Defending and understanding city and county digital infrastructure—Congress takes a serious look

The invite that came out of the blue that was both surprising as it was timely. I was invited to testify before the U.S. House Committee on Oversight and Reform’s Subcommittee on Government Operations. Joining me were key representatives from NASCIO, Code for America, and the Center for Digital Government—four of us in all. The topic of the hearing was “Catalyst for Change: State and Local IT After the Pandemic.”

It was an awesome experience to be in one of the large historic House chamber hearing rooms. Yet the room was sparsely attended by folks in-person—a reminder the pandemic is not yet over. Most participated virtually. My opening remarks focused on how the pandemic brought local governments together in ways never experienced before—and most were able to pivot to a comprehensive remote environment in a remarkable period of time. Cities and counties across the nation stepped up to provide citizens with enhanced website offerings, developing apps and the expanded use of social media outreach to share the latest COVID information. In addition, they developed registration systems for testing and vaccinations, pivoted many in-building services to digital citizen outreach services offered 24/7. And they did this all while supporting a near-remote workforce.

Despite all the dramatic and positive gains, we know that not every entity fared the same—the pandemic exposed weaknesses and serious short- and long-term vulnerabilities. It also demonstrated the need for greater IT modernization and resiliency. The pandemic also laid bare the gaps in IT staffing and competencies, and cybersecurity protections. For example, when everything pivoted to digital, it paved the way for greater cyber incidents leading to costly ransomware attacks.

The pandemic underscored the need to address on-going and newly found local government deficiencies regarding digital infrastructure and the growing costly attacks from cyber criminals who are targeting cities and counties. These criminal activities have greatly increased as more local government services are now online.

I pointed out the need to recognize not only the vital role technology plays and will continue to play in local government, but the need to also focus on the human factor. Tools are nothing without able mechanics and similarly, technology is but a highly sophisticated set of tools that require humans to master their new and growing toolboxes.

In all, I pointed out five major areas of concern:

1. IT modernization is still lacking in providing greater digital services directly to citizens. IT modernization must also include a focus on addressing the need for greater agility and resiliency.
2. Pressing need for enhanced intergovernmental relations. We all have so much to share, learn and coordinate, yet we continue to be stuck in silos.
3. Significant cyber threat protection, both in terms of prevention and remediation.
4. Abundant need for professional development and certifications aimed at existing staff.
5. Actively address manpower shortages requiring more creative approaches to recruitment and retention in IT-related positions.

We must recognize IT modernization is still lacking and in providing greater digital services directly to citizens. IT modernization must also include a focus on addressing the need for greater agility and resiliency.

As the pandemic grew, local governments had little choice but to pivot toward online services critical to maintaining government operations and connecting with citizens. Despite all the dramatic and positive gains not every entity faired the same—the pandemic exposed weaknesses and many local governments were forced to remain open in order to serve its citizens. Local government leaders tell us that they are somewhat aware of some of the new funding opportunities that are aimed at generally helping local governments but are unclear just how they can be used for technology modernization. They further state that they see many rules and regulations that often conflict with the funding agency/source. At the very least it would make sense for someone to step in and clarify how IT spending at the local level can be applied for and clear up the various reporting rules and regulations.

Often left out of legislative remedies and funding discussions is the fact that local governments are largely on the front lines of citizen engagement and serve as agents for state and federal program information and services.

I also pointed out the urgent need for significant cyber threat protection, both in terms of prevention and remediation. The FBI’s Internet Crime Complaint Center logged 791,790 complaints of suspected internet crimes last year—an increase of more than 300,000 complaints from 2019. Reported losses exceeded $4.2 billion. Unfortunately, there is no requirement that local governments report cybercrimes unless personally identifiable information has been breached. I am personally aware of many ransomware attacks and sadly they are clearly on the increase, are demanding greater sums of money via Bitcoin, and to add to the pressure to deliver—the criminals are starting to expose sensitive record of public employees and residents.

According to a published report in March 2021 by Comparitech, over the last few years, ransomware has become a huge cause for concern for all kinds of organizations. For governmental entities, it can mean extended downtime, lost files, and the inability to access key infrastructure and services. This includes 911 services and utilities. The report’s researchers found a total of 246 separate ransomware attacks were carried out on government agencies in the last three years (from 2018 to 2020). These have potentially impacted more than 173 million people and may have cost $52.88 billion.

