Tag: ai

Budgeting & Resources Leadership & Governance

You Paid For The Lock — Now USE IT!

Post author By Eudora Fleischman
Post date March 19, 2026
No Comments on You Paid For The Lock — Now USE IT!

The Gap Between Owning & Fully “Implemented” Cyber Tooling You Already Own

You fought for the budget. You built the business case, presented the risk landscape to leadership, justified every line item, and won cybersecurity funding. New tools were purchased — Identity and Access Management, advanced EDR/XDR, SIEM and more. Boxes checked. Audit requirements are satisfied. A genuine win.

But here is the uncomfortable question nobody asks in the post-purchase debrief: did you actually fully implement them?

Not install. Not license. Implement — fully configured, integrated into your architecture, with every feature activated, monitored and tested. Because there is a dangerous gap between owning a security tool and deriving security from it. And that gap is exactly where attackers live.

Only 14%

of organizations are confident they have the people and skills required to meet their cybersecurity needs today — WEF Global Cybersecurity Outlook 2025

The Stryker Wake-Up Call

On March 11, 2026, medical technology giant Stryker suffered a devastating cyberattack that wiped data from thousands of employee and personal devices across 79 offices worldwide. The attackers — an Iran-linked group — did not deploy malware. They did not exploit a zero-day vulnerability. They simply obtained high-privilege administrative credentials and weaponized Microsoft Intune’s Remote Wipe feature, a legitimate IT management tool built for lost or stolen device recovery, to factory-reset tens of thousands of enrolled devices simultaneously.

The lesson is not that Intune is dangerous. The lesson is that privileged access was not properly governed, identity boundaries between on-premises and cloud environments were not enforced, and monitoring either did not exist or did not trigger fast enough. All of these are configuration failures in tools organizations already owned.

The attackers did not break in through a sophisticated exploit. They walked through a door left open by an incomplete implementation.

The Preparedness Gap Is Real — and Growing

The Stryker attack is not an anomaly. It is a symptom of an industry-wide crisis that the World Economic Forum’s (WEF) Global Cybersecurity Outlook 2025 has quantified and it is sobering.

72%

of organizations report that cyber risks increased in the past year — WEF Global Cybersecurity Outlook 2025

2 in 3

organizations report moderate-to-critical cybersecurity skills gaps, lacking the talent needed to meet their security requirements — WEF Global Cybersecurity Outlook 2025

54%

of large organizations cite third-party and supply chain risk management as their biggest barrier to achieving cyber resilience — WEF Global Cybersecurity Outlook 2025

35%

of small organizations believe their cyber resilience is inadequate — a proportion that has increased sevenfold since 2022 — WEF Global Cybersecurity Outlook 2025

These numbers describe an industry buying security and not implementing it. Organizations are acquiring the tools, but the talent, architecture, and operational discipline needed to extract full value from those investments is not keeping pace. The result is a fleet of half-deployed, partially configured tools that create a false sense of security while leaving real gaps wide open.

The Agentic AI Threat Multiplier

Attackers are not waiting for organizations to catch up. Generative AI is reshaping the cybercrime landscape at an accelerating pace and the gap between offense and defense is widening.

47%

of organizations cite the advance of adversarial AI capabilities — including AI-enhanced phishing, malware development and deepfakes — as their primary GenAI cybersecurity concern — WEF 2025

66%

of organizations believe AI will have the most significant impact on cybersecurity in the next 12 months, yet only 37% have processes in place to assess the security of AI tools before deployment — WEF 2025

In an Agentic AI attack scenario where AI autonomously chains together reconnaissance, credential harvesting, lateral movement and execution — a monolithic, single-vendor security stack is a structural liability. If the attacker understands your provider’s architecture better than you do, and your tools are not fully configured, they will find the path of least resistance.

This is not hypothetical. It is the architecture of the Stryker attack, translated into the AI era.

Do You Have the Talent to Use What You Bought?

Before the next purchase order is signed, every security leader, technical and executive alike, should answer these questions honestly:

Do we have in-house expertise to fully configure and operationalize the features in our existing tools?
Was our tool selection driven by a holistic architecture strategy, or were tools purchased reactively to satisfy an audit requirement?
Are all features within our EDR/XDR, IAM, and SIEM platforms fully activated, integrated, and effectively monitored?
Do we have unified, normalized logging across every layer of our technology stack feeding a well-configured and monitored dashboard?
Is every vendor connection to our environment governed by Zero Trust principles — remote browser isolation, VPN-less access, and Just-In-Time privileged access with approval notification chains configured?

