Federal response got more serious, too, homing in on defending critical infrastructure, and states haven’t sat on the sidelines, either. Several moved to ban ransom payments and direct more resources toward defending against the threats, although researchers say fully tackling the problem requires national and international coordination.
Nation-state-driven cyber espionage by Russia and China also loomed heavy in public consciousness, particularly the SolarWinds incident, attributed to Russia. That saw a compromised security patch spread malware to clients, including government agencies, and woke up the U.S. to the need for software supply chain security. Calls for reviewing software development environments and creating a software bill of materials became more pressing.
The White House has sought to infuse fresh energy into fighting cyber crime, appointing its first-ever national cyber director and channeling new funding to state and local governments. Biden’s May executive order announced plans for holding federal agencies to higher cyber hygiene standards, and the administration signaled interest in putting more pressure on private firms to support a better national cyber posture as well.
The federal government also turned attention to states and localities, where efforts to modernize legacy systems and upgrade defenses are often held back by shortages of money, people and guidance on how to invest most impactfully. The Cybersecurity and Infrastructure Security Agency (CISA) has been working to become a go-to resource, however, and could gain more powers and programs next year under the National Defense Authorization Act (NDAA) for Fiscal Year 2022, which has not yet passed at time of writing. Federal efforts like these are also unleashing more dollars, but states and municipalities will need sustained funding.
Workforce
Even so, agencies cannot just hire their way into safety. They also need to continually train and retrain existing staff about best practices for staying safe and properly implementing technologies. Artificial intelligence tools are helping scan for vulnerabilities and suspicious activity, but cyber criminals will always find plenty of traction in tricking humans. Phishing is the jumping off point for many successful scams and ransomware attacks, with one email fraud incident costing a New Hampshire town $2.3 million. Agencies, therefore, must keep employees’ cyber awareness fresh.
Not all cyber risks come from deliberate, malicious action, either. Staffs’ technological mistakes can also be devastating, with failures to adhere to the correct procedures resulting in the Dallas Police Department permanently deleting troves of case materials and Wyoming leaking residents’ health data, to name just two 2021 examples.
Privacy
The pandemic made digital services essential to governing, with many residents and state personnel working in remote or hybrid environments and not everyone planning to go back to the old ways. This shift means agencies must be able to provide digital services without interruption and securely handle residents’ data. This hasn’t been easy, and 58,000 unemployment applicants in Florida saw their personal data exposed in a breach.
Agencies are becoming more attuned to the need to safeguard residents’ privacy, whether through security measures intended to thwart data breaches or by simply avoiding ever collecting or retaining information beyond what’s strictly necessary. States continued to add chief privacy officer posts in 2021, underscoring the growing attention put on such concerns.
Elections
Election cybersecurity and misinformation will be top of mind in 2022. Election officials sharpened skills in 2020 and shared information more closely with federal partners as they monitored and responded to potential cyber threats and physical attacks. But lingering fights over that election warn of the work ahead next year.
State and local governments are still grappling with unfounded allegations of 2020 voting fraud, with Maricopa County, Ariz.’s widely panned Cyber Ninjas election audit only concluding in September, and Wisconsin and Pennsylvania looking to launch their own.
Meanwhile, mis- and disinformation aimed at undermining trust and misleading voters spurred the Jan. 6 insurrection and death threats against election workers. Advocates in 2021 have increasingly drawn attention to how social media platforms amplify falsehoods, and combatting false information as well as curbing other social media harms will remain a major concern of policymakers.