Analyzing Cybersecurity Challenges and Strategies in Texas Local Governments
Abstract
Using a primary interview with a government cybersecurity leader, this study seeks to analyze current cybersecurity programs in Texas local governments to identify vulnerabilities, assess barriers, and highlight further developments. With the increasing digitalization of governmental operations, sensitive information stored in government databases, and barriers in cybersecurity programs in municipalities, local governments are a vulnerable target for cyberattacks. Texas is ranked third in cyberattacks and the number increases every year. However, while recent cybersecurity initiatives in Texas help support local governments to improve their cyber programs through education, funding, and communication between tech leaders, one problem remains significant as studies on cybersecurity in local governments are generalized, with little research conducted specifically on Texas cyber programs. To address this gap, a semi-structured interview with Dr. Brian Gardner, the Chief Information Officer in Dallas City, was conducted to obtain a deeper understanding of the effectiveness of cyber programs in Texas local governments.
The results indicate that barriers are reduced due to legislation and federal and state grants. However, government still lags behind in cybersecurity compared to the private sector. While this study provides promising solutions to cybersecurity barriers for local governments, further research should evaluate cyber programs in small to medium-sized municipalities due to their unique resource challenges.
Introduction
Since 2018, cybercrime in the US has increased from $2.7B to $12.3B in financial losses, indicating that cyberattacks are becoming increasing devastating (Crane, 2020; Lynch, 2024). In addition, local governments are a primary target, as they control utilities, government data, and civilian information in their databases (Norris et al., 2015). With over 90,000 local governments in the US, 28% experience daily cyberattacks, with some reaching over 10,000 a day (Norris et al., 2015). Local governments also face barriers in their cybersecurity programs, such as lack of staff and funding, cybersecurity awareness in government employees, and governance. Specifically in Texas, its growing population only makes the state a “large and ever-growing pool of potential targets” (“Cybersecurity”, 2018). Among the little research done on cybersecurity in local governments, there exists a literature gap evaluating specifically Texas local governments. Additionally, municipalities operate autonomously, meaning that there isn’t a single mandatory framework for cybersecurity programs in local governments. To fill this gap, this paper conducts a primary interview with a city tech leader from the City of Dallas to determine solutions to barriers, initiatives, and provide insight on the current state of cybersecurity in Texas local governments.
Methodology
This research first addresses the significance of cybersecurity in local governments in Texas and current threat levels. The following literature review explains an introduction to cyberattacks, cybersecurity frameworks, barriers local governments face, and the state of cybersecurity in Texas. In addition, examples of cyberattack on Texas local governments are discussed, as well as the Texas Cybersecurity Framework and recent cyber legislation. Following the critical literature review, a primary source analysis from a government tech leader adds depth to the analysis. The interview was conducted on November 7th, 2024 with Dr. Brian Gardner, the interim Chief Information Officer (CIO) of Dallas City to
give a deeper understanding of current cybersecurity barriers and potential solutions.
Literature Review
As technology becomes increasingly engrained into the function of today’s society, organizations, businesses, and individuals become more susceptible to cyberattacks. Cyberattacks are attempts to access information, damage systems, or freeze user access of individual computers or large networks to serve hackers’ interests (Zhu-Butler, 2022). Furthermore, they can cause substantial financial loss for businesses and individuals. Figure 1 below shows data from the FBI Internet Crime Report of total losses from 2009-2018:
Since the record breaking total financial loss of $2.7B per the FBI Internet Crime Report in 2018, there has been an increasing trend in cybercrime as 2023 recorded $12.5B in losses in the USA (Crane, 2020; Lynch, 2024). It is important to note that although the number of cyberattack reports have remained consistent in this period, the increase in damage shows that attackers are becoming more efficient.
