Reducing Cyber Risk in Local Government with the Cloud

Don’t stress over modernization. Aging tools and unsound practices that make local governments more vulnerable to cyber events pose a greater challenge.

As local governments prepare for a post-COVID environment, they cannot ignore the cost, speed, and agility advantages of the cloud.

There is an innate resistance to relying on cloud technologies that host critical data off-site. Stakeholders must be persuaded and employees must learn new skills. But with cyber risks rising, government technology leaders need to think about moving some workloads to the cloud.

A CDG survey of technology leaders found that 61 percent of respondents faced increased cyber threats since the start of the COVID-19 pandemic. A scant three percent of respondents were “very confident” in their ability to respond to cybersecurity risks.

The respondents’ top three challenges were aging, vulnerable technologies; lack of proper employee training; and low budget prioritization of cybersecurity. Human error was the most common cyber risk, followed by social engineering events (which take advantage of people’s bad habits), and compromised accounts/credentials.

These data points highlight the pervasiveness of cyber threats and the difficulties mid-sized governments face in confronting them.

Strengthening security in local governments starts with keeping critical applications available in a cyber event or a public emergency (like a natural disaster).

Cloud services promise speed, flexibility, and economy when deployed strategically. During the pandemic, local governments started using streaming applications to enable work-from-home capability. These apps were written to provide the same security as a virtual private network (VPN) on any device without the hassles of implementing VPN.

This level of speed and flexibility requires local governments to shift their perspective away from controlling everything in their IT sphere. The pandemic made agencies cede some of their control to cloud providers and software as a service (SaaS) companies, giving governments the freedom to try new things quickly in an emergency.

Local governments also are using low or no-code applications, serverless infrastructures, and other automated solutions to reduce the potential for human error,

But automation doesn’t fix everything. Local governments need to teach people to adopt secure practices. Training people to watch out for phishing and other forms of cyber threats is a good start. Local governments also can create systems encouraging people to adopt safer practices, rewarding them for good behavior rather than punishing missteps. Agencies can also talk to their cloud provider about simple-to-implement security tools.

Ultimately, improving security in a time of limited budgets and increasing threats comes down to persuading government leaders to adopt new ways of thinking about people, processes, and technologies.

Summarized from govtech.com

Pandemic lessons: Improving your municipality’s continuity and coordination of services after COVID

The past 18 months have been trying for governments of all sizes. As with any crisis, the pandemic exposed—and worsened—municipal gaps and inefficiencies.

Municipalities faced all sorts of challenges—one of the greatest being a lack of communication and coordination. Municipal agencies often function in silos, but in the case of a long-term emergency event, silos can make coordinating comprehensive responses extremely difficult. During the pandemic, all these issues blended: vulnerable seniors, a recession, a rapidly spreading virus. Yet those agency silos remained intact.

Another challenge that strained municipalities was the uncertainty of the pandemic and a serious lack of experience or preparation for dealing with such uncertainty. Agencies were forced to design and provide solutions on a day-by-day basis.

Further, the need for social distancing made delivering services even more difficult, especially because of barriers to accessing the internet, which disproportionately impact low-income communities.

In the months ahead, it’s crucial that municipalities don’t let these challenges go to waste. Governments must learn from them, update their processes and ensure they’re better prepared in the future.

In terms of communication, many municipalities should rethink their siloed systems and build channels for better collaboration. Each agency should strive to know what the others are working on, and how it may overlap with their own scope.

The pandemic revealed how taxing a crisis can be on residents’ mental health. And so, municipalities should invest in programs that prioritize mental health and wellness.

Municipalities need to develop new data capture and analysis capacity to understand evolving situations. Had these systems been in place at the start of the pandemic, governments could have more quickly determined where and how to deploy resources like testing sites, rent assistance, or mental health services.

Perhaps the most important lesson is that any crisis—big or small, health-related or otherwise—will affect vulnerable communities more so than any other group. The first step to address this is identifying neighborhoods without adequate access to high-quality schools, parks, public spaces, public transportation, and health resources, listening to the needs of community members and collaborating to enact services and programs that work.