If the honest answer to any of these is ‘no’ or ‘I’m not sure,’ you are not alone — but you are exposed.

A Layered, Heterogeneous Defense: The Architecture That Holds

A monolithic, single-vendor solution may be cost-effective and operationally convenient. But in an Agentic AI threat environment, it is a single point of architectural failure. A breach that understands one vendor’s toolset can traverse your entire environment.

A heterogeneous, layered defense, built intentionally, implemented fully, and integrated across every layer of your stack is a fundamentally different proposition for an attacker. When one protective layer is compromised, the next one holds. The following architecture has proven itself in real-world attack scenarios:

External Perimeter

SASE and next-generation firewall with full north-south traffic decryption and inspection and integrated real time defense
Advanced API gateways for all internet-facing applications with bot detection and agentic AI defense capabilities
All vendor and third-party remote access governed exclusively through remote browser isolation and VPN-less Zero Trust Network Access (ZTNA)

Internal Network

Switch-to-switch encryption across internal network segments
Micro-segmentation with east-west firewall inspection, full traffic decryption, and XDR/API integration with network admission control policies
Patch panel and port-level monitoring via MAC device admission control with logging and firewall integration feeding XDR

Endpoint

EDR/XDR deployed with all features fully activated
Consider stacking heterogeneous endpoint agents from different vendors — if one provider’s agent is compromised or bypassed, a second independent layer remains active

Identity and Privileged Access

Isolate privileged identities: on-premises admins must not carry high-privilege roles in Microsoft 365 or Entra ID — a critical lesson from the Stryker attack
Deploy Entra Private Access for Domain Controllers, extending Conditional Access and MFA requirements to sensitive Active Directory operations including LDAP and Kerberos
Implement Just-In-Time (JIT) access with approval workflows for all privileged identity management (PIM) accounts
Replace manual service account passwords with Active Directory Group Managed Service Accounts (gMSAs)
Rotate the KRBTGT password at minimum twice per year; in a breach scenario, rotate immediately — do not wait
Restrict all Domain Controller network access; ensure DCs cannot directly reach the internet
Audit and enforce strict anomaly monitoring across all security logs

Cloud Security

Conduct cloud security posture reviews frequently — cloud providers release new security features continuously; newly available controls should be assessed and implemented as a priority, not deferred
Consider disabling Password Hash Sync to keep credential validation on-premises through pass-through authentication or federation
All Saas tenant entry points should be isolated to just your agency IP block, with access for remote users only via browser based isolation and ZTNA solutions and fronted by advanced application gateways or proxies

A layered, heterogeneous defense does not require unlimited budget. It requires deliberate architecture and full implementation of the tools you already own.

How to Close the Configuration Gap Without Starting Over

1. Request a Free Implementation Assessment From Your Vendors

Most enterprise security vendors will conduct a complimentary implementation health check if asked directly. They will identify misconfigured features, unused capabilities, and integration gaps. Many will also provide staff education sessions at no additional cost. This is one of the highest-ROI actions available to any security team and it costs nothing but time.

2. Consider an MSP With Cybersecurity Depth

If in-house talent is the constraint — and the WEF data confirms it is for the majority of organizations — a Managed Security Service Provider (MSSP) with genuine cybersecurity staff, 24/7 monitoring capabilities, and a contractual cyber retainer for incident response is not a cost; it is a force multiplier. The right MSSP partner helps you operationalize the tools you already own and ensures that someone is watching when your team cannot be.

3. Build a Unified Visibility Layer

Every device, every endpoint, every cloud workload, every network segment should feed normalized logs into a centralized, well-configured SIEM or XDR dashboard. Visibility gaps are where attackers operate undetected. Unified logging is not glamorous, but it is foundational.

4. Prioritize Identity Above All Else

The Stryker attack was an identity attack. The WEF report confirms that identity theft has become the top personal cyber risk for both CISOs and CEOs in 2025. If you can only harden one area this quarter, harden identity: implement JIT access, enforce MFA everywhere without exception, isolate privileged accounts, and audit every administrative role in both your on-premises and cloud environments.