Cyberattacks
Cyberattacks come from a multitude of motivations, such as obtaining personal information and selling it, ransomware, political motives, or for fun (Hossain et al., 2024). Hackers can belong to organized cyber terrorist groups, “for hire” hackers targeting systems for financial or political gain, or hacktivist groups, all with different motives and missions. Interestingly, 82% of attacks come from other nations such as China (30%), Romania (28%), Bulgaria (7%), and Russia (5%) (Norris et al., 2015). Only 18% of attacks on US IT systems come from the US itself. For these hackers, there is also a plethora of cyberattack venues at their disposal, from web to cryptographic attacks, each with its own success rate and goal (Kaur & Ramkumar, 2021). However, the most common cyberattacks recently include phishing and malware (Norris et al., 2015). Figure 2 below demonstrates the quantity of phishing sites versus malware sites from 2009-2019:
Around 2018, there is a shift in active malware and phishing sites, where phishing sites grow exponentially, and malware experiences a decline. This data supports Norris et al.’s claim that most attacks use phishing rather than brute force attacks such as injection attacks or attempts directly on the firewall (Norris et al, 2015). Phishing usually involves emails and using social engineering, where it convinces the victim to click a malicious link or makes the user unknowingly type in login information into a fake login website (Grubbs, 2022). The Texas Department of Information Resources notes that 74% of cyberattacks involve human error (2024). Additionally, attackers also might research the victim’s life to personalize the attack to make it more persuasive and look legitimate (Grubbs, 2022). Although thousands of these automated emails are blocked before they arrive in a user’s inbox, “the attacker only needs to be right once” to steal personal information (Havich, 2023a). Once given access to these accounts, hackers have access to medical records, personal information, and even government systems and information (Bailey, 2024). Ultimately, phishing is a very effective method of cyberattack as it manipulates victims.
Conversely, ransomware is less common but can cause catastrophic financial and system damage. Ransomware is defined as malicious software that prevents access to data from a computer or network, and returning access when ransom is received (Grubbs, 2022). On average, demanded ransom averages to about $110,000, but cases such as the Coastal Pipeline ransomware attack in 2021 were reported to pay $4.5 million to get access to their software back (Zhu-Butler, 2022; Nodeland, 2023). On top of massive financial losses due to ransomware, critical infrastructure can be affected. The Coastal Pipeline’s computer systems located in Houston, Texas were shut down for six days straight, causing a fuel shortage and rise in gas prices (Venter, 2023). Additionally, hackers have found that targeting large organizations or businesses is more profitable than stealing individuals’ information (Grubbs, 2022).
Some large organizations such as hospitals or school districts are more vulnerable to cyberattacks than businesses. Hospitals are drastically affected as not immediately paying the large ransom means that inability to access medical information and tasks that rely on computer systems can turn out to be catastrophic (Greig, 2024). A school district in San Antonio, Texas has also lost access to their networks, eventually paying $500,000 in ransom on top of financial struggles from COVID-19 (Grubbs, 2022). Additionally, large private and public sector organizations in the U.S. were targets for attack, either causing large financial loss or millions with their personal identifiable information (PII) stolen.
Government Cyberattacks
Local and state governments in the USA are primary cyberattack targets. These governments are constantly under cyber threats, with some experiencing more than 10,000 cyberattacks per day (Norris et al., 2015). Each of the fifty state governments and more than 90,000 individual local governments in the United States contain information technology (IT) systems and cumulatively spend billions of dollars a year supporting them. These IT systems store and contain an abundance of PII, access to government funds, and sensitive personal and government information (Norris et al., 2015). Figure 3 below visualizes the types of data collected and stored by local government:
However, local governments are especially vulnerable targets compared to state governments as the quantity and responsibilities they have can negatively affect millions. Hossain et al. mentions that the digital transformation in managing city functions make urban life more efficient, however it also creates more vulnerabilities (2024). Cities are optimizing utility management, transportation, and public works through digital technology (Venter, 2023). Although local governments are more efficient in providing services and communication, about 27.7% experience hourly cyberattacks and 19.4% once per day (Hossain et al., 2024). A list of cyberattacks on local governments are displayed below in figure 4:
Due to the vulnerability of IT systems, the information stored, and the quantity of attacks on the vast amount of government in the United States suggests the importance of both cybersecurity policy and frameworks.