As the pandemic recedes, it’s vital for municipalities to take stock of what they learned and start putting these lessons into practice immediately.

Summarized from americancityandcounty.com

How the Pandemic Impacted Government’s Cloud Migration Plans: The Good, the Bad, and the Ugly

“Cloud-first” has been a government imperative for many years, but the pandemic usurped that strategy, making “cloud-now” a priority. The results have been transformational.

The cloud made wide-scale government telework possible but it has also given agencies the opportunity to test drive new cloud applications and experience the scalability and security benefits first-hand.

However, for all the good generated from this investment in “cloud-now,” challenges remain.

Although COVID-19 accelerated cloud adoption, there are still many situations where a private cloud is required—hence the popularity of hybrid IT environments. But these can be hard to manage at scale and require a specific skill set that’s not always easy to find.

While federal, state, and local agencies remain firm believers in hybrid environments, they face several obstacles including: ensuring a high-performing infrastructure; traditional monitoring technologies that may not work across heterogeneous ecosystems; the speed at which some cloud applications were rolled out may also have resulted in unresolved security and compliance issues.

That’s the good, the bad, and the ugly. But what can agencies do to combat these concerns

1. Take a new approach to tooling.

When planning a cloud strategy, it’s easy to assume the right tools and technology are a cure-all for the complexities of hybrid cloud management, but not all technologies are created equal, with many designed for on-premises data centers or the cloud, not both.

IT leaders must prioritize a plan to control the complexities of monitoring hybrid environments with an integrated, holistic view of overall health, performance and security across the network, databases and applications.

2. Optimize the hybrid network.

Network connectivity and performance will be key factors in ensuring the delivery of high-quality, mission-critical services by addressing network latency and any other issues before they impact end-users.

Software-defined wide-area network (SD-WAN) technologies can help simplify network management tasks by intelligently routing traffic around congestion.

3. Get a handle on identity and access control.

When employees, contractors, and citizens interact with data from disparate sources—in the cloud and on-premises—security teams are finding out things get much more complicated.

In a rush to fill the security holes created by the “cloud-now” imperative, access controls such as multifactor authentication will likely replace passwords as the gold standard for digital access. Other security practices like zero-trust frameworks, network segmentation, and adhering to the cloud provider’s security best practices can help secure high-value assets wherever they reside in the hybrid environment.

4. Shift skills and mindsets.

As IT leaders are finding out, the skills involved in managing a hybrid cloud environment are different than those needed for on-premises infrastructure. Virtualization, containerization, and even some elements of security create a wholly unfamiliar environment that must be managed in unison with, and to the same high standards, as on-site assets.

Technology can help, but agencies must also identify and nurture the right skills needed to support a hybrid cloud strategy in areas such as security and application performance monitoring. Agency leaders and users also have a role to play and should be educated on how a hybrid environment supports the goals of the mission and how it can be leveraged effectively and securely.

The pandemic has made the case for IT modernization and accelerated cloud adoption, but for these services to be truly utilized by government personnel and citizens alike, they must be high-performing, easily accessible, and secure.

Summarized from nextech.gov

What Is IoT Architecture, and How Does It Enable Smart Cities?

Without the Internet of Things (IoT) smart cities simply wouldn’t be all that smart. They would not deliver value to residents or to city governments.
Things in a city that can become “smart,” from parking to streetlights, transportation, energy, health, buildings, and the environment, only become so because of an IoT architecture that has several key layers, all of which work in concert for smart cities to be successful.

In addition to government involvement, the technology needed to enable a smart city application is connectivity (to connect devices to the internet so that they can exchange information) and data (generated by the device, without which a connected device is of limited utility).

Smart cities’ spending on technology is expected to grow at a compound annual growth rate of 22.7 percent, jumping to $327 billion by 2025, up from $96 billion in 2019. To make that possible, city governments will need to continue to invest in their IoT architecture.

What Is an IoT Architecture?

An IoT application can be described “as things (devices) sending data that generates insights. These insights generate actions to improve a business or process.”

