"Municipal Cybersecurity: More Work Needs to be done."
It's a research note on the state of cybersecurity at the local level, the research we've seen from the academy & practice, and what we think it's missing. Thread:
First: why do we care? Thanks to efforts like @brfreed at State Scoop, we know that state & local governments are being hammered by cyberattacks, notably ransomware (most famously in Baltimore and Atlanta, but also lots of school districts, public authorities, transit, etc.) 2/10
There hasn't been a lot of research on how to improve local cyber, & what's out there is telling–local govs are burdened by budget constraints, inattentive elected officials, & inability to adopt best practice. The research that does exist is largely descriptive&exploratory. 3/10
Professional associations, however, have really produced some fantastic work. @MeredithMWard and @BrunnerMaggie (at @NASCIO and @NatlGovsAssoc) authored a report on how states have been helping their local governments improve their cybersecurity. 4/10
While @ckmcfarland and others at @leagueofcities have produced two reports this year and last, one about what government officials need to know about cybersecurity, and one about state/local collaborations for cybersecurity. This is good, important work. 5/10
However, anyone who works in cities knows: cities are much more than their city govs. School districts, utilities, public hospitals, transportation agencies,etc. All "local governments," all seeing cyberattacks, but little attention is being paid to their interconnectedness. 6/10
We summarize the findings of these reports, & add additional activities that we think might be successful, like the collaborative approach to utilities' cybersecurity in CT, MA's grants for workforce and training at the MassCyberCenter, and reporting and training in NC, TX. 7/10
Finally, our 3 calls to action & research: 1) Researchers need to start doing systematic, causal research, moving beyond surveys and descriptions. We need to know what works for cities, how, and why. Action research, long-term studies, and comparative work are all needed. 8/10
2) States need to expand support for regional & multisectoral cooperation for cyber. Won't happen otherwise. 3) Private sector & the academy need to start developing tools that will work within the legal, ethical, political, and institutional constraints of local governments.9/10
Paper is available at: doi.org/10.1177/107808….
Please feel free to reach out/email if you don't have institutional access to the paper. We're excited to have this out into the world, and hope that practitioners and researchers alike can carry this call forward. 10/10
• • •
Missing some Tweet in this thread? You can try to
force a refresh