Federal Cybersecurity Framework
Governments and organizations must implement or improve cybersecurity policies and frameworks to reduce the risk of cyberattacks. The National Institute of Standards and Technology (NIST) agency from the Department of Commerce updated Cybersecurity Framework (CSF) in 2024 (Hossain, 2024). This framework is an assessment tool for organizations’ current cybersecurity posture to detect strengths, weaknesses, and areas of improvement. Specifically, using organizational profiles, tiers, and CSF core, the framework can determine and categorize the level of the organization’s cybersecurity practices and risk management. The CSF has six functions which include govern, identify, protect, detect, respond and recover which are applicable universally, allowing organizations to align the framework with their goals (Hossain, 2024). However, since each of the fifty states operates separately, there is no centralized way of implementing policies and leadership in cyber governance (Havich, 2023b). States such as Texas, Utah, and Virginia implement cybersecurity laws by omnibus, considering all personal data, compared to sector-specific implementing states such as California, Nevada, and Washington (Key Data Privacy and Cybersecurity Laws, 2023). To remediate the decentralization, the State, Local, Tribal, and Territorial Government Coordinating Council (SLTTGCC) works to coordinate infrastructure management across all levels of government Cybersecurity and Infrastructure Security Agency (CISA). These federal policies aim to support organizations’ cybersecurity goals.
Local Government Cybersecurity Barriers
Local governments face many challenges when it comes to policy and enforcing cybersecurity. In addition to the lack of research on this topic, about 60% of local governments in the USA lack cyber security policies (Hossain et al., 2024). Hossain et al.’s study compared the 38 categories from the NIST CSF 2.0 to local governments cybersecurity policy; the table is shown below.
Alarmingly, 6 out of the 11 cities in the USA in this study addressed less than 10 categories of the NIST CSF, with three cities aligning with five or less.
In addition to the lack of or under enforced policy, the barriers that local governments face include insufficient funding and staff, lack of knowledge or understanding of importance for cybersecurity, and governance and federation (Norris et al., 2015). Insufficient funding makes it difficult for local governments to provide adequate cybersecurity protection and hire qualified IT and cybersecurity staff. This has led local governments to find alternative ways of dealing with cybersecurity, such as outsourcing or transferring data and programs to cloud computing infrastructure (Norris et al., 2015). Addressing this issue, a one billion federal dollar grant targeted State, Local, Tribal, and Territorial (SLTT) government within the Cybersecurity and Infrastructure Security Agency (CISA) over four years (Havich, 2023b). This was the first federal initiative exclusively for local governments, however, due to complex rules, small and medium sized local governments will not meet funding or staff size requirements to receive the grant (Havich, 2023b).
Concerning the lack of knowledge or attitude towards cybersecurity in government, a study by Sulaiman et al. examined government employees’ behavior towards cybersecurity in Malaysia using the Protection Motivation Theory (PMT) (2022). With this, they evaluated perceived severity, vulnerability, barrier, self-efficacy, and security response efficacy in these employees. They found that threat and security awareness were found to improve perceived severity and mitigate cybersecurity security risks (Sulaiman, 2022). This implies that cybersecurity education and training are essential for government employees.
Cybersecurity governance also faces challenges as local and state governments are federated among the three branches of government. IT departments usually are in the executive branch but have no real authority over the judicial and legislative branches (Norris et al., 2015). An interviewee in Norris et al.’s study mentions that they have “responsibility over all three branches of government,” but “can’t legally enforce policy, due to pesky constitution, over legislative and judicial branches” (Norris et al., 2015). In addition, there are many departments within the executive branch, with one participant from Norris et al.’s study saying that they have “35 different departments, each with varying levels of risk tolerance,” and aligning the goals of each department with policy that can support each one proves to be difficult (2015). Also, local tech managers have little relationships with state government tech leaders, ensuing a gap in policy and communication across state and local government (Havich, 2023a).