As an example, an engine (the thing) sending temperature data that is used to evaluate whether the engine is performing as expected (the insight) in order to proactively prioritize the maintenance schedule for the engine (the action).
That action operates within a framework known as an IoT architecture that is often described as a four-stage process in which data flows from sensors attached to ‘things’ through a network and eventually on to a data center or the cloud for processing, analysis and storage.

A ‘thing’ could be a machine, a building or even a person. Processes in the IoT architecture also send data in the other direction in the form of instructions or commands that tell an actuator or other physically connected device to take some action to control a physical process.

The 4 Layers of IoT Architecture

1. Sensing or perception layer:

This is where the IoT architecture starts with sensors or actuators either monitoring or controlling some physical object.

2. Network layer:

Data from a sensor or actuator is sent through the network layer that collect raw data from the sensors and convert it from analog into digital format before sending it through an Internet gateway for the next stage of processing.”

3. Data processing or management layer:

After the data has been digitized and aggregated, it will need processing to further reduce the data volume before it goes to the data center or cloud. Machine learning tools can be used to provide feedback to the connected system to improve its performance. Further analysis of the data can take place in the cloud or a data center to provide a broader picture of the overall IoT system.

4. Application layer:

Industry-specific and/or agency-specific applications can be used to perform in-depth analysis and apply business rules to determine whether action needs to be taken

What Is a Smart City?

There are a range of definitions for what a smart city actually is, with no single consensus on the essential criteria.

A smart city is a municipality that uses information and communication technologies (ICT) to increase operational efficiency, share information with the public, and improve both the quality of government services and citizen welfare

A 360-degree smart city looks across every aspect of operations and uses technology to improve outcomes.

An urban center that not only leverages technology to improve its own operations but connects with citizens, businesses, and nonprofits in new ways.

A smart city network and community is a municipality that advances in six key strategic action fields: Smart Government, Smart Economy, Smart

Environment, Smart Living, Smart Mobility and Smart People.

Summarized from statetechmagazine.com

10 reasons why local governments should outsource all IT: Post pandemic view

It’s time for public managers to take a deeper dive into their technology systems, people, and capabilities as it relates to current threats and ever-growing deficiencies.

Growing ransomware attacks have brought to light many weaknesses in digital hygiene that have exposed deficiencies regarding system recovery let alone preventing the attack. Many cities and counties are performing well in meeting the growing challenges of security, modernization, innovation, and lending edge applications, however far too many are living with serious deficiencies.

Given the growing complexities of planning and maintaining technology as well as having the right staff, many local governments might be much better off outsourcing some or all of their IT operations.

We must delve deeper and actively assess what vulnerabilities lie within our systems, as well as looking more closely at staff competencies and expertise.

Just as important, one cannot ignore the fact that outsourcing to any degree does not absolve the jurisdiction’s responsibility regarding issues of compliance and security. Someone will still need to manage any contract in terms of performance and outcomes.

What follows then are 10 factors that require further exploration and action.

Retirement of senior staff. The large retirement boom is leaving many jurisdictions short of talented staff, institutional knowledge, and areas of needed expertise.

Staff turnover. Younger staff are generally not staying at one place for a lengthy period of time as did their predecessors.

Reduced incentives. Governments were traditionally known for their generous health and retirement benefits. But ever since the Great Recession of 2009, benefit packages have shrunken in all categories. This makes it even more difficult to recruit qualified staff, especially with technology professionals.

Inability to pay higher salaries. The private sector has traditionally recognized the need to pay competitive salaries based on supply and demand. Government has been stuck in time and in most instances adheres to rather inflexible pay scales that are more focused on treating everyone similarly as opposed to addressing the reality of market forces.

Lack of training resources. All too often technology staff find it difficult to attend conferences and seminars. While in some cases tech staff feel they are too busy and don’t have the time—more often than not they are told there is no or little money for training and travel to meetings.

Added to the list is the lack of certified CIOs where the need has never been greater. Any recognized professional certification program requires the obligation of recertification.

Career development indifference. It is not unusual for technology staff to be classified with non-transferable classifications such as “technician” 1, 2, etc. The issue here is not how staff are classified internally—it is having public titles that more closely reflect one’s real responsibilities.

