Group (ESG), which surveyed over 500 cybersecurity professionals, it was reported by organizations that, “More than three-quarters said it was extremely or somewhat difficult to recruit and hire security professionals, but 38% said their organisation doesn't offer competitive compensation, while 29% said their HR department doesn't understand the skills needed for cybersecurity and 25% said that job postings at their organisation tended to be unrealistic.”
5. Use of Internet of Things (IoT) technology: Local governments have adopted many of the benefits of IoT and smart cities technology by deploying internet-connected devices to provide, monitor or manage services such as traffic lights, water meter reading, security cameras and solid waste collection. While these services benefit citizens, they also introduce new vulnerabilities and risks for local governments.

According to the Verizon 2021 Data Breach Investigations Report (DBIR), the public sector had the second most attacks after the entertainment industry. The 15th anniversary edition of the DBIR is available May 24th, 2022, sign up here. 

Notably, the report treats education and healthcare as different sectors, some of which are also government operated. Examples of recent state and local public sector cyber security attacks include:

• Some state and local government networks were compromised prior to U.S. Election Day in 2020.
• At least 2,323 local governments, schools and healthcare providers were affected by ransomware in 2021.
• The Baltimore County Public Schools system was shut down by a ransomware attack that hit all its network systems, prompting two days of class cancellations for 115,000 students.
• Police and fire department systems were offline following cyber attacks across the country, including in Massachusetts, California and Washington, D.C.
• In Virginia, a ransomware attack shut down some of the Hampton Roads Sanitation District's business information systems.

According to the 2021 DBIR, social engineering is the most common attack method in relation to cyber security in the government sector.  In the 2021 DBIR, over 69% of breaches were due to social engineering, with phishing emails the most prominent vector. The report found that the public sector is particularly vulnerable to attackers who can craft a credible phishing email. Public sector attackers were overwhelmingly interested in obtaining credentials, with 80% of incidents attempting to steal logins and passwords that would further the attacker's presence in the intended victim's network and systems.

After phishing, miscellaneous errors placed a distant second as a cause of public sector cyber security incidents. Those errors consisted of misconfiguration and misdelivered emails and paper documents. Other critical threats to cyber security in the government sector include state-sponsored cyber attacks and improper internal usage of systems.

For the latest statistics and findings, download the 2022 DBIR here. 

According to a 2021 Fastly report, about 45% of cyber security alerts are false positives. This can create an issue for public safety, as it's difficult to determine the difference between malicious and benign behavior. These alerts could also prompt false alarms, such as the cyber equivalent of the Hawaii missile alert, when in reality they may simply be a system or human failure.

Here are some tips on how to mitigate the number of false positives when it comes to cyber security in the government sector:

1. Review each alert rule with as many eyes as possible, preferably security experts.
2. Silently test rules whenever possible.
3. Adapt alerts to handle special situations where abnormal traffic is expected.
4. Modify alerts when false positives arise.
5. Be as specific as possible with alerts, minimizing "any/any" type rules.
6. Automate incident detection and response with artificial intelligence (AI).
7. Be proactive with threat hunting as opposed to relying on known signatures.