Texas Cyberattacks
Cybersecurity should be a large concern in Texas government. According to the U.S. Federal Bureau of Investigation Internet Crime Complaint Center, Texas is ranked third in cases of cybercrime victims and second in financial losses (“Cybersecurity: Statewide Overview”, 2018). Due to the growing Texas population, the comptroller says that Texas is a “large and ever-growing pool of potential targets” for cyberattacks (“Cybersecurity: Statewide Overview”, 2018). Figure 6 below shows the total financial losses due to cybercrime in Texas from 2016-2020:
The increasing trend of financial losses may continue to increase as Texas experienced one billion dollars lost due to cybercrime in 2023. Although the massive financial loss in Texas due to cybercrime is at an all-time high, cybersecurity contributes about $35.5 billion to the Texas economy as well as a growing job market (“Cybersecurity: Statewide Overview”, 2018). Utilities in Texas are also being targeted. For example, the cyberattack on Coastal Pipeline located in Houston, Texas disrupted operations and causing millions in damage (Venter, 2023).
Texas Local Government Cyberattack Examples
Local governments in Texas were also victim to cyberattacks in recent years. On October 19, 2023, Dallas County experienced a ransomware attack by ransomware group “Play” which later released personal information of 201,404 people with 67,701 Texans affected by the attack (Bailey, 2024). Dallas County’s quick response to the attack involved posting cybersecurity resources to protect individuals’ personal information, deployed Endpoint Detection and Response to force password changes and block malicious IP addresses and provided two years of credit monitoring and identity theft protection services to victims of the attack (“Notice of cybersecurity incident”, 2023).
Further Texas municipality was also attacked on July 30, 2024, where the city of Kileen experienced a ransomware attack that shut their utility collections division (Greig, 2024). The city’s response was coordinated with the Texas Department of Resources (DIR) in which they disabled utility payment systems, cutting off connections with Bell County to contain the issue and relying on backup systems to restore servers (Greig, 2024). To deal with these cases, Texas has implemented guidelines that will give cybersecurity departments actions to prepare for and respond to cyberattacks.
Texas Cybersecurity Legislation and Frameworks
To defend against cyberattacks and prepare for potential breaches, Texas has launched new cybersecurity policies and implemented frameworks. According to the Texas DIR, Texas created the Texas Cybersecurity Framework (TCF) to address cybersecurity risk using cost-efficient, business-oriented, and limited regulation on agencies (“Texas Cybersecurity Framework. Department of Information Resources”). The framework is aligned with the NIST CSF with concurrent functions and 42 total security control objectives, with a Maturity Model to categorize the implementation of the objectives at an organization. A visual is provided below in figure 8.
Figure 7 (“Texas Cybersecurity Framework. Department of Information Resources”)
Planning Texas’ cybersecurity outline for the future, Texas DIR created the State of Texas Cybersecurity Strategic Plan to create a “secure and resilient cybersecurity environment” by using resources efficiently and creating a “risk-aware culture” to protect Texas government services, information, and infrastructure (“Texas Department of Information Resources”, 2024). The framework’s goals include risk management, governance capabilities, cybersecurity education and awareness, improve response to cyberattacks, and institute cybersecurity workforce programs. Overall, this framework addresses many of the challenges relating to local government, however, it doesn’t specifically target local governments.
Since 2011, Texas state cybersecurity initiatives started with the Cybersecurity, Education and Economic Development Council to study Texas’ cybersecurity infrastructure. However, 2017 was a pivotal year in cybersecurity legislation (Grubbs, 2022). During the 85th Legislature, state agency information was further secured with the Texas Cybersecurity Act. The Texas Information Sharing and Analysis Organization (TxISAO) came from the Texas Cybersecurity Act, allowing public and private sector groups to communicate effective
cybersecurity strategies and potent information about cyberattacks (Grubbs, 2022). In the 87th Legislature in 2021, Nancy Rainosek mentions that it “passed some of the most significant cybersecurity legislation to date and appropriated more than $700 million for cybersecurity and legacy and modernization projects”, funding Endpoint Detection and Response (EDR) technology for state agencies and several additional cybersecurity programs under the Texas DIR (Grubbs, 2022). To spread cybersecurity awareness, the 86th and 87th Legislature enforced cybersecurity training requirements for government employees and elected officials who use computers at least 25% for their duties. Completing at least one of the five cybersecurity training programs that the Texas DIR releases every year, it is expected to increase cybersecurity threat awareness and build “security habits and procedures that protect information resources and teach best practices for detecting, assessing, reporting and addressing information security threats.” (Grubbs, 2022). Recently, Texas has passed important legislation regarding cybersecurity, improving communication, response to attacks, and providing cybersecurity education, yet local governments remain vulnerable to attack.
