Beyond the National Strategy: How Cybersecurity is a Core Enabler to New Zealand Local Government

Local governments are on the frontline of cybersecurity threats. This article explores the unique security challenges councils face, the gaps in national cybersecurity frameworks, and the urgent need for a coordinated Local Government Cybersecurity Strategy in New Zealand.

Patrick Joy 11 April 2025

Beyond the National Strategy: How Cybersecurity is a Core Enabler to New Zealand Local Government

Imagine waking up to find your city’s freshwater system contaminated. Traffic has ground to a halt, delaying emergency services. No one can access your ratepayer portal, everything is locked.

These are the realities of cyber-attacks on local government, from water treatment infrastructure, to transport management networks, and worse yet, ransomware attacks on citizen services exposing residents to identity theft and financial fraud.

It’s hard to discount these as hypotheticals. The convergence of IT (Information Technology), OT (Operational Technology), and IoT (Internet of Things) has expanded the attack surface, exposing councils to an increasing number of real risks and sophisticated cyber threats.

The consequences extend far beyond financial losses; they impact public health, safety, environmental stability, and the trust of residents.

The Growing Threat Landscape: Why Local Government is a Target

Local councils are prime targets for cybercriminals due to their direct line and proximity to the citizen. Councils really are the front line and the everyday essential services.

Moreover, as geopolitical tensions rise and cyber actors become more advanced, the threats are no longer limited to opportunistic ransomware groups. State-sponsored actors, hacktivists, and criminal syndicates view local government as both a strategic target and a weak link in national security. Given this, residents now expect their local councils to take cybersecurity more seriously than ever before.

Cybersecurity is a vital safeguard for New Zealand and remains a top national priority.

Currently, New Zealand's national cybersecurity strategy is undergoing a refresh, with a revised version still under consultation. While the previous strategy provided direction, the evolving digital landscape and rising cyber threats necessitate an updated, more comprehensive approach. This consultation phase presents an opportunity to ensure that local governments are adequately represented and supported within a broader national cybersecurity framework.

This article will focus on two pertinent questions:

What are the key cybersecurity challenges in local government, and how have previous approaches overlooked these roadblocks?
What strategies and further actions should be considered to assist municipal and regional governing bodies in strengthening resilience against cybercrime?

Local Government’s Top Security Challenges

Local governments across New Zealand are facing a rapidly expanding cyber threat landscape. But while the technological risks—across IT, OT, and IoT systems—are often the most visible, they are not the root challenges themselves. Rather, they are symptoms of deeper structural constraints that hinder councils from achieving cyber resilience.

This section explores the two core challenges facing local government and how these challenges amplify the risks presented by increasingly complex digital environments.

1. High-Value Target: Legacy Technology, Limited Protection

Local governments manage a vast array of critical services and sensitive data—from ratepayer information to water treatment operations—making them attractive targets for cybercriminals. Yet many councils operate without a dedicated cybersecurity strategy or standard, relying on outdated systems and fragmented policies to safeguard essential infrastructure.

This structural gap creates an environment where existing risks across IT, OT, and IoT systems are magnified.

Contributing Risk Vectors:

IT Risks: Legacy systems vulnerable to exploitation, cloud/SaaS adoption without sufficient security controls, and ransomware attacks that disrupt operations and erode public trust.
OT Risks: Ageing industrial control systems in vital infrastructure such as wastewater and traffic networks, often lacking basic protections and isolated oversight.
IoT Risks: Widespread deployment of smart city technology—such as sensors, cameras, and connected devices—without adequate visibility, oversight, or security standards.

As digital convergence accelerates, these systems become increasingly interdependent—creating new risks that councils are often unequipped to manage alone.

Key Barriers:

Cybersecurity is a national priority, yet there is no dedicated strategy tailored to the unique challenges faced by local governments. This has resulted in fragmented and inconsistent approaches across councils.

While the New Zealand Information Security Manual (NZISM) is a mandatory framework for prescribed government agencies, it does not extend to District Health Boards (DHBs), Crown Entities, local government bodies, and similar organisations. These entities are instead governed by their own legislation, regulations, and, in some cases, a responsible Minister.

This disconnect creates a gap between strategy and implementation, leaving local governments without a cohesive, nationally aligned cybersecurity approach.

