How to Do Cybersecurity

While I’m glad that Tad McGalliard is highlighting the cybersecurity of state and local governments in his op-ed in the New York Times, I don’t believe that if everything he proposes is adopted it will change much:

First, local leaders must create a culture of cybersecurity that imagines worst-case scenarios and explores a range of solutions to mitigate threats to the ecosystem of local government technology. This should involve prioritizing funding for cybersecurity, establishing stronger cybersecurity policies and training employees in cybersecurity protocols. Success will require collaboration with local elected officials, internet-technology and cybersecurity staff members, department managers and end users.

Cybersecurity is more than just the I.T. department’s problem. It must now also be a top priority along the entire chain of elected and appointed officials in and around local governments. Preventing and mitigating the effects of future attacks will require intergovernmental cooperation, because localities work together across state lines and collaborate with the federal government on crucial tasks like running elections, managing transportation and sharing intelligence.

In my view the federal, state, and local governments are peculiarly ill-suited to deal with cybersecurity. Here are some of the things that must happen to make government computers and networks secure.

We must change how budgeting is done, particularly with respect to government computers. The complete lifecycle must be taken into account. Cybersecurity should be considered in ordinary maintenance. It costs as much as it costs. If you can’t afford to be secure, you can’t afford to computerize.

We must reform the civil service. Present civil service regulations mean that there are no consequences for failure to put appropriate policies into place and no consequences for failing to adhere to the policies. Yes, private companies experience security breaches, too. I guarantee you that the Boeing employee who caused the recent security breach there will experience consequences.

Some substitute for the profit motive must be found that is applicable to governments to incentivize process improvement. Good intentions are not enough. As Napoleon observed, the two great motivators are the fear of loss and the hope of gain.