Cybersecurity is often an overlooked section of government with limited research on its impact on local governments. Although local governments contain critical information and are responsible for infrastructure and government services, they have limited budget, staff, and often focus their resources on other issues.
Analysis
Although private and public sectors face different challenges in cybersecurity, the approach to cybersecurity should be the same. Interviewee Dr. Brian Gardner, the Chief Information Officer of the City of Dallas, says that to holistically protect the organization, he recommends that governments follow a cybersecurity framework. Municipalities in particular “have no obligation” to follow any framework, however frameworks are tried and tested, and offer a “checklist” to help the organization to not “miss things” (B. Gardner, personal communication, November 7, 2024). Referencing Figure 5 in the literature review, the local governments in the study struggled to address categories from the NIST CSF, suggesting that local governments are not aligning their cyber programs to a nationally recognized framework and could pose weaknesses. Texas municipalities can choose to use either the NIST CSF, TCF or similar frameworks, however it comes down to preference. For Dr. Gardner, he switched from the TCF to the NIST CSF as he had “trouble mapping to NIST” as he was more familiar with that framework (B. Gardner, personal communication, November 7, 2024). Overall, frameworks help governments with a step-by-step approach for their cybersecurity program and ensure that the Identify, Protect, Detect, Respond, and Recover categories are all enforced.
Communication between State and Local Governments
According to the research discussed in the literature review, one source indicated that there was a historical gap between state and local government tech leaders (Havich, 2023a). However, Dr. Gardner disagrees with this claim as the Interim Chief Information Officer for the City of Dallas, as he tries to “stay on top of any kind of regulation” (B. Gardner, personal communication, November 7, 2024). When Governor Greg Abbott announced the statewide plan for banning the use of TikTok, Dallas City had conversations about implementing the ban into policy. Although communication from state to municipal governments are not an issue, Dr. Gardner points out that “if everything is a mandate from the top down, it’s really hard to manage budgets,” unlike legislation where it is up to the municipality to adopt it (B. Gardner, personal communication, November 7, 2024). Because of this, Dr. Gardner emphasizes the need to have “autonomy from the municipal to the state, to the federal levels”. Autonomy, however, leaves a lot of pressure on the cybersecurity staff and can potentially be subject to failed implementation. Ultimately, although the gap in communication found in the literature review was refuted with regards to the City of Dallas, local governments potentially face budgeting barriers.
Funding
Cybersecurity programs in local governments face financial barriers according to Norris et al.’s study (2015). To fill this gap, Texas has allocated $40 million over four years to local governments through the State and Local Cybersecurity Grant Program (SLCGP) in 2022. This grant was supplied by the Infrastructure Investment and Jobs Act (IIJA), which was the first federal grant addressing cybersecurity risks and threats in state and local governments (“Texas Department of Information Resources”, 2024). While the states had the choice to “pass the grant money down to the municipals,” Dr. Gardner says the state of Texas created “more of a holistic approach” (B. Gardner, personal communication, November 7, 2024). Texas allows municipalities to improve their cyber programs at a reduced cost, with cyber protection projects such as CrowdStrike licensing, AVP licensing, or to build centralized Security Operations Centers (SOC). This is a great opportunity, especially for smaller municipalities, to build their cyber program. Dr. Gardner describes his experience using grant money as a city with a significant budget by first receiving grant money, then spending it on a project that he wants to work on. The SLCGP allows local governments in Texas to improve their cyber programs while reducing the financial burden.
