Government Technology


Special Report: Cybersecurity Handbook for Cities and Counties



December 10, 2012

This report is based on the activities of the Digital Communities program, a network of public- and private-sector IT professionals who are working to improve local governments’ delivery of public service through the use of digital technology. The program — a partnership between Government Technology and e.Republic’s Center for Digital Government — consists of task forces that meet online and in person to exchange information on important issues facing local government IT professionals.

More than 1,000 government and industry members participate in Digital Communities task forces focused on digital infrastructure, law enforcement and big city/county leadership. The Digital Communities program also conducts the annual Digital Cities and Digital Counties surveys, which track technology trends and identify and promote best practices in local government.

Digital Communities quarterly reports appear in Government Technology magazine in March, June, September and December.


Anyone responsible for the security of city or county information systems has reason for concern. Not only are hackers accelerating their attacks, but nations — including the United States, according to a recent New York Times article — also are joining in with new, well-bankrolled attacks so sophisticated that it can take years to spot them. It is almost routine now to read of attacks that expose Social Security numbers, passwords, credit card information, medical records and more.

Even banks, supposedly the gold standard for IT security, have been hacked, and in one exploit — called Operation High Roller — a coordinated cyberattack against 60 different banks netted hackers some $78 million. Chiming in to the growing discord are “hacktivist” groups determined to make political or social points by attacking their opponents. What was once seen as a somewhat benign activity of young nerds has become much more serious.


Photo: Hackers and security researchers once mixed amiably at the annual DefCon hacker conference, but things are becoming more serious.


“The first 20 years in the war between hackers and security defenders was pretty laid back for both sides,” said Kevin Poulsen in a 2009 Wired magazine article. “The hackers were tricky, sometimes even ingenious, but rarely organized. A wealthy anti-virus industry rose on the simple countermeasure of checking computer files for signatures of known attacks. Hackers and security researchers mixed amiably at DefCon [a hacker conference] every year, seamlessly switching sides without anyone really caring. From now on, it’s serious,” he warned. “In the future, there won’t be many amateurs.”

Poulsen — who served prison time for hacking and is now news editor for Wired.com — knows what he’s talking about. Attacks have become more sophisticated and numerous, creating real economic damage as Americans spend more time and money online. Consumer Reports said that in 2010, malware cost Americans $2.3 billion, and globally the annual price tag of consumer cybercrime is $110 billion, according to the 2012 Norton Cybercrime Report.

The threats have accelerated, and costs have spiked just as cities and counties struggle to emerge from the recession in which budgets were cut, IT staff slashed and new hiring virtually stopped. Chief information security officers are in short supply and only some larger jurisdictions can afford them, leaving information systems vulnerable.

But it’s not just smaller jurisdictions that are having trouble. When Eastern European hackers broke a weak password and grabbed 800,000 records from the Utah Department of Health, the state’s highly regarded CIO took the fall. Utah Gov. Gary Herbert said hackers mounted 1 million attacks per day on the state’s IT systems prior to the breach.

And according to a 2011 report from the U.S. Government Accountability Office, “Weaknesses in information security policies and practices at 24 major federal agencies continue to place the confidentiality, integrity and availability of sensitive information and information systems at risk. Consistent with this risk, reports of security incidents from federal agencies are on the rise, increasing 650 percent over the past five years.”

Is there an end in sight? Will someone create a solution that will solve the problem and give everyone some much-needed relief? Not according to security experts. Some, including Internet pioneer Vint Cerf, have suggested that security might improve with better authentication, although that may compromise privacy, while others see only a continual escalation of attack and defense.

In 2009, for example, Columbia University computer science Professor Steven Bellovin said, “The odds on anyone ... finding a magic solution to the computer security problems are exactly zero. Most of the problems we have are due to buggy code, and there’s no single cause or solution to that.”

In a recent interview with Government Technology, Bellovin — who is now the Federal Trade Commission’s chief technologist, but spoke for himself and not the FTC — said his viewpoint remains the same: The complexity of millions of lines of computer code is too difficult a problem to have a single solution. “I think we need to build systems with different architectures, ones that are designed under the realization that there will be security failures,” Bellovin said. “Authentication won’t do it. In most breaches, the bad guys go around the strong authentication, not through it. My own working philosophy is that programs will have security bugs — then what?”

By these accounts, it appears we are condemned to an eternity of infuriating, expensive and seemingly intractable cybersecurity attacks. Fortunately, however, there are things that can be done to improve security and prevent most — if not all — attacks. It’s similar to health, said several experts. No one can guarantee perfect health, but specific steps can be taken now to prevent the majority of illnesses and improve health while science works to eliminate disease. And that’s the practical approach to security advocated by many experts interviewed for this special section.

