Insider‑threat risks for state and local govs

A Naval Postgraduate School thesis highlighted insider‑threat risks facing state and local governments, calling attention to access, monitoring and duty separation challenges in smaller jurisdictions. The research framed the issue as organisational opacity—controls may exist technically but remain opaque operationally. (hstoday.us)

An insider threat is damage caused by someone who already has the keys, and new Naval Postgraduate School research says state and local governments are exposed. (hstoday.us)

Homeland Security Today reported on April 13, 2026 that Christopher Capone’s thesis warned that state and local agencies face insider threats and foreign malign influence, even as detection efforts still focus mainly on federal institutions. The thesis drew on case analysis, current mitigation strategies, and interviews with senior leaders from the New York City Police Department Intelligence Bureau. (hstoday.us)

The basic problem is access: the Cybersecurity and Infrastructure Security Agency defines an insider as a person with authorized access or knowledge of an organization’s systems, facilities, or information. That means the risk can come from employees, contractors, vendors, or anyone else already trusted with a badge, device, or network account. (cisa.gov)

The federal playbook already names the controls smaller governments struggle to run every day. National Institute of Standards and Technology control AC-6 calls for least privilege, meaning users get only the access needed for assigned tasks, while AC-5 calls for separation of duties so one person cannot complete every sensitive step alone. (csrc.nist.gov) (csf.tools 1) (csf.tools 2)

Capone’s thesis argues those controls can exist on paper but remain hard to see in practice inside smaller jurisdictions, where thin staffing can force one employee to hold multiple roles. Homeland Security Today said the thesis recommends recalibrated insider-threat policies, stronger intergovernmental trust, and localized awareness campaigns. (hstoday.us)

The Cybersecurity and Infrastructure Security Agency says its insider-threat guide is meant for federal, state, local, tribal, and territorial governments and is designed to scale by size and maturity. The agency organizes mitigation into four steps: define the threat, detect and identify it, assess it, and manage it. (cisa.gov 1) (cisa.gov 2)

State and local government has been on insider-threat researchers’ radar for years. Carnegie Mellon University’s Software Engineering Institute said in a 2012 review that 49 of more than 700 insider cases in its dataset involved state or local government, with 27 of those 49 cases tied to fraud and 10 tied to sabotage. (sei.cmu.edu)

That older casework also found that 43 of the 49 state and local cases involved current employees at the time of the attack, not outsiders breaking in. The pattern fits Capone’s warning that the soft spot is often not missing technology, but weak day-to-day visibility into who can do what, and who is checking. (sei.cmu.edu) (hstoday.us)

The closing message from the thesis is not that state and local governments need a federal-size bureaucracy. It is that the front line of American government needs clearer access rules, better monitoring, and enough role separation that one trusted insider cannot act unseen. (hstoday.us)
