IT security and government services: Balancing transparency and security
Government information technology leaders find themselves at a challenging balance point: On one end of the scale are increasing threats from cyber actors, bolstered by advanced technology like artificial intelligence (AI); on the other end is a longstanding commitment to providing transparent services to residents via digital means, including access to public records, reports, meeting minutes, and more.
Over a third (34%) of state and local governments were hit by ransomware this year, according to Sophos. This leaves residents and communities at risk of exposure and exploitation, unless government agencies have a robust plan to protect against these threats. However, certain cybersecurity measures to fight these attacks, like additional layers of authentication, can increase friction as residents try to access government services.
Whether residents are accessing public records or leveraging self-service features, it is essential that local and state governments provide technology that enables agency and transparency. But this is only successful if that technology provides ease of access. Striking the right balance can be a challenge, but it’s necessary for state and local governments to be in lockstep around security and transparency initiatives – first by implementing the right security measures and then by communicating them clearly with their communities.
Why balancing security and transparency is more important than ever
As it stands, state and local governments are already at a significant risk of attack from cyber-extortionists. This year’s election season heightens that risk, with more state-sponsored actors focused on creating high-profile disruption campaigns and taking advantage of outdated voting systems and insufficient security measures.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued several warnings on the ways cyber threat actors are attempting to compromise election integrity, from Distributed Denial of Service (DDoS) attacks to the use of generative AI to alter images, clone speech and develop false narratives.
Residents rely on certain transparency measures from their governments to be informed, participate in community dialogue and be educated voters. Successful cyberattacks on state and local governments during a time as crucial as the election cycle can create significant reputational damage and loss of trust from residents when it is most important.
Strategies for ensuring security without sacrificing service
Cyber attackers have gotten creative in the past few years, but some of the longstanding threats to state and local governments are DDoS attacks, ransomware attacks, and malware. To avoid risk, government IT leaders need to focus on security practices, from the defenses they invest in, to the partners they use, to the people they employ.
For cyber defenses, government IT leaders should invest in website hosting services with Secure Sockets Layer (SSL) encryption and further enhance security with HTTP Strict Transport Security (HSTS). These measures ensure that all data exchanged via government sites is encrypted, protecting resident self-service features such as online voter registration, permit submissions, utility bill payments, and more. By enforcing HSTS, websites are also protected from protocol downgrade attacks and cookie hijacking, ensuring that all connections remain secure and reducing the risk of data interception. Other marks of a reliable website hosting solution provider include DDoS mitigation coverage and reliability around regular software patching and updates.
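An added example, not part of the original article: one way an IT team could check that a hosting provider actually delivers the HSTS and cookie protections described above, by auditing response headers captured from the site. The function names, the one-year minimum for max-age, and the sample headers are assumptions made for illustration.

```python
# Constructed sample responses (header name, value); not captured from a real site.
MIN_MAX_AGE = 31536000  # assumption: one year as the minimum acceptable policy lifetime
SAMPLE_WEAK = [("Strict-Transport-Security", "max-age=300"),
               ("Set-Cookie", "session=abc123; Path=/; HttpOnly")]
SAMPLE_GOOD = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
               ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")]

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit(scheme, headers):
    """Return a list of findings for one response fetched over `scheme`."""
    findings = []
    if scheme != "https":
        # Browsers ignore HSTS sent over plain HTTP (RFC 6797), so the only
        # acceptable answer to an http:// request is a redirect to HTTPS.
        location = {n.lower(): v for n, v in headers}.get("location", "")
        if not location.startswith("https://"):
            findings.append("http response does not redirect to https")
        return findings
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age, include_sub = parse_hsts(hsts[0])
        if max_age is None:
            findings.append("HSTS max-age missing or invalid")
        elif max_age < MIN_MAX_AGE:
            findings.append(f"HSTS max-age too short: {max_age}")
        if not include_sub:
            findings.append("HSTS lacks includeSubDomains")
    for n, v in headers:
        # A session cookie without Secure can still travel over plain HTTP.
        if n.lower() == "set-cookie":
            attrs = [a.strip().lower() for a in v.split(";")[1:]]
            if "secure" not in attrs:
                findings.append(f"cookie without Secure: {v.split('=')[0]}")
    return findings
```

Running audit over headers collected from each resident-facing site, and from each vendor-hosted portal, gives a repeatable check to include in regular security audits.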
For all digital partners, it’s essential to consider third-party risk. Some of the most valuable information residents should be able to access – meeting minutes, agendas, and other documents pertaining to local governing decisions – is hosted by document management vendors. To ensure this access is secure, each vendor must be vetted on its security capabilities, so that critical data is always protected, and hackers are not able to prevent access for residents or move laterally into government networks.
And as they look internally, government IT leaders must ensure that all staff are properly trained in cyber hygiene. Human error remains one of the leading causes of data breaches, making it critical for all employees to understand and follow cybersecurity best practices. Staff should have regular training on policies and expectations for secure digital practices, including the safe transmission of data, and use of interconnected systems. These practices can be bolstered by implementing measures like multifactor authentication and conducting regular security audits.
What to share with communities, and how to do it
A strong security posture will make all the difference in ensuring residents can trust state and local governments with their data – that they can trust them to offer reliable, secure access to public records. In fact, ensuring this access strengthens trust, as people who engage with their city’s website are often more trusting of their city.
To achieve this, however, state and local government leaders cannot rely on a “build-it-and-they-will-come” mentality. They need to communicate that these public records and resources are available in the first place, whether those are live streamed meetings, recorded videos, or self-service options. Promoting these materials via social media networks lets residents know they are free to access.
Then, it’s important to inform residents of the cybersecurity investments made around these resources. For residents looking for this reassurance, state and local governments should develop statements for their websites that clearly communicate the efforts they have taken to ensure website uptime 24/7, protect resident data, and develop incident response plans for a cyber event.
To go a step further, public education campaigns on phishing and misinformation provide an excellent way to engage the community on cybersecurity, especially in today’s election landscape. This not only allows government IT professionals to equip their residents with knowledge, but also to communicate the steps they have taken to protect their community with cyber defense measures.
Finding the equilibrium
For a community to successfully engage with state and local government, residents must be able to trust their government leaders. For state and local governments to provide essential, trust-building services, they must have the right security to uphold their online presence.
State and local governments will continue to grapple with rising cyberattacks, but with the right strategy, government IT leaders can defend their assets, while still retaining transparent, frictionless services to residents. In today’s digital-first world, a security-first mindset will be what separates a trusted government resource from an untrusted one.