5. Review Attack Anatomy Regularly

An easy way to have a leg up on all attacks is to regularly review the anatomy of attacks. This is a free and easy way to identify gaps within your architecture and alerting. You can implement additional custom alerts from the indicators of compromise you review in attack anatomy, address configuration updates and hardening, and review with your team or your Managed Service Provider. Attack review should be part of your day-to-day operations. You cannot protect against what you do not understand. Also, you cannot harden architecture if you have not operationalized architecture review.

The Bottom Line

The cybersecurity industry has a spending problem masquerading as a security problem. Organizations are acquiring tools at scale while the skills gap required to effectively implement them grows faster than the workforce can fill it. The result is a fleet of expensive, partially deployed technology that creates compliance confidence without creating actual resilience.

The WEF Global Cybersecurity Outlook 2025 reports that 49% of public-sector organizations lack the talent to meet their cybersecurity goals — an increase of 33% in a single year. The private sector is not immune.

The answer is not more tools. It is full implementation of the tools you already own, a deliberate layered heterogeneous architecture designed to survive a breach of any single component, and the operational talent — whether in-house or through a trusted partner — to run it.

You paid for the lock.

Now use it.

About the Author

Eudora Fleischman | Infrastructure Architect & Retired CISO Eudora Fleischman is the Infrastructure Architect and Retired with over 31 years of experience in infrastructure architecture, cybersecurity, governance risk, and disaster recovery management and serves as an Advising Member of the Local Government Cybersecurity Alliance.

Sources

World Economic Forum — Global Cybersecurity Outlook 2025 (January 2025, in collaboration with Accenture)

Stryker SEC Filing & Incident Reports, March 2026

Tags ai, budgeting, cyber-security, cybersecurity, governance, local-government, security, technology

Leadership & Governance Planning & Policy

Seven Phases of AI Governance for Local Government

Post author By Eudora Fleischman
Post date March 6, 2026
No Comments on Seven Phases of AI Governance for Local Government

A Practical Framework for Agencies Beginning Their AI Journey

Government Technology | AI Governance | Public Sector

AI is already inside your agency. Vendors are embedding it into the software you use every day — permitting systems, HR platforms, records management tools, and public safety software. In most cases, no one asked. It arrived as a feature update, buried in a release note, with no governance framework in place to receive it.

At the same time, regulations are moving fast. California’s Civil Rights Council implemented binding AI employment regulations in October 2025. Dozens of additional state and local AI laws are in various stages of development. The agencies that will navigate this landscape successfully are not the ones that adopt AI fastest — they are the ones that build the right governance foundations first.

What follows is a condensed version of a practical, phased governance framework developed from real public-sector cybersecurity and advisory experience. It is designed for the city manager, IT director, HR leader, or department head who needs a clear, easy to understand, actionable path — not an academic exercise.

The Core Principle: Governance Before Tools

The most common mistake organizations make is adopting AI tools before establishing the governance infrastructure to use them responsibly. Policies written after deployment are reactive. Data classified after AI ingestion is too late. Vendor contracts negotiated without AI governance language leave agencies legally exposed.

This framework is sequenced deliberately. Each phase builds on the one before it. The goal is not to slow down AI adoption — it is to make adoption sustainable, defensible, and aligned with the communities these agencies serve.

Phase 1: Establish Governance Authority First

Before any technical work begins, designate who is responsible for AI governance in your organization. This may be a named AI Governance Officer, an AI Steering Committee, or a hybrid model. The specific structure matters less than the fact that accountability exists. Without it, governance activities have no center of gravity, decisions stall, and there is no clear point of contact when regulators come asking. Establish a recurring executive reporting cadence from day one — even if early reports are brief. AI governance without executive visibility and informing elected officials is governance in name only.

Phase 2: Data Governance and Classification Must Come First

AI cannot operate safely or compliantly without governed, classified data. Before activating any AI feature, conduct a thorough assessment of where your data lives, how it flows, who owns it, what regulatory requirements apply to it, and which data might be inadvertently exposed to AI systems. Define sensitivity labels — public, internal, confidential, restricted — and educate every employee on how to handle data accordingly. This is the foundation. Everything else depends on it.

Phase 3: Start with Problems, Not Tools

Conduct structured interviews with department leaders to identify real operational challenges that AI might address. For each candidate use case, assess feasibility, operational impact, risks, staffing implications, and full cost — including ongoing expenses for in-house staff or MSP consulting support. Compile the results into an AI Use Case Roadmap, have leadership formally prioritize it, and use it to drive every subsequent resource and tooling decision. Agencies that skip this step end up with duplicate tools, misaligned spending, and AI deployments that solve problems no one had, and, in the end, without a goal. Funding and resources become wasted efforts.