Cybersecurity Education
As discussed in the literature review, phishing is one of the most effective cyberattack methods, as hackers manipulate employees to expose critical information and login credentials. In 2023, Dallas County faced a successful phishing attempt when an employee wired $2.4 million to a scammer impersonating a contractor (Bailey, 2024). Improving cybersecurity knowledge has been found to reduce cyber risks, which is reinforced in Dr. Gardner’s statement, “you never are doing enough” in terms of cybersecurity education and awareness with government employees (B. Gardner, personal communication, November 7, 2024). He credits previous Dallas City CIO Mandy Shreve and retired Chief Information Security Officer (CISO) of the Texas DIR Nancy Rainosek on their efforts of “doing so much” in terms of cyber education and training for government employees. Dr. Gardner references HB 3834 from the 86th Legislature where it states that government employees that use technology for at least 25% of their job requires completion of cybersecurity training. Although Dallas City has been training their employees for years, Dr. Gardner notes that HB 3834 “never mandated it” for municipals but emphasizes how it is “good practice to test our users” (B. Gardner, personal communication, November 7, 2024).
Testing government employees on cybersecurity knowledge is also essential to analyzing the state of the cybersecurity program. Dr. Gardner uses the analogy, “I can take you to school- but if I don’t test you, I don’t know what knowledge you’ve retained” (B. Gardner, personal communication, November 7, 2024). By using internal phish attacks, Dr. Gardner says that it is “critical” to do a lot of testing to identify weaknesses. Ultimately, the more educated government employees are on the topic of cybersecurity, the overall cyber posture in government will improve.
Responses to Cyberattacks
Local governments are susceptible to constant cyberattack, with many local governments attacked once or multiple times per day. In Norris et al.’s study, 40% of suspicious or spam emails are blocked before ever reaching the employee’s inbox, however in their case study, two out of 10,000 government employees clicked a malicious link in which hackers gained access to their system and caused damage (2015). Although prevention of a cyberattack is very important, Dr. Gardner believes that if you focus purely on prevention, “you’ve lost the battle, you’ve lost the war already…He’s already won because remember, we have to stop everyone. He only has to get one successful hook in you and now you’re, you’re playing catch up and you don’t want that” (B. Gardner, personal communication, November 7, 2024). Dr. Gardner says that regarding cyberattacks, “it’s not if, it’s when” the “bad guy” is successful. If a cyberattack is successful, the organization must be able to “respond, recover, limit their ability to do any damage [and] reduce the blast radius of whatever that’s going to be” (B. Gardner, personal communication, November 7, 2024). Ultimately, local governments must prepare for the imminent cyberattack by ensuring their response and recovery process are tested. Being able to respond to a cyberattack efficiently and reduce damage requires local governments to run routine incident scenarios. Dr. Gardner mentions that there is no “perfect script” when responding to a cyberattack, however he highlights that municipalities must test their script to be successful (B. Gardner, personal communication, November 7, 2024). For example, the city of Dallas’ security ops team run weekly tabletop exercises with varying scenarios to find out “how these are going to play out if something bad happens”. In addition, Dr. Gardner recommends that the legal, infrastructure, network, application support, and management teams all need to be involved with tabletops on a scheduled basis (B. Gardner, personal communication, November 7, 2024). By preparing for various scenarios of cyberattack, all sectors of local government will be better prepared in the event of an actual incident.With years of experience in private sector cybersecurity, Dr. Gardner says that “the attacks are not unique to one or the other, the attacks are the same,” regarding local government and private entities (B. Gardner, personal communication, November 7, 2024). However, he notes that in terms of cybersecurity, local government “tend[s] to be behind the curve… you have financials, then you have health care, and then you have kind of government that trails behind” (B. Gardner, personal communication, November 7, 2024). Dr. Gardner states that there needs to be a more proactive approach to cybersecurity in government as governments tend to be responsive in issues in general. However, there is progress as cyber leaders from private sectors induce change by influencing the public as there is starting to be “a lot of unification between municipalities and counties and even at the state level and federal level.” By changing the mentality toward cybersecurity issues to be similar to the private sector, local governments will be able to prepare and maintain cybersecurity performance with the ongoing cyberattacks.
