Introduction
This the second of two articles on cyber security and long-term risk. The first article introduced the issue and discussed the first of two issues that underly the long-term risk. This is the need to have a robust Enterprise Risk Management process. This article will discuss the second issue, competition for resources both human and money. It also provides some policy recommendations.
Summary Part 1
Governments around the world are facing multiple risks. Lloyd’s of London lists 22 risks that local governments around the world face. These include cyber-attacks, pandemics, civil unrest, and climate related events such as floods and hurricanes. The adverse impact of these risks can be significant and costly. For instance, both the cities of Atlanta GA and Baltimore MD were the victims of ransomware attacks. Their computer networks were down for weeks. It cost each city at least $17 million to secure their systems and get them back up and running.
To deal adequately with these risks a robust enterprise risk management (ERM) approach is needed to identify and manage these risks. The Government Accountability Office (GAO) recommends that ERM be implemented as part of the organization’s cyber-security process.However, a GAO study of the cyber-security of federal agencies found that fewhave implemented ERM.
A 2019 policy paper by Cambridge University in the United Kingdom lists several impediments to the adoption of ERM. These are:
- Governments do not sufficiently understand how to design risk mitigation, preparation and response measures.
- Political leaders tend to focus on the short terms. There is little incentive to think about emerging or long-term risks.
- Bureaucracies are often ill-equipped to understand risk and often suffer from poor agility to new or emerging issues, poor risk management culture and practice, lack of technical expertise and failure of imagination.
While the failure to implement ERM is a significant impediment to cyber-security, an equally important impediment is competition for resources.
Competition for Resources and Talent
Government budgets are limited. Each item included in the budget competed for money with other items. In the case of computer security, there is a two-fold competition. One is the competition for talent. The other is competition for money.
For governments the competition for talent is essentially a Catch 22. A local government workforce assessment conducted by the Australian Local Government Association in 2018 found Computing ITC Professional skills in short supply. This skill shortage was expected to increase going forward. In addition, local governments were having trouble recruiting people age 30 or under. (1)
An article in the Hill, by Kevin Curry, notes that“nothing is more frustrating to Millennials than antiquated technology – legacy systems build for a former era.” (2) He goes on to indicate that Millennials, in the Information Telecommunication and Computer (ITC) field, must work with cutting edge technology to stay competitive.
Unfortunately, in order to upgrade legacy systems to cutting edge, organizations must have the talent capable of doing so. With the private sector moving to upgrade their systems and deal with cyber-attacks, a competition for talent is being waged. Since the private sector can pay more and their systems are more up to date, governments are in a Catch 22 with respect to attracting talented Millennials. Without the talent, it is difficult to upgrade the systems. Without up to date systems, it is hard to attract the needed talent.
The problem is further complicated by the expense of systems upgrades. Three examples are below.
Broome County New York – Office of Emergency Services
There are 12 different radio systems with portions dating back to 1970. These systems do not communicate well with each other. This can hinder response to emergencies. This could result in deaths. Cost to upgrade is $4 million.
Philadelphia – Street Department
The control system for most of the city’s 3,000 traffic signals date to the 1960’s. This makes it harder for the department to manage congestion. Cost to upgrade: $175,000 to $735,000 per intersection.
Minnesota Motor Vehicles Licensing Software
The state spent $100 million over ten years to replace it licensing and registration software. Once installed there were so many glitches that another $16 million was requested to fix the problems. (3)
Upgrades can be expensive. Unfortunately, the Minnesota experience with its substantive cost, long implementation period and the glitches requiring additional expenditures is what citizens and legislators remember. Consequently, citizen and legislators are reluctant to authorize funds for upgrades which continually have cost overruns and numerous glitches.
The competition for resources combined with the failure to take proactive active cyber-security measures to mitigate risks creates the long-term problem.