Phase 4: Build Policy and Vendor Governance Around Your Use Cases

Only after your data governance is established and your use cases are defined should you develop formal AI governance policies. Policies written in the abstract tend to be ignored. Policies built around real, approved use cases get used. Alongside internal policy, embed AI governance requirements language directly into vendor contracts — including mandatory disclosure of sub-processors and data residency/sovereignty, notification obligations if their AI systems are attacked or compromised, resiliency, recovery and liability terms for discriminatory or harmful AI outputs. Agencies that assume vendor contracts handle these issues are almost always wrong.

Phase 5: Organizational Change Management Is Not Optional

The most technically sound AI governance framework will fail if employees do not understand it, trust it, or know what it requires of them. Develop a layered internal communications strategy tailored to different audiences — frontline staff, supervisors, and executives each need different messages. Pair it with role-appropriate training that covers data handling requirements, how to recognize and report unexpected AI behavior, and what the governance policies actually require in practice. Change management is not soft. In local government, it is often the difference between a governance program that lives on paper and one that actually changes behavior.

Phase 6: Regulatory Compliance Requires a Monitoring Function, Not a One-Time Review

A single legal review at the time of AI deployment is not sufficient. California’s AI regulatory landscape alone — covering employment discrimination, automated decision systems, data privacy, and civil rights — is evolving continuously. Assign ongoing responsibility for regulatory monitoring, maintain an internal AI regulatory tracker, conduct periodic reviews with qualified legal counsel, and build civil rights and algorithmic fairness impact assessments into your use case evaluation process. The cost of falling behind is not theoretical: it includes legal exposure, audit findings, loss of public trust, and — in systems that affect critical services — real harm to real people.

Phase 7: Build AI-Specific Incident Response Before You Need It

Traditional cybersecurity incident response plans were not designed for AI-specific failure modes: model poisoning, data corruption through adversarial inputs, rogue agentic AI behavior, or model collapse. Develop AI-specific runbooks that define what normal AI behavior looks like, how anomalies are detected, what triggers a shutdown or rollback of AI agent access and actions, and what the communication obligations are internally and externally. Complement this with red-team and blue-team exercises and annual tabletop simulations that involve IT, legal, HR, and leadership together. The organizations that respond well to AI incidents are the ones that have rehearsed them.

This Is a Governance Model, Not a Checklist

What distinguishes this framework from a deployment checklist is its cyclical nature. Each phase requires a scheduled review cadence, named accountability, and ongoing adaptation. Monthly executive reporting, quarterly roadmap reviews, annual red team exercises, and full governance audits — these are not nice-to-haves. They are what separates a governance program that holds up under regulatory scrutiny from one that looks good on paper until something goes wrong.

Local government agencies are under real pressure to demonstrate responsible AI stewardship to their constituents, their oversight bodies, and their regulators. The agencies that build this foundation now — before the pressure becomes a crisis — will be far better positioned to capture the genuine operational benefits that AI can deliver, while protecting the public trust that makes those agencies effective in the first place.

Responsible AI adoption is not primarily a technology challenge. It is a governance, accountability, and culture challenge. Technology is the easy part.

About the Author Eudora Fleischman – Managing Director of Artemis Technology Advisors and Retired Infrastructure and Cybersecurity Manager & CISO. Eudora is a government cybersecurity and AI governance advisor with 31 years of technical and leadership experience and 21 of those years working with public-sector organizations on cybersecurity GRC, data security, regulatory compliance, organizational resilience, disaster recovery and responsible technology adoption.

Tags cybersecurity, technology, cyber-security, ai, governance, local-government, artificial-intelligence, public sector

Budgeting & Resources Key Questions for Boards Leadership & Governance Planning & Policy

A Cyber Insurance Briefing for Elected Leaders

Post author By Elisabeth Dubois
Post date October 30, 2025
No Comments on A Cyber Insurance Briefing for Elected Leaders

In today’s digital landscape, a local government’s data—from citizen records and utility operations to internal communications—is a prime target for cybercriminals. A single ransomware attack or data breach can cripple services, drain resources, and erode public trust.

While strong cybersecurity measures are your first line of defense, Cyber Insurance acts as a crucial safety net, helping your municipality manage the massive financial fallout of a successful attack.