Lack of realistic strategic planning. Approximately one-third of local government CIOs still report through a finance official and far fewer are routinely invited to sit at the head table when key plans, policies or decisions are being made. For technology to be fully optimized, the IT operations and infrastructure must be continuously reviewed and with senior staff tasked with seeking ways to align technology with that of the business needs of all departments and agencies.

Aging infrastructure. Too many local governments are beginning to realize that deferred equipment upgrades turn out to be costlier in the long run. Those communities who experienced the most difficulty in pivoting were the ones with the oldest and least flexible infrastructure. Today more than ever, when a vendor declares a software or hardware system as no longer supported, one needs to understand the implications as well as the consequences.

Cyber security challenges. Even with local government, there are state and federally mandated compliance regulations. However, compliance alone cannot solve the ever-growing threats governments face. Reasons to not maintain upgrades most often are that it would be too expensive, or “we are too small” to have to worry about cyber beyond what we are currently doing. The expense to recover is far greater exponentially then the price to adequately staff, train and invest in the latest threat protection systems.

Failures in scope and scale. Perhaps the most pressing and overriding issue facing local governments when it comes to technology is scope, scale, and staff competencies. Technology can be expensive to operate and maintain and one must question whether it makes sense for every government entity to own its own systems and equipment. Among the alternatives are outsourcing; shared services among neighboring jurisdictions; or simply seeking managed cloud solutions.

In the end IT performance is critical to every aspect of government operations and service delivery. The outsourcing of IT, in whole or in part, is one such option that must be considered.

Summarized from Americancityandcounty.com

Disaster Recovery via Hybrid Cloud Appeals to Local Governments

Following a recent upgrade of a local government’s IT holdings including new servers, new firewalls, and new switching equipment, leadership realized that they hadn’t come up with a good plan for what to do should anything go wrong.

As it surveyed its new infrastructure, the IT department realized it could be looking at days or weeks of downtime in the event of a serious system failure. Certain disasters — like a ransomware attack — could potentially lead to loss of reams of valuable data.

The government ultimately moved backup and disaster recovery to a hybrid cloud, the best practice according to industry experts.

Most agencies that do embrace cloud-based disaster recovery (DR) platforms find the migration to be relatively straightforward. While few organizations ever actually need to execute their DR solutions, those agencies that have to execute DR often benefit from much lower recovery time and recovery point objectives that cloud services offer their systems.

Minimizing Data Loss in the Event of Ransomware
A ransomware attack drove the city of Lodi in California to walk away from its traditional backup system upon discovering that many of the agency’s files and systems had been encrypted. Luckily, the backup server wasn’t touched, but the experience made them rethink their approach to data protection and security.

Implementing a plug-and-play cloud data management appliance on site allowed the team to set policies for backup frequency and ­retention and automated the work accordingly. If a disaster were to occur, data loss would be minimized with a “near zero” recovery time.

ATON Computing’s application of SIRIS, the Datto all-in-one Business Continuity and Disaster Recovery (BCDR) product, covers all continuity & disaster recovery needs, protecting servers, files, PCs, and SaaS applications. Datto works with all sizes of public sector organizations, providing a customized solution tailored to specific needs to prevent data loss and minimize downtime while building margins for growth.

Summarized from statetechmagazine.com

Why state and local governments need to future-proof their sales tax processes with technology

Just over a year ago, state and local governments were forced to address the public health crisis created by the COVID-19 pandemic, adding additional responsibilities including dealing with the stress of relying on paper-based processes.

Across the United States, a large majority of state and local governments manage tax processes—from issuing licenses to receiving tax returns to issuing notices—in a paper-based manner. When tax employees were sent home, those tax authorities faced the challenge of managing a tax process that was completely paper-based.

State and local authorities can use technology to future-proof their tax processes while driving efficiencies and maintaining operations during disruptive events.

After the pandemic, governments will need to adapt to a new reality, which includes changes to service delivery and pace of regulation. The post-pandemic era will be one of more technology adoption at the state and local level to enable government to work in an environment that is more flexible, agile, and prepared for continuity in the face of disruption.