Local government leaders are juggling a complex and competing set of challenges—most notably financial sustainability, workforce capability, infrastructure demands, and rising community expectations.

Cybersecurity is one of many critical risks on the agenda, but councils often lack the dedicated resourcing or external support to elevate it. The issue is not a lack of awareness, but a lack of capacity—financial, technical, and strategic. In this context, cybersecurity risks are not deprioritised because they are unimportant, but because they are difficult to resource without clear guidance or co-investment.

This underscores the need for a nationally coordinated approach. As councils continue to digitise, the cyber threat landscape grows more complex, and without the right support, local governments may find themselves increasingly exposed. Strengthening cybersecurity across the local government sector requires collaborative investment and shared accountability—particularly from central government.

Recommendations:

Adopt a National Local Government Cybersecurity Strategy that embeds a dedicated coordination framework:

Acknowledge the unique operating environment of local government, including funding constraints and diverse capabilities.
Provide a structured, nationally supported framework that includes centralised resources, policy guidance, and practical implementation tools tailored for councils.
Facilitate coordination between councils, central agencies, and key oversight bodies to enable knowledge sharing, joint risk assessments, and streamlined access to cybersecurity expertise.

International Case Study \| United Kingdom – Local Government Cyber Resilience:
The UK government has developed the Cyber Assessment Framework (CAF) tailored for local authorities to bolster cyber resilience across the sector. This framework, adapted from the National Cyber Security Centre’s (NCSC) CAF, assists councils in assessing and improving their cybersecurity posture. The initiative emphasises a collaborative, whole-organisation approach to understanding and managing cyber risks appropriately.

International Case Study | United Kingdom – Local Government Cyber Resilience:

The UK government has developed the Cyber Assessment Framework (CAF) tailored for local authorities to bolster cyber resilience across the sector. This framework, adapted from the National Cyber Security Centre’s (NCSC) CAF, assists councils in assessing and improving their cybersecurity posture. The initiative emphasises a collaborative, whole-organisation approach to understanding and managing cyber risks appropriately.

Conduct a national cybersecurity infrastructure stocktake across local governments:

Provide visibility into the current state of IT, OT, and IoT systems and security controls.
Identify critical vulnerabilities and investment gaps.
Help oversight bodies such as DIA, CERT NZ, and LGNZ prioritise support and co-investment where it's needed most.
Serve as a baseline to track maturity and progress over time.

International Case Study \| Singapore – Strengthening National OT Cyber Resilience:
In August 2024, Singapore launched its updated Operational Technology Cybersecurity Masterplan (OT Masterplan 2024) to address the rapidly evolving risks to critical infrastructure systems. The plan recognises the growing cyber-physical nexus between IT, OT, and IoT systems, and responds to a more dangerous threat environment shaped by geopolitical instability and advanced cyber tactics. Key initiatives include: Workforce development: OT cybersecurity is being integrated into national education frameworks and professional career pathways through the Operational Technology Cybersecurity Competency Framework (OTCCF). Information sharing: The government is streamlining collaboration with sector regulators and the OT Information Sharing and Analysis Centre (OT-ISAC) to improve real-time threat visibility and incident response. Beyond critical infrastructure: Singapore is developing a data-driven model to assess vendor risks across both critical infrastructure and wider OT supply chains, recognising the ripple effects of supply chain compromise. Secure-by-design policies: The Masterplan mandates Secure-by-Deployment principles for OT systems across their entire lifecycle—from procurement to maintenance—ensuring resilience is built in from the start. Relevance to NZ: Singapore’s proactive, whole-of-ecosystem approach demonstrates how national policy can drive OT resilience through partnerships, capability building, and governance standards. In New Zealand, the Department of the Prime Minister and Cabinet’s Critical Infrastructure Resilience work programme — which included a public consultation and was later rescoped to focus more directly on managing cyber risks — proposed an all-hazards approach that recognises cybersecurity as a key national risk. While that broader consultation is currently paused, it provides an important foundation for advancing OT cyber maturity across local councils and infrastructure operators within a more strategic, risk-informed resilience framework.