Long-term Problem
If governments at all levels do not upgrade their legacy systems and treat the threat of a cyber-attack in a proactive manner, then their systems remain vulnerable to attack. Further, the cost savings and performance improvement benefits, which often result from upgrading systems, will be lost.
Governments at all level want to become “digital” or“smart”. But success depends upon integrated computer networks. If there are multiple intersections between legacy and up to date systems, the number of points that can be attacked increase. If digital government or smart city systems are not secure from attack, they might be more of a danger, than benefit.
A Catch 22 is difficult to escape in the short term. However, there are actions which can and be taken.
Actions to be taken
Foreign actors are attacking our computer networks. Thus, for descriptive purposes, our response ought to be thought of as building an army to defend our networks. An army requires people with the proper training and focus. It also requires the materials necessary to carry out the mission. Below is a list of actions that could be taken.
- Government at all levels need to take a more proactive approach to risk identification and mitigation. (Proper focus)
- Federal agencies can assist this process by including ERM in guides and manuals.
- Federal agencies need to show that ERM is beneficial by successfully implementing ERM.
- Computer networks at the state and local level need to be viewed as part of the national network infrastructure. As such, the President and Congress need to develop a ten-year plan to upgrade legacy systems at all levels of government and make it a priority, just like the transportation system.
- Because this is a national issue, the federal government will have to pony up the bulk of the money to upgrade the legacy systems. However, state governments will have to share some of the cost for their own system upgrades and pony up money to assist local governments. Local government will also have to pony up money for their systems upgrade. This should be a priority. As such, every level of government will have to allocate the needed resources. A possible sharing approach is; at the state level – 30% federal money and 70% state, and at the local level – 15% federal money, 25% state and 60% local.
- The bidding process for upgrades needs to be sped up. The goal should be the awarding of the bid within six months, start no later than a month after award and completion within two years. If the project goes beyond three years, at the speed of innovation and change, the systems could be outdated by the time it is completed. In which case, the expenditure was for naught.
- To fill the skills void, the federal government should offer grants to students majoring in engineering, science, math and information technology. Upon graduation, if the individual works for any level of government or a non -profit organization for three consecutive years, the grant is forgiven. If the United States is to remain competitive and secure in a technology driven global economy, it must heavily invest in the skills that will keep it competitive.
Conclusion
Cyber-attacks are a recognized threat to both the public and private sector. But cyber-attacks are but one type of risk organizations face. Consequently, a more risk sensitive orientation needs to be developed within all organizations.
In the United States, the GAO audit combined with the successful attacks on local governments indicate there are substantive cyber-security risks. If governments are to operate within a digital technology-based economy, digital systems must be secure from attack. This cannot occur with the degree of outdated legacy systems currently populating governmental computer systems.
In order to ensure government computer networks are secure the national government needs to recognize cyber-security is not limited to its own systems. It includes state and local government computer systems as well. Consequently, a federal initiative to upgrade the computer systems of all levels of governments needs to occur.
Endnotes
- Australian Local Government Association, 2018, “Local Government Workforce and FutureSkills Report Australia”, September ,https://lgnsw.org.au/files/imce-uploads/1/local-government-workforce-and-future-skills-report-australia.
- Curry, Kevin, 2017, “America’s Public Sector Has A Big Problem – It’s Not Getting Any Millennials”, https://thehill.com/…/327638-americans– public-sector-has-a-bad-problem-it’s-not-getting-any-millennials.
- Kline, James, 2019, Enterprise Risk Management in Government: Implementing ISO31000:2018, page 39, CERMAcademy Portland OR forthcoming.
James J. Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence and a Certified Enterprise Risk Manager. He has over ten year’s supervisory and managerial experience in both the public and private sector. He has consulted on economic, quality and workforce development issues for state and local governments. He has authored numerous articles on quality in government and risk analysis. His book Enterprise Risk Management inGovernment: Implementing ISO 31000:2018 will be out in August. jeffreyk12011@live.com