If your village, town, city, county, or public utility is considering or renewing a policy, here is a look at what local governments can expect, the vital differences between what is typically covered versus what isn’t, and the critical questions you must ask your municipality and your broker.

The Six Critical Questions Elected Leaders Must Answer

As an elected leader, your top priority is the continuity of public service and the protection of taxpayer funds. Cyber risk is no longer an “IT problem”—it is a governance and financial crisis waiting to happen. Before you sign a policy, your governing body must confront these fundamental questions about your municipality’s readiness and resilience.

Focus Area	The Core Question for the Governing Body	The Bottom Line for Taxpayers
Operational Impact	If our critical digital systems (email, payroll, utility controls) were locked down by an attack tomorrow, what essential public service would fail immediately?	We must know which services—from 911 dispatch to water quality monitoring—are immediately jeopardized. If the lights go out, your response must be immediate.
Downtime Tolerance	How many hours can our municipality sustain a complete disruption of public records and digital services before the damage to the community becomes irreversible?	Every hour of downtime multiplies the cost, halts services, and directly erodes public trust. This defines your operational breaking point.
Financial Cost	What is the documented, unbudgeted cost our municipality would face for recovery, separate from any ransom demand?	The true expense is in forensic investigation, legal fees, and system restoration. You need a transparent figure on the financial exposure, which often runs into the millions.
Budget Resilience	Do we have an explicitly dedicated and sufficient reserve fund that can absorb an unbudgeted recovery cost of at least $250,000?	Most local governments do not. This question forces a review of whether a cyber event would force painful cuts to essential public programs.
Risk Strategy	*Are we relying only* on our technology defenses, or have we established a financial safety net for when those defenses inevitably fail?**	Technology is a tool, but cyber insurance is the risk transfer mechanism. It is a layer of resilience for a modern public entity.
Governance & Accountability	Who is the executive-level owner of cyber risk in this municipality, and is a tested incident response plan in place?	Cyber risk is a leadership issue. Insurance helps ensure that the highest levels of governance have a clear, tested plan to guide the community through the chaos of a breach.

What is Typically INCLUDED in a Policy?

Cyber policies generally cover three distinct areas:

Coverage Area	What is Covered?	Examples
First-Party (Breach Response)	Who pays the costs for us to recover from the attack?	Fees for forensic investigators, legal counsel, system restoration, and paying cyber extortion (ransom) demands (subject to limits).
Third-Party (Liability to Others)	Who pays if we get sued or fined for exposing citizen data?	Defense costs, settlements, damages from citizen lawsuits, regulatory fines, and costs for notifying all affected individuals.
E-Crime & Financial Loss	Who pays if a criminal tricks an employee into sending public funds to a fraudulent account?	Financial loss from Computer Fraud, Funds Transfer Fraud (e.g., fraudulent vendor invoices), and Social Engineering Fraud.

What is EXCLUDED?

Exclusions can be policy-specific, but there are several common areas where cyber insurance will not provide coverage:

Failure to Maintain Minimum Security: Claims can be denied if the breach is traced to your municipality failing to implement a required security measure, such as an unpatched server or not enforcing Multi-Factor Authentication (MFA).
Property Damage or Bodily Injury: Physical damage caused by a cyber event (e.g., a hack on a utility system causing a physical failure) may be covered by a General Liability or Property policy, not the cyber policy, unless specifically added.
Acts of War or Terrorism: Losses stemming from hostilities or state-sponsored cyber-attacks are often explicitly excluded.
Cost of Hardware/Software Upgrades: The policy will pay to restore systems, but generally not for the cost of upgrading to newer technology.
Known Vulnerabilities: If a claim arises from a vulnerability your municipality was aware of before the policy inception date, coverage may be denied.

Where Are the Hidden Traps?

The real risk often lies in the fine print. You need to look beyond the general coverage summary and scrutinize the endorsements and warranties within the policy. These items can act as “trap doors” that allow insurers to legally deny a claim.

1. The “Failure to Maintain Security” Clause

This is the most common and dangerous reason for denial today. Many policies contain a clause that makes coverage conditional upon maintaining specific security controls, most notably Multi-Factor Authentication (MFA).

