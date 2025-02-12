Cyber security priorities for state and local government

A cyber resilience plan for 2025

Promoted by the Cybersecurity and Infrastructure Security Agency (CISA) each November, Critical Infrastructure Security and Resilience Month highlights a crucial reality: State and local agencies, as critical infrastructure providers, must continuously prepare and invest for future disruptions.

While that month focuses on cyber security resilience, it's important to recognize the broader scope. Organizations must remain ready for various incidents that can impact business operations, customer interactions, and community well-being. Recent years have shown how both physical and virtual worlds can be affected by:

Natural disasters such as Hurricane Helene, which devastate socially vulnerable areas that face a harder time recovering

Accidents such as the cargo ship that collapsed Maryland’s Key Bridge, disrupting traffic and operations at the port of Baltimore

Deliberate attacks such as the Baltic Sea cable cuts that have the potential to affect global Internet traffic flows

Supply chain attacks such as the Salt Typhoon espionage operation that infiltrated many of our nation’s top telecom providers to spy on sensitive government conversations

In the hyperconnected world we live in, events like these reach well beyond the local area and create unexpected circumstances.

Our digital world can provide resilience for some events. For example, we can support a distributed workforce in the event of a natural disaster. Of course, this same digital world can also have a negative impact on people beyond the local community and even around the world — as we have seen with outages caused by malware like Log4j or recent ransomware attacks.

Because the Internet has become a key source for connectiveness, it must be protected if we are to deliver consistent services, including during crises. “Resolve to be Resilient” is a rallying cry for preparedness as it is often state and local agencies on the frontlines of response and recovery.

The Internet's role in digital government services

For the last five years, digital government has been a top priority for most CIOs. The promise of a digital government has delivered more transparency and access to government services than ever before.



Customer experiences have greatly benefited from this evolution to digital government. A simple, real-world validation is a transaction with your local department of motor vehicles (DMV) (like driver’s license renewal). You will see that most of the services are digital and online, and you rarely actually need to visit the DMV let alone wait in long lines (that are nonexistent due to offloading to online activities).

The Internet is one of the main components of digitization. It is critical infrastructure for most government agencies as it is the primary interface to the public, and with the proliferation of software as a service (SaaS) and the hybrid workforce, it is the vehicle for internal operations and collaboration as well. Dependence on the Internet creates new requirements for IT departments — and at times can cause negative consequences if the IT environment is not properly designed.

Imagine your agency loses Internet access due to a distributed-denial-of-service (DDoS) attack. Your employees or contractors could lose connectivity to their work tools, and residents could lose the ability to access online services. As more citizen services are delivered via the web, the impact of an outage is felt broadly.

But as a state or local government leader, how do you protect your assets on the Internet? How do you optimize customer experiences and secure users’ identities and data?

You have more control than you might realize. And it’s imperative to shore up your Internet services as part of your cyber resilience plan for 2025. There are specific focus areas that can put any agency on the right path to resilience: review the DNS infrastructure, secure web application and API services, and review modernized network services.

Modernize your DNS infrastructure

Domain name system (DNS) services are a critical yet often overlooked component of cyber security and operational infrastructure for state and local government. These services, which translate human-readable website addresses into IP addresses, play a vital role in maintaining the security, reliability, and accessibility of government digital services.

Modern DNS services provide essential security features that help protect against various cyber threats, including DNS poisoning, domain hijacking, and data exfiltration attempts. Importantly, DNS is often the first line of defense against cyber threats, and modern DNS services can detect and block malicious traffic before it actually reaches government networks.

Beyond security, DNS services enable state and local government agencies to:

Maintain high availability of critical online services

Implement geographic load balancing for better service delivery

Monitor and analyze network traffic patterns

Resolve to be resilient by modernizing your DNS and getting the most out of your DNS provider. Here’s how:

Adopt the .gov top-level domain (TLD). Resilience and trust go hand in hand, and using a .gov domain increases trust. Some states are already taking action; for example, California’s Assembly Bill 1637 (AB 1637) requires a full transition by Jan. 1, 2029. Use protective DNS. Protective DNS is any security service that analyzes DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture. Protective DNS prevents access to malware, ransomware, phishing attacks, viruses, malicious sites, and spyware at the source, making the network inherently more secure. Defend your DNS infrastructure. We recommend that organizations take steps to secure their DNS infrastructures such as reviewing audit logs regularly and adding multi-factor authentication (MFA). Also, agencies should ensure their providers implement DNS security extensions and move toward encrypted DNS protocols to better protect government communications.

