State and Local Governments’ Cybersecurity Challenges

Published July 1, 2024
by Dave Stenger

Each of the 50 states in America has a governing body, while the U.S. Census Bureau also identifies nearly 91,000 local government units. Both state and local governments share the responsibilities of protecting sensitive citizen data, earning citizens’ trust, and maintaining essential services. The cybersecurity threats faced by the public sector and the solutions required to combat them are uniquely unconventional.

Unique Cybersecurity Challenges

For State Governments

For the 10th consecutive year, the 2023 State CIO Survey conducted by the National Association of State Chief Information Officers ranks cybersecurity and risk management as the top priority for state CIOs. Top cybersecurity challenges for state government include:

  • Scale and Complexity: State governments manage extensive networks that store vast amounts of sensitive data across multiple departments. The complexity of these networks makes them high-value targets for cyber threats, including state-sponsored attacks and advanced persistent threats.
  • Resource Allocation: State government offices often have more substantial budgets compared to local governments, enabling them to invest in advanced cybersecurity technologies, training, and skilled personnel. However, states may face challenges in managing resources and allocating funds from federal grants due to the broad scope of state-level operations.
  • Interdepartmental and Interagency Coordination: With numerous departments and agencies, state governments face the challenge of ensuring all units are uniformly protected and security protocols are applied consistently. Complexities across multiple cloud networks, hybrid work schedules, or remote work environments can increase state systems’ vulnerabilities. More municipalities are rapidly adopting interconnected Internet of Things (IoT) devices. A lack of standardization among device manufacturers across departments makes systems challenging to monitor and update.
  • Compliance and Regulatory Requirements: States must comply with federally mandated regulations, including the Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standards (PCI DSS). To be compliant, robust cybersecurity measures are required by the state and third-party suppliers.

For Local Governments

Local governments often handle a smaller volume of data than state governments, but their services remain a critically high priority in citizens’ everyday lives. According to the Public Technology Institute’s (PTI) 2023 Local Government Cybersecurity National Survey, while cybersecurity is a significant concern for many cities and counties, nearly two-thirds of officials believe their budgets are too small to support their cyber programs adequately. Top cybersecurity challenges for local governments include:

  • Rising Cyber Threats: In the PTI’s survey, local government officials identified the growing sophistication of cyber threats as their foremost cybersecurity challenge. Cybercriminals are increasingly targeting local governments with ransomware attacks, which may lock essential services such as courts, hospitals, police departments, transportation, and schools. These attacks often involve ransom demands that can complicate the situation further. Local governments are responsible for the continuity of many essential services citizens rely on daily, so the immediate impacts of breaches and cyber incidents can be particularly disruptive.
  • Decentralized Infrastructure: Many local governments have decentralized operations without a unified approach to cybersecurity. This approach can lead to gaps in the security posture and challenges in implementing comprehensive cybersecurity measures.
  • Limited Budgets and Resources: Local governments often operate with more constrained budgets and fewer cybersecurity-specific resources compared to state governments. This can result in understaffed IT departments, inadequate cybersecurity training, outdated technologies, and a slower response to cyber threats.

Cybersecurity Solutions

For State Governments

  • Integrated Cybersecurity Frameworks: Implementing centralized cybersecurity frameworks such as NIST will help standardize security measures across all departments. This unified approach facilitates better management of resources and a cohesive response to threats.
  • Collaboration with Federal Agencies: To share information and enhance cyber resiliency capabilities, state cybersecurity officials benefit from collaborating with federal agencies, such as the FBI and the Department of Homeland Security’s Cybersecurity & Infrastructure Agency.
  • Advanced Threat Detection Systems: Investing in sophisticated threat detection and response systems mitigates the risks associated with complex network environments and high-value data targets.
  • Statewide Cybersecurity Training Programs: Developing comprehensive training programs for all state employees will increase overall cybersecurity awareness and readiness, reducing the risk of breaches caused by human error.

For Local Governments

  • Cybersecurity Awareness Training Programs: Comprehensive initiatives designed to educate government employees and the public about cybersecurity best practices to reduce the vulnerabilities that entice cybercriminals to strike. According to research by the Coalition of City CISOs, maintaining a culture of cybersecurity is one of the top five actions local government officials should take to improve cybersecurity.
  • Federal Grants: Fortunately, more federal grant funding is becoming available to help fill gaps in cybersecurity at the local level. The 2022 State and Local Government Cybersecurity Grant Program (SLCGP) provides $1 billion in funds over four years. States taking advantage of the program are sub-granting funds to local government partners. Some states pass all funds directly to local governments while most prefer a shared or hybrid model that addresses state initiatives while incorporating feedback to help meet cities’ and towns’ specific needs.
  • Shared Services and Collaboration: To help overcome resource limitations, local governments often participate in shared services agreements or form regional partnerships to access better cybersecurity solutions. Contracting third-party vendors to outsource cybersecurity solutions is an option for smaller governments with limited cybersecurity staffing or funding.
  • Targeted Ransomware Strategies: Developing specific strategies to combat ransomware, including regular data backups, segmentation of networks, and emergency response plans, is crucial for local governments.


Avoid Making Headlines on the Path Forward with RAMPxchange

Working with cybersecurity providers and consultants experienced with state and local governments’ unique challenges creates more effective policies and strategies. The RAMPxchange cybersecurity marketplace will help state and local government officials find proven, peer-reviewed providers with a strong commitment to cybersecurity excellence. From achieving StateRAMP certification to finding suppliers with previous government experience to outsourcing options to improve security posture on a limited budget, RAMPxchange helps the public sector find providers who meet their government’s cybersecurity needs. Reach out to a RAMPxchange representative to learn more and join today.