The Warranty Trap: If your municipality warrants (guarantees) in the application that 100% of privileged users or remote access points use MFA, and an attack happens through an account that didn’t have it, the insurer may reject the entire claim based on a breach of warranty.
The No-MFA Endorsement: A particularly insidious version of this is the MFA Exclusion Endorsement. This endorsement is added to a policy to state that the insurer will not pay any claim that arises from or is attributed to the lack of MFA on specific systems (e.g., all email, remote access, or privileged accounts).
- What does the No-MFA Endorsement mean for our paid policy? It means you could pay your full premium for a $1 million policy, but if the claim is traced back to a compromised employee email account that lacked MFA, the insurer can legally reject the entire claim. You have the policy, but no coverage for your greatest risk.

Action: Ensure your policy defines required security controls clearly and realistically. If an MFA endorsement is present, treat it as a policy killer unless you are 100% certain every covered access point complies.

2. The Retroactive Date

All policies have a date—the Retroactive Date—before which the insurer will not cover any incident, even if the loss is discovered during the policy period. If a hacker has been in your system for six months and you purchase a policy today, you may not be covered for the full extent of the intrusion. This prevents coverage for “silent data breaches.”

3. The Exclusion for Software/Hardware “Betterment”

After an attack, forensic experts often recommend system upgrades (e.g., replacing an old server or moving to cloud services). Insurers will only pay for the cost of restoring the old system, not the cost of making it “better” or new. Your municipality must be prepared to budget for these betterment costs, which can be substantial and unexpected.

The Six Critical Questions to Ask Your Broker

Cyber insurance should be a true safety net, not a piece of paper. Use these questions to determine if your policy provides the coverage, expertise, and support your community needs.

1. What does the policy cover? What specific security controls are mandatory, and what happens if we fail to maintain them?

Demand a clear list of mandatory controls (like MFA for all remote access). Clarify if non-compliance with a warranty will void the entire policy or only exclude payment for claims related to that specific missing control.

2. What is the annual premium and deductible, and how does this fit our budget risk?

Understand the financial spread: Premiums for municipalities often range from $600 to over $100,000 annually, with deductibles from $1,000 to $100,000. Ensure these costs are sustainable and that the deductible is affordable in a crisis.

3. Does the insurer have demonstrated experience specifically with the public sector?

Government entities have unique challenges: tight budgets, complex regulatory compliance (like state breach laws), and critical services. An experienced insurer will offer tailored coverage that respects these public sector obligations.

**4. What loss prevention and risk mitigation services are provided in addition to the coverage?**

Look for high-value extras included in the policy: access to incident response hotlines, employee training platforms, vulnerability scans, and tabletop exercises. These proactive services reduce risk and can help lower future premiums.

5. If we report a breach, what is the guaranteed response time, and who is our dedicated contact?

Day to day or in a crisis, you need human support, not an automated line. Ask for a commitment to a response within hours, not days. Confirm you will have access to a cyber specialist or dedicated claims manager or 24/7 breach response team.

6. What is the likely impact of making a claim on our future premiums and coverage availability?

Ask for candor: Will premiums spike after a claim, or will the insurer consider non-renewal? Understanding the long-term relationship ensures you are not penalized for using the safety net you paid for.

Tags ai, cyber insurance, cyber-security, cybersecurity, governance, local-government, security, technology

Actionable Steps Budgeting & Resources Cybersecurity Basics Leadership & Governance Planning & Policy Press Release Tools & Guidance

Announcing the Local Government Officials Guide to Cybersecurity

Post author By Elisabeth Dubois
Post date October 21, 2025
No Comments on Announcing the Local Government Officials Guide to Cybersecurity

We are thrilled to announce the official publication of a critical new resource: the Local Government Officials Guide to Cybersecurity (LGOGC)!

This project was developed by the Local Government Cybersecurity Alliance (LGCA) specifically to empower elected and appointed officials—from supervisors and council members to city managers and agency heads—to effectively navigate the increasingly complex world of cyber risk.

Moving Beyond the Technical Jargon

Cybersecurity is not just an IT department problem; it is an enterprise-wide, whole-of-government issue that impacts finance, legal compliance, emergency services, and public trust.

The LGOGC cuts through technical jargon to focus on what matters most to community leaders: governance, accountability, and resilience. This guide was truly built by and for local government professionals, ensuring every concept is practical and immediately relevant to your fiduciary duty to protect the systems that serve your communities.