To effectively future-proof their processes, tax authorities must embrace technology that eases interoperability and seamless data exchange, creates the ability to work securely in a real-time environment, and scales from a single operator to large, enterprise businesses.

Modernizing with electronic registrations and filing
While e-filing is a common process among state governments, it is not among local governments. Today, even when digital formats are used for tax registration and returns, the process can be time-consuming and cumbersome.

The pandemic drastically increased the use of e-commerce but less than half of businesses surveyed indicated that they were fully compliant with tax filings. When authorities get those businesses in compliance, it will mean a deluge of net-new sales tax returns filed by businesses, increasing pressure on existing government systems and processes which are too often paper based.

Simplifying the process using trusted data sources
Governments and businesses leveraging the same technology would save enormous time and resources but everyone using the same software is an unlikely outcome.

Points of friction can be reduced by creating trusted relationships that limit the need for auditing and validation—all while ensuring tax authorities are receiving the most accurate tax collections each time.

Shared standards become the data that powers the platform that effectively becomes a centralized source of truth for businesses and governments alike.

Automating the exchange of tax information
Governments and the tax industry have long worked together to standardize and encourage the electronic exchange of tax information. Success will require greater efficiencies from the financial systems government and businesses must rely upon.

The concept of integrating tax technology between business and government doesn’t apply to just certain aspects of the tax compliance journey. Integrating tax technology could instantaneously issue a license to a business, automatically enabling a business to begin collecting sales tax.

As more commerce takes place digitally, state and local governments will need to modernize their tax processes to keep pace. Authorities should take a forward-looking approach to exploring tax technology so that they can address the issues of today and tomorrow.

The future of tax compliance is one that prioritizes efficiency and operates on a centralized and openly available technology to readily exchange data to instill trust in all stakeholders. To make this a reality, governments and businesses will need to integrate their tax technology to reduce the need to connect disparate systems, reduce complexity, and increase compliance.

Summarized from Americancityandcounty.com

Building a better citizen experience with contact center modernization strategies

Government contact center operations have been stretched thin by escalating pressure to control bottom-line costs. But the effects of the pandemic — and the subsequent unemployment and health crisis — showed many government leaders that their agency contact centers were not prepared to meet the surge in citizen needs.

Modernizing contact center operations with cloud-enabled infrastructure promises a more agile approach in the face of crisis according to a report produced by Scoop News Group.

By moving contact centers away from legacy infrastructure, agencies can integrate automation and AI-enabled tools that connect citizen interactions with other workflow processes.

The report describes how agencies deployed cloud and automation technology to deflect calls from at-capacity systems, enabling the use of an intelligent virtual assistant (IVA) to provide rapid answers to routine questions, resulting in a 24% decrease in call frequency.

Injecting a layer of digital interaction (text messaging, chatbots, and other automation tools) before connecting to a live agent is one of the most effective ways agencies have found to streamline surges in requests.

By integrating automation technology, agency contact centers have been able to reduce operations costs, improve employee and constituent satisfaction, and provide greater agility to react to surge events.

Summarized from fedscoop.com

Technology Enables Real-Time Situational Awareness for Cities

Modern physical security platforms that incorporate both video management and access control systems can help government agencies secure government buildings. They can also do a lot more than that.

As city leaders start thinking about the future of their transportation infrastructure and how smart cities will evolve, they can turn to some of the same technologies. Physical security platforms that combine IP-connected video camera feeds, video management tools, and analytics capabilities can provide real-time situational awareness to city traffic control centers and other nerve centers within cities.

City leaders and IT decision-makers need to determine what kinds of activity they would want to monitor, and how to use that information to improve city services, such as public safety, traffic, and parking.

The Technologies Needed for Situational Awareness
Some cities may already have the elements needed to enhance their situational awareness. However, many don’t have a system in place to interconnect them and take full advantage, for example, of the video cameras a city has deployed.

It’s important for city leaders to begin the planning process with the end in mind. How would they want to pull all the data a video camera and sensor system can collect so that the data can be used to make the right decisions at the right time?