Conclusion
Cyberattacks are and will continue to target local government systems. Local governments must be proactive regarding cyber policy and legislation as governments tend to be behind the curve. Although barriers do exist in terms of cybersecurity, new cyber initiatives in the US and Texas have supported local governments. With resources available such as the NIST CSF, the SLGCP grant, and cybersecurity legislation since 2017, governments are equipped to start up or improve their cyber programs. Most notably, small to medium sized local governments with lesser cyber budgets and therefore more vulnerabilities, should embrace these opportunities. In addition, all cyber programs should create a culture of cybersecurity awareness through education to mitigate phishing success. Lastly, local governments should be able to respond and reduce damage if a cyberattack occurs and have systems in place to prepare scenarios and test response protocols.
However, it is important to note that the holistic approach worked well for Dr. Gardner and Dallas City, but the lack of mandates for cybersecurity legislation raises concerns for local governments that choose not to improve their cyber programs. As Dr. Gardner mentioned for HB 3834 and for cybersecurity frameworks, “municipalities have no obligation to follow any of those rules” (B. Gardner, personal communication, November 7, 2024). This implies that a local government could choose not to implement HB 3834 and not use any cyber framework, ultimately reducing the effectiveness of the cybersecurity program and putting citizen data at risk. Dr. Gardner mentions that top-down mandates can make it difficult to manage budgets, but this discretionary model leaves a large burden for staff in local governments, especially with understaffed cybersecurity employees, to provide adequate cybersecurity for their citizens. Texas’ holistic approach to cybersecurity, which operates similar to the private sector, is a useful system for experienced cybersecurity programs such as Dallas City but could possibly be an ineffective model for smaller municipalities.
Since the information gathered in the semi-structured interview was with the CIO of Dallas City, future research should examine small to medium-sized governments as they face different challenges from larger municipalities. While cybersecurity programs require a holistic approach and strategy, the challenge for Texas will be to adopt the private sector mentality for cybersecurity to be proactive, not reactive, and to provide resources to support cyber initiatives.
References
Bailey, E. (2024, July 22). Dallas ransomware attack exposed info for 200,000 people. GovTech. https://www.govtech.com/security/dallas-ransomware-attack-exposed-info-for-200-000-people
Crane, C. (2020, November 20). 42 cyber attack statistics by year: A look at the last decade. InfoSec Insights. https://sectigostore.com/blog/42-cyber-attack-statistics-by-year-a-look-at-the-last-decade/
“Cybersecurity and Infrastructure Security Agency CISA”. State, local, tribal, and Territorial Government Coordinating Council: CISA. (n.d.). https://www.cisa.gov/resources-tools/groups/state-local-tribal-and-territorial-government-coordinating-council
“Cybersecurity: Statewide Overview”. (2018). https://comptroller.texas.gov/economy/economic-data/cybersecurity/texas.php
Gardner, Brian. Personal Interview, 07, Nov. 2024.
Greig, J. (2024, August 10). Local gov’ts in Texas, Florida hit with Ransomware as cyber leaders question best path forward. Cyber Security News | The Record. https://therecord.media/texas-florida-local-governments-ransomware-neuberger-nakasone-white-house
Grubbs, S. (2022, January). Cybersecurity and Texas. Texas Leaders Build Defenses to Outstrip Surge in Cyberattacks https://comptroller.texas.gov/economy/fiscal-notes/archive/2022/jan/cybersecurity.php
Kaur, J., & Ramkumar, K. R. (2021, February 9). The recent trends in Cyber Security: A Review. Journal of King Saud University – Computer and Information Sciences. https://www.sciencedirect.com/science/article/pii/S1319157821000203
Key Data Privacy and Cybersecurity Laws. (2023) Key Data Privacy and cybersecurity laws: United States: Global Data Privacy and cybersecurity handbook: Baker McKenzie Resource Hub. https://resourcehub.bakermckenzie.com/en/resources/global-data-privacy-and-cybersecurity-handbook/north-america/united-states/topics/key-data-privacy-and-cybersecurity-laws#:~:text=How%20are%20data%20privacy%20and%20cybersecurity%20laws%2Fregulations%20implemented%3F,-Last%20review%20date&text=%E2%98%92%20omnibus%20%E2%80%93%20all%20personal%20data,Texas%2C%20Utah%2C%20and%20Virginia
Havich, Michelle. (2023a). A billion dollars for local government cybersecurity—Will they ever see it? American City & County Exclusive Insight, N.PAG.
