A Connected Community Toolkit for municipal Leaders: Important Questions (and Adult Beverages)
Strategic Cybersecurity - Expert Commentary
This is the fourth installment in our series on technology convergence, cybersecurity, and the implications for policymakers. You can read the first post here, second post here, and third post here on GoTech Insights.
Boy, who needs a drink, eh? Critical infrastructure, cyber vulnerabilities, AI, lack of guidance, forget it. Before you reach for something strong to drown your sorrows, let’s kick back for a second with something calming. Coming your way right here, right now, and courtesy of GoTech is a toolkit that our municipal officials and critical infrastructure operators can use to help begin to mitigate risks from connected community architecture deployments. Before you get too excited, this is not a single pill that will cure everything. Rather, it is a simple set of two lists of questions. Questions that municipal officials can ask THEMSELVES and questions that they can ask of their vendors. Before we get into the questions, a word about framing problems.
As mentioned in the last post, problems can feel so large and complex that getting to an actionable solution right away can be daunting, if not impossible. Sometimes it is useful to take a few steps before getting to actionable recommendations like framing and prioritizing a problem. This is where policy action can help go from zero to one for a problem that most people are not looking at. In that spirit, these questions bridge the gap between simple framing and actionable recommendations. They do not purport to solve the problem completely nor to prescribe one size fits all solutions to such inconsistent and decentralized problems. Instead, it simply asks municipalities to ask themselves a few important questions to take stock of their readiness to maintain a connected community architecture and to ensure the architecture components and functions they choose are going to solve real community problems.
In so doing, it lets each community prescribe solutions that work for their specific circumstances, which, in turn, contributes to the overall risk discussion around critical infrastructure and connected communities deployments around the country. Second, the list of questions to ask vendors creates an economic demand to incentivize security by design and interoperability in connected community architectures. Companies respond to customer demand or risk being put out of the market so a groundswell of demands from municipal leaders will create market forces that change the technology for the better.
Questions Municipalities Should Ask Their Vendors
- Are your products interoperable with other municipal IoT devices and services?
- Can software patches and firmware updates be applied to devices remotely?
- How often are updates sent to devices and are the updates done automatically or do they require a human action?
- Does your product provide a means to view the health and functionality of all deployed devices?
- Do you provide software support over the life of the product?
- Describe your internal software security procedures.
- To what extent do you source parts or labor from overseas? If so, where?
- Do you offer live 24/7 assistance for security incidents, breaches, or other disruptions?
- What training for system managers do you offer as a part of a purchase?
- Are there system security features that allow me to isolate cybersecurity incidents to prevent a malicious actor from gaining access to all architecture features?
Questions Municipalities Should Ask Themselves
- What problem(s) am I trying to solve and will this technology solve it in a measurable way?
- Do I have personnel on staff who can monitor and diagnose technical issues inside the system?
- Do I have the ability to conduct training and exercises to help diagnose systemic issues within the architecture when they happen?
- Do I have the budget to purchase, maintain, and update the equipment in my architecture?
- Does my contract language have requirements for security and interoperability for connected communities purchases?
- Do I have a unifying connected community strategy in my municipality?
- Do I have the proper accountable officials with the resources required to manage my architecture (CISO, CIO, CPO)?
- Do I have plans and controls in place to protect privacy and secure data of my citizens?
- What critical infrastructure will my architecture touch and what are the interdependencies with other critical infrastructure?
- Do I have direct access to CISA, FBI, and other authorities in the event of a cybersecurity incident?
Using a list of general questions like these allows municipalities to scope and design both architectures and governance structures to ensure they get the most out of their investments while mitigating the risks. As it stands today, we are not in a position to give a set of 10 hard recommendations that municipalities can implement that will reduce their risk because the problem is too big and too complex. That is not a good enough reason to simply ignore it and watch as cyber incidents occur in different municipalities.
Instead, this approach frames the conversation correctly and gives a few guideposts for municipalities to follow in the form of questions that can be asked of vendors and of the municipalities themselves. The combination of multiple municipalities using this tool, scoping what it means to them, and sharing the results among each other is how we will be able to find those actionable recommendations that make sense for all or most municipalities.
The missing piece is the policy prioritization of the issue and right now that is sadly lacking from DHS, CISA, and the rest of the federal government. The five largest municipalities in the United States have a unifying strategy but around 75% of US municipalities do not. Furthermore, only 28 of the 100 largest metro areas in the United States have a CISO or equivalent. The decentralization of this problem is creating a startling lack of accountability and planning at the same time that technology deployment is increasing. A policy with clear prioritization is critical but must take the same approach as the questions above. Prioritize the issue, lay out some principles, but allow municipalities to tailor their strategies and choices to their needs.
There is a long way to go but some reasons for optimism. Let’s celebrate with a smoky and sweet Oaxacan Mule. Get your copper mugs ready. Cybersecurity is coming to your community.