By Bradford Willke, Thursday December 12th, 2019
From maintaining voter rolls to directing traffic and fielding 911 calls, almost every civic function of today’s modern city is facilitated, housed, or carried out on digital systems. When these systems are compromised, the real-world effects can be devastating.
This year alone saw dozens of government agency servers in multiple states and localities forced temporarily offline because of ransomware attacks – from city halls and school districts to state departments of motor vehicles and health and human services. Not only are these attacks costly (e.g., the cost in time and energy of responding IT staff, downtime costs, or the cost of paid ransoms), but the hit to constituent confidence in their local government can be equally steep.
As the nation’s risk advisor and lead civilian agency charged with safeguarding the nation’s cyberspace, we at the Cybersecurity and Infrastructure Security Agency (CISA) engage with leaders of cities, sharing our expertise to support their efforts to secure their municipal cyberspace and ensure the integrity and reliability of their services. But having an effective cybersecurity strategy requires more than simply an awareness of tactics; it also requires a new way of thinking. Just as officials would prepare their city for a severe weather event, they should treat cyber risks with the same planning, capacity building, investment, and holistic risk management approach.
The challenge is that unlike boarding up windows and filling sandbags to limit physical damage from a storm surge, the essential practices for limiting damage from cyber risks are less obvious. We often hear, “Where do I start?” In response, this past November we published our answer: the CISA Cyber Essentials.
The continued success and security of America’s cities depends on their leaders making decisions that affect their city’s cyber readiness. The shift toward greater cyber readiness is cultural as much as it is tactical. This shift can be especially challenging for elected leaders and public officials without IT backgrounds or the resources to hire outside experts. CISA designed the Cyber Essentials to address this challenge directly by providing a leadership-driven guide aimed at helping leaders understand and facilitate conversations with IT personnel for building a Culture of Cyber Readiness from the ground up.
CISA collaborated with local government agencies and small businesses to shape our expertise and years of experience helping to secure civilian Federal networks into six Essential Elements of forming a Culture of Cyber Readiness:
- Yourself (the leader);
- Your Staff (the users);
- Your Systems (what makes you operational);
- Your Surroundings (the digital workplace);
- Your Data (what your organization is built on);
- Your Actions Under Stress (the strategy for responding to and recovering from compromise).
When converted into specific actions for building up each element of the Culture of Cyber Readiness, these become:
- Drive cybersecurity strategy, investment, and culture (Yourself);
- Develop security awareness and vigilance (Your Staff);
- Protect critical assets and applications (Your Systems);
- Ensure only those who belong on your digital workplace have access (Your Surroundings);
- Make backups and avoid the loss of information critical to operations (Your Data); and
- Limit damage and quicken restoration of normal operations (Your Actions Under Stress).
Together with the implementation steps listed for each Essential Element, these constitute the basics of thinking about and preparing for cyber risks.
CISA intends for this to be the first of many Cyber Essentials product releases. In the coming months, we will be developing a toolkit that provides users with additional detail on each Essential and links them to helpful resources for implementation. We will also continue to engage with partner organizations to get the word out about the Cyber Essentials and to have them collaborate with us in developing the toolkit.
Finally, CISA recognizes that fully realizing a Culture of Cyber Readiness will look different for each organization based on its unique requirements, resources, and missions. Because of this, we encourage everyone to make the Cyber Essentials their own, and even collaborate with peer organizations to develop customized implementation toolkits specific to their industry or agency type that we can then link to and share at a national level.
We are excited for you to join us in raising the bar in cybersecurity across all levels of government. To learn more about the Cyber Essentials, visit www.CISA.gov/Cyber-Essentials.