Havich, Michelle. (2023b). Shifting the cybersecurity burden for state and local governments. American City & County Exclusive Insight, N.PAG.
Hossain, S. T., Yigitcanlar, T., Nguyen, K., & Xu, Y. (2024, June 25). Local government cybersecurity landscape: A systematic review and Conceptual Framework. MDPI. https://www.mdpi.com/2076-3417/14/13/5501
Hossain, S. T., Yigitcanlar, T., Nguyen, K., & Xu, Y. (2024). Understanding Local Government Cybersecurity Policy: A Concept Map and Framework. Information (2078-2489), 15(6), 342. https://doi-org.lscsproxy2.lonestar.edu/10.3390/info15060342
Lynch, K. (2024, June 7). Which Cybercrimes generated the largest financial losses in 2023?. Which Cybercrimes Generated the Largest Financial Losses in 2023? https://core.verisk.com/Insights/Emerging-Issues/Articles/2024/June/Week-2/2023-Cybercrime-Losses
Nodeland, B. (2023) Ensuring the Cybersecurity of Texas’ Critical Infrastructures. (Report No. IHS/CR-2023-1023). The Sam Houston State University Institute for Homeland Security. https://doi.org/10.17605/OSF.IO/4ZVRU
Norris, D., Joshi, A., & Finin, T. (2015, June). Cybersecurity challenges to American state and local governments. In 15th European Conference on eGovernment (pp. 196-202). Academic Conferences and Publishing Int. Ltd.
“Notice of cybersecurity incident”. Dallas County. (2023). https://www.dallascounty.org/about-us/hot-links/notice-cybersecurity-incident.php
Petrosyan, Ani. (2024, July 18). U.S. states with the highest cybercrime losses 2023. Statista. https://www.statista.com/statistics/234993/us-states-with-the-largest-losses-through-cybercrime/#:~:text=Financial%20losses%20in%20cybercrime%20in%20the%20U.S.%202023%2C%20by%20state&text=In%202022%2C%20California%20ranked%20first,with%20874%20million%20U.S.%20dollars.
Sulaiman, N. S., Fauzi, M. A., Hussain, S., & Wider, W. (2022). Cybersecurity Behavior among Government Employees: The Role of Protection Motivation Theory and Responsibility in Mitigating Cyberattacks. Information (2078-2489), 13(9), N.PAG. https://doi-org.lscsproxy2.lonestar.edu/10.3390/info13090413
“Texas Cybersecurity Framework. Department of Information Resources”. (n.d.-a). https://dir.texas.gov/information-security/security-policy-and-planning/texas-cybersecurity-framework#:~:text=Maturity%20Model,active%20optimization%20of%20the%20processes
“Texas Department of Information Resources”. (2024). State of Texas Cybersecurity Strategic Plan 2024–2028. State of Texas Cybersecurity Strategic Plan. https://dir.texas.gov/sites/default/files/2024-05/State%20of%20Texas%20Cybersecurity%20Strategic%20Plan%202024%E2%80%932029.pdf
Venter, W. (2023). CYBERSECURITY: The rising cyber threat to the Texas power infrastructure – Are we prepared? Texas Water Utilities Journal, 33(8), 28–29.
Zhu-Butler, H. (2022). Establishing a Cause of Action for Cybersecurity Breaches against Government Agencies in Louisiana. Loyola Law Review, 68(2), 415–441.