The main building block for the video portion of such a system is a video management system. A VMS can support search analytics, including metadata on objects, faster retrieval of video and forensic searches.

Other tools, such as those from providers like Live Earth, incorporate geographic information system (GIS) data, vehicle tracking data and other video information, then tie it all together.
Such a platform might also pull in data from license plate reader cameras and sensors, GPS sensors or trackers in police squad cards, and from air quality monitoring stations and other connected sensors.

The Benefits of Real-Time Situational Awareness
There are a multitude of advantages to collecting, aggregating, and analyzing all of these data feeds.

Emergency management and transportation operation centers can plot out where all of the cameras are in a location, and can also visualize on video walls where every police car and ambulance is.

Cameras can be programmed to detect illegal left turns or wrong-way drivers, with the video data used not for enforcement action but rather for better street or traffic signal planning.
Data dashboards can also provide customizable data feeds for whatever city officials want to keep track of, whether that is vehicle traffic, pedestrian traffic or conditions captured via sensor data. When that data is plugged into a citywide platform officials can drill down into the data that matters most to them.

The purpose of such a platform is to allow cities to use real-time video feeds and data, alongside analytics, to get a better picture of what is happening in a city. That then allows city and IT leaders to improve planning and services.

With the right vision and technology in place, city leaders can get more value from their existing investments and make their cities safer and better able to serve the needs of residents.

Summarized from statetechmagazine.com

Disruptionware: A New Cyber Threat Targeting Critical Infrastructure

Disruptionware is an emerging type of cyberattack calculated not only to disrupt the availability, integrity, and confidentiality of victims’ data, systems, and networks, but also to interrupt or shut down the essential business operations functions of its victims. More destructive than traditional malware and ransomware attacks which typically only target a victim’s systems and networks, disruptionware attacks target both the “information technology” (IT) and “operational technology” (OT) networks of its victims.

Ransomware is the most commonly used tool to effectuate disruptionware attacks, and, similar to other disruptionware tools, is a type of malware that — once released into a victim’s data networks — is highly effective at diagnosing, attacking and shutting down the victim’s business operations.

Disruptionware attacks are expensive and inconvenient and they also pose a danger to the public health and safety. For example, a 2020 disruptionware attack at a German hospital shut down the hospital’s computer systems, making patient and vital health data inaccessible. The attack also targeted the hospital’s OT networks, including shutting down operating room infrastructure, which locked the hospital out of critical life support systems and equipment needed by the medical staff.

While attacks on companies in the health care industry have garnered significant and well-deserved attention, disruptionware attacks have begun to impact many other industries.

OT networks are susceptible to less sophisticated, readily deployable cyberattacks such as ransomware. According to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), there are many forms of ransomware that are designed to specifically disrupt operations by organizations using OT networks and devices.

A recent cyberattack on a water treatment plant in Oldsmar, Florida highlights the danger posed by disruptionware attacks on participants in critical infrastructure industries. In that case, an attacker remotely accessed an OT system controlling the chemicals that were added to the water supply. Fortunately, the attack was discovered and reversed before there was any danger to the public health.

The danger from disruptionware attacks to the nation’s critical infrastructure is only growing. In early May 2021, one of the largest U.S. fuel pipelines was hit by a ransomware attack, forcing its operator, Colonial Pipeline, to shut down its operations — including 5,500 miles of pipeline.

Disruptionware attacks are becoming more commonplace and more dangerous. Disruptionware is obviously a tremendous change to the cyber threat landscape, and agencies should be aware of the potential danger that such attacks can pose. Organizations would be well-advised to take steps to upgrade their security to guard against disruptionware. In addition to baseline “cyber hygiene” practices to secure IT and OT networks, organizations should also consider doing the following:

    • Regularly patching networks and ensuring a viable patch management system
    • Disabling Macro Scripts on your network
    • Limiting unnecessary internet exposure
    • Disabling Secure Server Message Block (SMB)
    • Disabling Remote Desktop Protocol (RDP)
    • Managing and securing third-party Service Level Agreement (SLA) access to networks
  • Instituting effective “Social Awareness” training for company employees.

 

Summarized from JD Supra