International Case Study | Singapore – Strengthening National OT Cyber Resilience:

In August 2024, Singapore launched its updated Operational Technology Cybersecurity Masterplan (OT Masterplan 2024) to address the rapidly evolving risks to critical infrastructure systems. The plan recognises the growing cyber-physical nexus between IT, OT, and IoT systems, and responds to a more dangerous threat environment shaped by geopolitical instability and advanced cyber tactics. Key initiatives include:

Workforce development: OT cybersecurity is being integrated into national education frameworks and professional career pathways through the Operational Technology Cybersecurity Competency Framework (OTCCF).
Information sharing: The government is streamlining collaboration with sector regulators and the OT Information Sharing and Analysis Centre (OT-ISAC) to improve real-time threat visibility and incident response.
Beyond critical infrastructure: Singapore is developing a data-driven model to assess vendor risks across both critical infrastructure and wider OT supply chains, recognising the ripple effects of supply chain compromise.
Secure-by-design policies: The Masterplan mandates Secure-by-Deployment principles for OT systems across their entire lifecycle—from procurement to maintenance—ensuring resilience is built in from the start.

Relevance to NZ: Singapore’s proactive, whole-of-ecosystem approach demonstrates how national policy can drive OT resilience through partnerships, capability building, and governance standards. In New Zealand, the Department of the Prime Minister and Cabinet’s Critical Infrastructure Resilience work programme — which included a public consultation and was later rescoped to focus more directly on managing cyber risks — proposed an all-hazards approach that recognises cybersecurity as a key national risk. While that broader consultation is currently paused, it provides an important foundation for advancing OT cyber maturity across local councils and infrastructure operators within a more strategic, risk-informed resilience framework.

Efforts Now in Place:

The ALGIM Cybersecurity Programme provides councils with a tailored framework to assess, benchmark, and improve their cybersecurity maturity. Built on the SAM for Compliance platform, it includes a Computer Security Incident Management System aligned to NIST guidelines, interactive readiness dashboards, tailored training, and external audit options. Councils demonstrating progress receive recognition through ALGIM’s annual awards programme, encouraging sector-wide uplift through shared benchmarking and best practice.
As the Government progresses its City and Regional Deals programme—a major new initiative focused on long-term regional infrastructure planning and economic growth—there is an opportunity to explicitly include cybersecurity as a core enabling infrastructure priority. By embedding digital resilience and cyber-readiness into the scope of these regional growth plans, both central and local governments can work together to future-proof essential public services and reduce vulnerabilities across interconnected infrastructure systems.
A number of councils have already benefitted from a complimentary one-hour assessment of their cyber risk posture by Connect NZ.

2. Budget Constraints & Competing Priorities

Cybersecurity investments frequently fall outside a council’s financial capacity, as funding is prioritised for critical community services such as infrastructure, service delivery, and workforce development. In a fiscally constrained environment, local governments must make difficult trade-offs, often leaving cybersecurity initiatives underfunded despite growing digital threats.

Key Barriers:

Local governments lack the financial flexibility to significantly increase cybersecurity budgets without external funding or strategic support. Unlike central agencies, councils operate within tight fiscal parameters, where cybersecurity is often viewed as a long-term risk rather than an immediate operational necessity.

With competing priorities limiting available resources, cybersecurity is at risk of being positioned as a “nice-to-have” rather than a core operational requirement. Without dedicated funding pathways or external support, councils may struggle to build the cybersecurity resilience required to protect increasingly digitised public services.

Recommendation:

Cybersecurity as an Economic Growth Opportunity

What if cybersecurity could be viewed not just as a cost centre, but as foundational economic infrastructure—on par with water, transport, and housing? As the Government advances its City and Regional Deals and continues to prioritise large-scale infrastructure upgrades, it is critical that cyber resilience is embedded within these investments.

Secure digital infrastructure enables productivity, attracts investment, and builds public confidence—all essential pillars of economic growth. Councils that invest in secure platforms and modern digital services not only reduce risk but accelerate innovation in how they deliver core services. Embedding cybersecurity into regional economic planning will ensure that growth is sustainable, inclusive, and resilient.

Efforts Now in Place:

The ALGIM Cyber Security Programme supports councils in managing and reducing cybersecurity risks, awarding those demonstrating significant improvements.
New Zealand Local Government Funding Agency (LGFA) provides cost-effective financing for infrastructure projects, including cybersecurity enhancements.