Maintain your customer presence

Government agencies are increasingly finding themselves on the frontlines of a new cyber security battleground: the protection of web applications and APIs (application programming interfaces). As web applications and APIs are now the primary way residents interact with government services, from tax filing to benefits management, these digital interfaces handle millions of sensitive transactions daily. Their security is paramount to maintaining public trust.



Meanwhile, web application and API attacks are at record highs. In 2022, over 400 million web application and API attacks were recorded daily.

Traditional perimeter security isn't enough anymore. To strengthen cyber security for state and local government, we need comprehensive application and API security measures that can protect against modern threats, such as:

Sophisticated bot attacks targeting government services

API-specific vulnerabilities that can expose sensitive data

Supply chain attacks through third-party integrations

Zero-day exploits targeting application frameworks

Gartner defines cloud web application and API protection (WAAP) as a category of security solutions designed to protect web applications irrespective of their hosted locations. Typically, these services are offered as a series of security modules that provide protection from a broad range of runtime attacks on web-based applications.

Resolve to be resilient by ensuring that your customer applications are protected by leveraging WAAP tools with the following steps:

Leverage a content delivery network (CDN) to protect against DDoS attacks and add resilience with load balancing Implement web application firewall (WAF) services to filter and monitor HTTP traffic and protect against malicious bots and web crawlers Use strong authentication and authorization controls for applications and APIs Secure, monitor, and manage API traffic with an API gateway Perform continuous security testing and vulnerability assessments Assess your providers real-time threat detection and response capabilities

Ensure business continuity by modernizing network services

On the National Association of State Chief Information Officers' Top 10 list, legacy modernization is a constant. There are many reasons why the need for modernization continues to appear. For example, organizations continue to use outdated and out-of-service infrastructure components, and IT departments are often unable to keep pace with the incredible architectural changes that have happened in IT over the last decade. Those changes were caused by the move to SaaS applications, the displacement of data centers by the cloud, and the proliferation of hybrid workers. All of those factors helped invert the typical data / traffic workflow of an 80 / 20 internal company / external company to a 20 / 80 paradigm. With that major shift, the hub-and-spoke router networks of the past must be replaced or upgraded to support this transformation.

Most agencies and private companies are on the same journey to modernize their network infrastructure. As most IT assets and users are now on the Internet instead of a corporate network, augmenting or replacing traditional MPLS networks with the Internet as a WAN makes sense from a performance and cost perspective. Adopting cloud-based services to accelerate, optimize, and protect these infrastructure components makes sense from a security and use perspective. This modern approach provides scalable bandwidth, optimized for modern application delivery, with resilience built in, all while reducing complexity and costs.

Today’s network resilience can be delivered as a service, similar to how data centers and applications have been delivered as a service (IaaS and SaaS) for years now. An agency can implement WAN as a service, firewall as a service, DDoS protection, and a SASE framework. It is possible and often recommended to use the Internet for an agency’s backbone, or at least a component of the backbone.

The benefits include built-in resilience and scalability. A cut cable, data center outage, or even a massive DDoS attack will not impact uptime or performance. Agencies can protect, connect, and accelerate their networks without the cost and complexity of running or maintaining any hardware.

Steps to strengthen digital infrastructure

As government agencies continue to expand their digital services, they must transform their IT architecture and cyber security strategy to address the modern world. This transformation should include protecting citizen-facing online services delivered by web applications and APIs. A secure, consistent online presence remains critical to maintaining public trust and protecting sensitive information. With cyber threats evolving daily, robust security measures are not just a technical requirement but a fundamental obligation to public service.

