It is not a secret that the American people remain in danger of massive, crippling cyberattacks that could impact financial services, utilities, health care, and just about every other area of modern life.
What is not often discussed about the danger, however, is that one of the primary reasons that the United States, as a country, remains ill-prepared for fending off cyberattacks, is that decentralized State and Local government agencies, and not the centralized Federal government, run or oversee a tremendous portion of our critical infrastructure, yet, those same State and Local governments lag way behind their federal counterparts from a cybersecurity-readiness perspective.
The impact of cybersecurity failures at the State and Local level can be devastating.
Consider, for example, the potential history-changing impact of adding “people” to, or removing people from, voter registration databases – especially in an era in which people can vote by mail. Or the impact on national security of a hacker exploiting cyber-vulnerabilities to access driver-license systems and create phony IDs. Such risks are even more troubling when one considers that the federal government has taken all sorts of actions to remove various Chinese-made hardware from its various environments due to national security reasons, but State and Local governments have generally not followed suit.
In fact, there are far less glamorous examples of improperly-secured systems overseen or operated by State and Local governments – and such situations often pose even greater dangers than the ones mentioned earlier. Consider, for example, sewage processing systems. Wastewater management is certainly not a function of government that most people think about on a regular basis – and it is certainly not the primary focus of most discussions about crippling cyberattacks. The reality is, however, that properly processing wastewater is critical to maintaining human health as well as the health of animals and the environment in general, and the results of a cyberattack on sewage treatment facilities can be absolutely devastating.
Sewage contains not only human waste, but also all sorts of oils, soaps, chemicals, and small pieces of animals and plants left over from kitchen activities. If sewage is not properly treated, not only can viruses and bacteria within it infect large numbers of animals and humans, but chemicals within the wastewater can end up in the food supply – this includes not only potential carcinogens, but also medications that find their ways into plants and animals that are and ultimately consumed by humans. Additionally, organic matter within wastewater can wipe out fish populations by using up the life-sustaining dissolved oxygen in lakes and rivers.
Cyberattacks on sewage treatment plants can easily create dangerous situations for large numbers of people – and we have already seen such cyber-attacks on sewage processing facilities succeed, even when the attacks were opportunistic, and not even targeting wastewater processing.
Likewise, many transportation agencies have been deploying various technology-based systems to give management real-time visibility into the locations and conditions of public-transportation vehicles such as buses and trains, and to provide real-time instructions to the drivers and conductors of such vehicles. While such systems can clearly help public transport operators avoid hazardous situations or traffic congestion, hacker actions against such systems can potentially create catastrophes – potentially even fatal train accidents and car crashes. Even the ability of hackers to simply create traffic jams or otherwise disrupt transportation management systems could lead to deaths, injuries, and property damage by undermining the ability of emergency workers to efficiently reach people in need of urgent assistance. Of course, the risk from State and Local government impacts even the portions of our infrastructure that are overseen by the federal government or private companies operating on an interstate basis: consider our ATM and credit card networks, for example – how well can they function without the electrical power generated by utilities under State and Local supervision?
State and local governments face multiple fundamental challenges when it comes to implementing critically-needed cybersecurity: They often do not have adequate cybersecurity budgets – as the cost of cybersecurity has risen, and will continue to rise, far faster than the rate of inflation often used by lawmakers when establishing annual tax-revenue requirements. While the State and Local Cybersecurity Improvement Act authorizes the Federal government to help State and Local governments achieve greater levels of cybersecurity, far more funding is needed if we are going to get to where we need to be.
Additionally, even if they had larger budgets, State and Local entities face major challenges on at least two other fronts – even with various efforts in place to increase the number of students graduating from America’s colleges with cybersecurity degrees, there is a shortage of to begin with, and, various regulations often prevent government agencies from offering compensation packages that can compete with the private sector. Also, many State and Local government agencies continue to utilize antiquated systems that are either no longer supported by their creators or otherwise hard to secure – even more so when they are connected to the Internet with all sorts of “work arounds.” In the short term it is clear that State and Local governments need outside help – something that many agencies seem to have historically been averse to seeking.
Thankfully, the recent Infrastructure Investment and Jobs Act provides funding intended to assist State and Local governments ramp up their cybersecurity operations. If we want America to be prepared to defend itself against cyberattacks, we need all levels of government – and the operations that they supervise – to be ready. We can get there – if we stop ignoring obvious danger, and start acting accordingly.
This post is sponsored by Microsoft. To learn more about Microsoft solutions designed to help state and local government agencies engage citizens, deliver trusted and secure services, and build a resilient, sustainable future, please visit Government Solutions | Microsoft Industry.