In November of last year, leaders from across the country met in San Antonio for the National League of Cities’ City Summit to learn from one another and exchange ideas on the issues affecting their cities. Of those issues, cybersecurity was one of the biggest on leaders’ minds. It is not difficult to understand why: from maintaining voter rolls to directing traffic and fielding 911 calls, almost every civic function of today’s modern city is facilitated, housed, or carried out on digital systems.
When these systems are compromised, the real-world effects can be devastating. This year alone saw dozens of government agency servers in multiple states and localities forced temporarily offline because of ransomware attacks – from city halls and school districts to state departments of motor vehicles and health and human services. Not only are these attacks costly – in the time and energy of responding IT staff, in downtime, in paid ransoms, and more – but the hit to constituent confidence in their local government can be equally steep.
As the nation’s risk advisor and lead civilian agency charged with safeguarding the nation’s cyberspace, we at the Cybersecurity and Infrastructure Security Agency (CISA) engage with leaders such as yourselves, sharing our expertise to support you in your efforts to secure your municipal cyberspace and ensure the integrity and reliability of your services. Having an effective cybersecurity strategy requires more than simply an awareness of tactics; it also requires a new way of thinking. Just as officials would prepare their city for a severe weather event, cyber risks should be treated with planning, capacity building, investment, and a holistic risk management approach.
The challenge is that unlike boarding up windows and filling sandbags to limit physical damage from a storm surge, the essential practices for limiting damage from cyber risks are less obvious. We often hear, “Where do I start?” In response to this question, we published our answer: the CISA Cyber Essentials.
As leaders, the continued success and security of your cities depends on you – and that increasingly involves making decisions that affect your city’s cyber readiness. The shift toward greater cyber readiness is cultural as much as it is tactical. This shift can be especially challenging for elected leaders and public officials without IT backgrounds or the resources to hire outside experts. CISA designed the Cyber Essentials to address this challenge directly by providing a leadership-driven guide aimed at helping leaders understand and facilitate conversations with IT personnel for building a Culture of Cyber Readiness from the ground up.
CISA collaborated with local government agencies and small businesses to shape our expertise and years of experience helping to secure civilian Federal networks into six Essential Elements of forming a Culture of Cyber Readiness:
- Yourself (the leader);
- Your Staff (the users);
- Your Systems (what makes you operational);
- Your Surroundings (the digital workplace);
- Your Data (what your organization is built on);
- Your Actions Under Stress (the strategy for responding to and recovering from compromise).
When converted into specific actions for building up each element of the Culture of Cyber Readiness, these become:
- Drive cybersecurity strategy, investment, and culture (Yourself);
- Develop security awareness and vigilance (Your Staff);
- Protect critical assets and applications (Your Systems);
- Ensure only those who belong on your digital workplace have access (Your Surroundings);
- Make backups and avoid the loss of information critical to operations (Your Data); and
- Limit damage and quicken restoration of normal operations (Your Actions Under Stress).
Together with the implementation steps listed for each Essential Element, these constitute the basics of thinking about and preparing for cyber risks.
CISA intends for this to be the first of many Cyber Essentials product releases. In the coming months, we will be developing a toolkit that provides users with additional detail on each Essential and links them to helpful resources for implementation. We will also continue to partner with organizations like the National League of Cities to get the word out about the Cyber Essentials and to collaborate in developing the toolkit.
Finally, CISA recognizes that fully realizing a Culture of Cyber Readiness will look different for each organization based on its unique requirements, resources, and mission. Because of this, we encourage you to make the Cyber Essentials your own, and even to collaborate with your peers to develop customized implementation toolkits specific to your industry or agency type that we can then link to and share on a national level.
We are excited for you to join us in raising the bar in cybersecurity across all levels of government. To learn more about the Cyber Essentials, visit www.CISA.gov/Cyber-Essentials.
About the Author: Bradford Willke serves as the Assistant Director (Acting) for Stakeholder Engagement, Cybersecurity and Infrastructure Security Agency (CISA). He leads the Agency’s strategic relationship formation and management for its stakeholders, partners, and customers. His team provides a “front door” to customers looking for CISA’s capacity-building and risk-reducing products and services, and his programs convene industry, state and local government, academic, and non-profit partners to channel common goals and objectives into meaningful community-of-interest outcomes to manage national risk.