LGOGC Cybersecurity Guide (October 2025)Download

What the Guide Will Help You Achieve

The LGOGC provides a clear, actionable framework to help local leaders translate responsibility into practical action. Inside, you’ll find guidance to:

Integrate cybersecurity into your strategic and budget planning.
Strengthen oversight and reporting mechanisms.
Align your efforts with nationally recognized frameworks, such as NIST CSF 2.0.
Build a culture of cyber resilience that spans all departments and elected offices.

Download and Share Your Feedback

We believe that making cybersecurity governance as natural and necessary as financial oversight is achievable in every county, city, town, village, and district. This guide is a huge step toward that goal.

Download the Local Government Officials Guide to Cybersecurity (LGOGC) now.

We invite your feedback! Tell us how your jurisdiction is addressing these challenges and what resources would be most valuable to you next in our community forum or white paper.

Tags ai, artificial-intelligence, cyber-security, cybersecurity, governance, local-government, security, technology

Leadership & Governance

Governing AI: Ethical Use and Oversight in Local Government

Post author By Elisabeth Dubois
Post date August 27, 2025
No Comments on Governing AI: Ethical Use and Oversight in Local Government

Artificial intelligence (AI) is rapidly transforming how local governments operate—from automating administrative tasks to enhancing public safety and improving service delivery. But as these technologies become more embedded in public systems, so too does the need for thoughtful governance.

AI offers tremendous promise, but it also raises important questions about fairness, accountability, transparency, and privacy. Without clear ethical guidelines and oversight, even well-intentioned AI applications can lead to unintended consequences, such as biased decision-making or erosion of public trust.

Why AI Governance Matters

AI systems often make decisions that affect people’s lives—whether approving permits, prioritizing maintenance, or analyzing public data. Local governments must ensure these systems are used responsibly and align with community values.

Good governance helps:

Prevent misuse or overreach.
Ensure transparency in how decisions are made.
Protect civil liberties and privacy.
Build public confidence in digital services.

Key Elements of an AI Governance Framework

1. Ethical Principles

Start with a clear set of guiding values—such as fairness, accountability, transparency, and respect for individual rights. These principles should inform every stage of AI development and deployment.

2. Oversight and Accountability

Establish internal oversight bodies or designate responsible officials to review AI projects. Oversight should include legal, technical, and community perspectives to ensure balanced decision-making.

3. Risk Assessment

Before deploying AI, assess potential risks—such as bias, data privacy concerns, or unintended consequences. Consider how the system might impact different populations and whether safeguards are in place.

4. Transparency and Explainability

Residents should understand how AI systems work and how decisions are made. Use plain language to explain what data is collected, how it’s used, and what rights individuals have.

5. Public Engagement

Involve the community in discussions about AI use. Public input can help shape policies, identify concerns, and ensure that technology serves the public interest.

6. Training and Capacity Building

Ensure staff and leadership understand AI capabilities and limitations. Provide training on ethical considerations, data stewardship, and responsible procurement.

Tools and Frameworks to Guide Implementation

Local governments can draw from established frameworks to guide their AI governance efforts, including:

NIST AI Risk Management Framework: Offers a structured approach to identifying and managing AI risks.
OECD AI Principles: Promote inclusive growth, human-centered values, and transparency.
State and local AI task forces: Some jurisdictions have developed their own guidelines tailored to municipal needs.

These resources can help governments build policies that are both practical and principled.

AI is not just a technical tool—it’s a governance issue. As local governments adopt AI to improve services and efficiency, they must also ensure that these technologies are used ethically and transparently. By establishing clear frameworks, engaging the public, and investing in oversight, municipalities can harness the benefits of AI while safeguarding public trust.

Tags ai, artificial-intelligence, chatgpt, ethics, technology

Cybersecurity Basics

Know Your Enemy: The 8 Types of Cyber Threat Actors

Post author By Elisabeth Dubois
Post date August 26, 2025
1 Comment on Know Your Enemy: The 8 Types of Cyber Threat Actors

Cybersecurity is no longer a niche concern—it’s a frontline issue for local governments. From ransomware attacks that paralyze public services to data breaches that expose sensitive resident information, the threat landscape is growing more complex and dangerous. At the heart of this digital battleground are the cyber threat actors, often referred to as “bad actors.” These individuals or groups exploit technology to conduct malicious activities such as hacking, phishing, and malware deployment.