International Case Study \| United States – Local Cybersecurity Grant Program
To address the funding gap many local governments face, the U.S. Department of Homeland Security (DHS), through the Cybersecurity and Infrastructure Security Agency (CISA) and FEMA, established the State and Local Cybersecurity Grant Program (SLCGP). Backed by $1 billion over four years via the Infrastructure Investment and Jobs Act (2021), the program provides targeted funding to help state, local, and tribal governments reduce cybersecurity risk across their IT and OT systems. In its third year (FY2024), over $279.9 million was allocated, with a minimum of 80% of funds required to flow to local governments—and 25% reserved for rural areas. The grants fund critical activities such as: Conducting cybersecurity assessments, Developing or revising Cybersecurity Plans, Implementing core controls like multi-factor authentication and secure backups, Replacing unsupported legacy systems. This funding model ensures that even small or under-resourced councils have access to dedicated co-funding for cybersecurity uplift, especially as part of broader infrastructure modernisation efforts.

International Case Study | United States – Local Cybersecurity Grant Program

To address the funding gap many local governments face, the U.S. Department of Homeland Security (DHS), through the Cybersecurity and Infrastructure Security Agency (CISA) and FEMA, established the State and Local Cybersecurity Grant Program (SLCGP). Backed by $1 billion over four years via the Infrastructure Investment and Jobs Act (2021), the program provides targeted funding to help state, local, and tribal governments reduce cybersecurity risk across their IT and OT systems.

In its third year (FY2024), over $279.9 million was allocated, with a minimum of 80% of funds required to flow to local governments—and 25% reserved for rural areas. The grants fund critical activities such as:

Conducting cybersecurity assessments,
Developing or revising Cybersecurity Plans,
Implementing core controls like multi-factor authentication and secure backups,
Replacing unsupported legacy systems.

This funding model ensures that even small or under-resourced councils have access to dedicated co-funding for cybersecurity uplift, especially as part of broader infrastructure modernisation efforts.

Moving Forward: Cybersecurity as a Strategic Priority for Business Enablement, Not a Cost Burden

Local government executives must shift their perception of cybersecurity from a compliance requirement to a fundamental enabler of efficient, reliable, and resilient public services. Cyber investments:

Reduce operational disruptions by ensuring continuous service delivery.
Safeguard public trust by protecting resident data and critical infrastructure.
Protect public safety by securing essential services like water treatment, traffic systems, and emergency communications from cyber-physical threats.
Enable digital transformation by securing the foundation for smart cities and modern governance.

While New Zealand’s National Cyber Security Strategy is undergoing consultation, it is imperative to include a National Local Government Cybersecurity Strategy that directly addresses the unique challenges councils face. A one-size-fits-all approach is insufficient given local government’s scale, responsibility constraints, and financial realities.

A promising development is the Service Modernisation Roadmap, a three-year all-of-government program aimed at enhancing digital infrastructure, data protection, and cybersecurity budget allocations. By integrating cybersecurity support into this roadmap and aligning it with a dedicated local government strategy, New Zealand can build stronger, more resilient municipal institutions.

To safeguard critical infrastructure, maintain the continuity of essential services, and ultimately protect public safety, the government should ensure that local councils have access to dedicated cybersecurity resources, coordinated strategic guidance, and funding mechanisms that do not place additional financial strain on ratepayers. Cyber threats no longer only compromise email systems or sensitive data — they can directly disrupt water treatment, transport networks, emergency response systems, and other vital services. Strengthening local cybersecurity capability is not just an IT concern, but a public safety imperative.

Acknowledgement

This research was supported by Fortinet, a global cybersecurity leader committed to securing the digital transformation of public institutions. Fortinet’s expertise in converging IT, OT, and IoT security through its Security Fabric architecture aligns closely with the imperatives explored in this article—particularly the need for integrated, scalable, and risk-informed approaches to protecting local government infrastructure. By enabling real-time visibility, threat intelligence, and operational resilience across complex municipal systems, Fortinet continues to empower councils to move beyond reactive measures and build proactive cybersecurity strategies. As New Zealand local governments face a rapidly evolving threat landscape, Fortinet’s leadership in securing critical services and safeguarding community trust underscores the vital role of public-private collaboration in shaping a safer digital future.