Many local governments were able to use CARES Act funding and now are contemplating the American Rescue Plan Act, though there are no specifics related to cyber security.

Perhaps the most interesting portion of the hearing was taking and responding to questions from members of the sub-committee. The questions revealed a disappointing understanding of the many significant differences between state and local governments. Many comments and questions were aimed at the mess created by inadequate state systems tasked with processing unemployment claims and payments. Despite the pleas from each of the four panelists for greater understanding and funding directly to states, cities and counties, many committee members lamented on the “billions of dollars of waste from fraud,” and went on to say that additional funding should not be considered until fraud and abuse is addressed. While no one was arguing waste and abuse doesn’t exist in some programs, local governments should not be swept into the failings of state government.

We continue to believe there is an abundant need for professional development and certifications aimed at existing staff. The pandemic exposed numerous deficiencies, including the lack of trained or certified IT staff to help counter the enormous burdens placed on IT system integrity. IT staff have evolved into a profession and like any worthy profession there is an on-going need to train and certify just as is expected with public safety, pilots, CPA’s and more. The pace of change in IT is nothing short of dizzying and requires the need for staff professionals to keep up on the latest tech developments.

There are numerous certification programs from which to choose including such broad areas as IT fundamentals, cybersecurity, cloud, infrastructure and professional skills. Local governments when faced with uncertain financial outcomes due to a crisis such as the great recession of 2008-2009 and the pandemic are the first to cut training and travel. More must be done to encourage current IT professionals by supporting IT certifications and other forms of IT training and development. Research has found that when government entities are viewed as investing in their professional staff, a greater sense of commitment, job satisfaction and increased productivity can be expected.

I believe Congress can help in actively addressing the manpower shortages requiring more creative approaches to recruitment and retention in IT-related positions. Research as shown there is an IT manpower gap—and this was well before the pandemic, which has only exacerbated the situation. Making matters worse is the fact as the economy recovers, many IT professionals are leaving local government for higher paying jobs in the private sector. Any incentives that would keep qualified IT professionals in place would be welcomed.

Apprenticeships can play a role in growing the next generation of talent in these government IT departments. They increase retention, attract diverse talent, and provide a reliable talent development strategy. To date CompTIA, PTI’s parent, has played a leadership role in promoting creative apprenticeships in IT.

Today’s economy is increasingly dependent on the technology industry to generate economic growth and the skills gap is a significant hurdle. In 2020, the technology industry contributed nearly $2 trillion to the U.S. economy and employed more than 12 million workers. However, there were also nearly 4 million tech job openings. These findings, coupled with the recent calls by the White House to build a diverse and accessible talent pipeline to strengthen our nation’s supply chains, demonstrate the urgent need for Congress to work quickly to address this important matter.

The hearing took place on June 30^th and my hope is this is just a beginning of a new and positive dialog moving forward. Just days later we would all learn of the Kaseya ransomware attack which seriously impacted thousands of businesses and local governments. With pressure to do more, The White House announced a series of measures that included added resources for protecting our nation’s cities and counties.

So, I applaud the Administration in their efforts, as I do the sub-committee for providing the leadership in conducting this hearing and the ensuing discussion. It has been said that a tragedy is a terrible thing to waste, and I believe we can all agree that this is an opportune time to reflect on the recent past of what were the lessons learned stemming from the pandemic and more importantly how can we best prepare for the future. We all have much work to do. We need more meaningful dialog for starters, and we need greater understanding on how best federal and state resources can help cities and counties address their digital infrastructure needs.

Note: You can view the entire hearing by going to: https://www.youtube.com/watch?v=BvwM9XYICis&t=3750s

Dr. Alan R. Shark is the executive director of the Public Technology Institute (PTI), now part of the Computing Technology Industry Association (CompTIA) in Washington, D.C., since 2004. He is a fellow of the National Academy for Public Administration and chair of the Standing Panel on Technology Leadership. Shark also is associate professor for the Schar School of Policy and Government, George Mason University, and course developer/instructor at Rutgers University Center for Government Services. Shark’s thought leadership activities include keynote speaking, blogging and a bi-weekly podcast called Sharkbytes. He is the author or co-author of more than 12 books, including “Technology and Public Management,” as well as “CIO Leadership for Cities and Counties.”