Bad Actors vs. Defenders: The Asymmetry of Cyber Conflict

The economic dynamics of cybersecurity are starkly imbalanced. Attackers only need to succeed once, while defenders must be flawless every time. This asymmetry creates a daunting challenge for local government cybersecurity teams.

Low Cost of Entry for Attackers: The barrier to entry for launching cyberattacks has never been lower. On the dark web, malicious tools and services are readily available for purchase or rent. For example:
- Ransomware-as-a-Service (RaaS) platforms allow even non-technical criminals to deploy sophisticated attacks.
- Phishing kits with pre-built templates and spoofing tools can be bought for under $50.
- DDoS-for-hire services can be used to overwhelm public websites or internal systems for as little as $200.
High Cost for Defenders: In contrast, defenders must secure every endpoint, every user, and every system—24/7. Even a single overlooked vulnerability can lead to catastrophic consequences. For local governments, this means:
- Maintaining up-to-date patches across legacy systems that may not be easily upgradeable.
- Training staff to recognize and report phishing attempts, despite high turnover or limited cybersecurity awareness.
- Monitoring networks for anomalies, often without a dedicated security operations center (SOC).
- Complying with regulations and reporting requirements, which add administrative overhead.

This uneven playing field means attackers can afford to be opportunistic, while defenders must maintain constant vigilance.

The Imbalance in Risk and Reward

This asymmetry creates a risk-reward imbalance:

Aspect	Attackers	Defenders
Cost	Low (tools are cheap or free)	High (tools, staff, training, compliance)
Effort	One successful exploit is enough	Must defend all vectors, all the time
Risk	Often anonymous, low legal risk	High accountability, legal and reputational consequences
Scale	Can automate and replicate attacks	Must tailor defenses to each system and user

For defenders, the cost of failure is steep:

Financial Losses: Ransom payments, recovery costs, and lost revenue.
Reputational Damage: Loss of public trust, especially if resident data is compromised.
Operational Disruption: Downtime in essential services like emergency response, utilities, or public records.
Legal and Regulatory Penalties: Non-compliance with data protection laws can result in fines and audits.

Types of Cyber Threat Actors

Understanding the motivations, capabilities, and tactics of cyber threat actors is essential for building resilient defenses—especially for local governments that manage sensitive data and critical infrastructure. These actors vary widely in sophistication, intent, and impact, but each poses a unique risk to public sector organizations.

Type of Actor	Who They Are	What They Do	Motivation
Nation-States	Government-backed groups with extensive resources and strategic objectives.	Launch Advanced Persistent Threats (APTs), conduct espionage, disrupt infrastructure, and manipulate political systems.	Espionage, geopolitical advantage, economic disruption.
Organized Crime	Sophisticated criminal syndicates operating like businesses.	Deploy ransomware, steal data, commit fraud, and sell stolen credentials.	Financial gain through extortion, blackmail, and identity theft.
Hacktivists	Ideologically driven individuals or groups.	Deface websites, leak sensitive data, disrupt services to promote causes.	Political activism, social justice, retaliation.
Insiders	Employees, contractors, or vendors with privileged access.	Leak data, sabotage systems, or unintentionally expose vulnerabilities.	Grievance, financial reward, coercion, or ideological alignment.
Script Kiddies	Inexperienced individuals using pre-made tools.	Launch DDoS attacks, deface websites, or breach systems for fun.	Recognition, boredom, curiosity.
Cyber Terrorists	Extremist groups seeking to cause fear and disruption.	Target critical infrastructure, emergency services, and communication networks.	Ideological warfare, political destabilization.
Foreign Intelligence Services	State-sponsored espionage units.	Steal sensitive data, conduct influence operations, and manipulate public opinion.	National security, economic advantage, political leverage.
Terrorist Organizations	Radical groups using cyber tactics as part of broader warfare.	Attack infrastructure, disrupt governance, and spread propaganda.	Retaliation, ideological extremism, destabilization.

Each actor type presents unique risks, and their tactics evolve constantly. Defenders must understand the Tactics, Techniques, and Procedures (TTPs) used by adversaries to stay ahead.

What Local Government Leaders Can Do

To counter this imbalance, local government must:

Prioritize cybersecurity as a strategic risk, not just an IT issue.
Invest in layered defenses, including endpoint protection, network segmentation, and incident response planning.
Foster a culture of security awareness across all departments.
Leverage partnerships with state and federal cybersecurity agencies for threat intelligence and support.

Tags ai, cyber-security, cybersecurity, security, technology