Cyber-insecurity in Local Gov’t

This post was originally written in my role as a contributor for the Thomson Reuters Institute. You can read the original post here.

Cybersecurity has become a growing challenge for all levels of government, especially as digitalization and remote working increase among government agencies.

The evolutionary nature of where we work along with the persistence of digital governance has made cybersecurity an ever-increasing concern for all levels of government. Cybersecurity is increasingly viewed as a shared responsibility in order to protect personally identifiable information and for the continuity of government operations.

Cybersecurity attacks on local governments and state agencies predate the pandemic but have only worsened in recent years. The cities of Atlanta and Baltimore experienced major security breaches in 2018 and 2019, respectively, which caused major service disruptions and cost more than a combined $30 million to mitigate.

As the pandemic escalated in 2020, 44% of global ransomware attacks specifically targeted municipal governments. A survey administered by the International City/County Managers Association (ICMA) on cybersecurity noted that 21.4% of local government respondents had experienced between one and three security breaches in the last calendar year. More than 90% of respondents indicated that attacks within their organization were increasing in frequency.

Pandemic-exposed weak spots

The peak of the pandemic in 2020 exposed weak spots in cybersecurity as more employees began working virtually, which led to new personal electronic devices accessing networks remotely and to increasing use of digital interface tools like Zoom and Microsoft Teams. A Deloitte report surveying state chief information officers indicated that the shift from office-based to remote work was rapid; indeed, by the end of 2020, 35 states had more than half of their state workforce working remotely, and nine states had more than 90% of their workforce working remotely.

Unfortunately for cybersecurity protection, those employees quarantined in 2020 and working remotely were less likely to have access to IT or security patches and updates. Organizations without asynchronous collaboration tools likely saw an increase in the transfer of sensitive documents via email. The pandemic overlapped with the massive growth of the Internet of Things — such as wearable technology and smart devices — and the number of connected devices globally ballooned from seven billion devices in 2018 to 31 billion devices in 2020, creating new vulnerabilities for governments.

Why local governments are targeted

Local governments capture personally identifiable information such as names, addresses, driver’s license numbers, forms of payment, Social Security numbers, and more. This type of data has high value for cyber-criminals to capture, sell, or hold for ransom. With more than 90,000 local government organizations in the United States, the targets are numerous, and even worse, many of those government agencies fend for themselves in regard to their network security. That makes smaller entities — such as counties, small cities, towns, and educational institutions — particularly vulnerable to cyber-attacks.

Of course, ransom is not the only goal of cyber-attackers. Hacktivist attacks (cybersecurity attacks for political motives) are increasingly prevalent and were responsible for 9% of attacks targeting government agencies last year. And a final goal (beyond the expression of political sentiments or financial gain) of cyber-attacks on local governments is to shake the public’s confidence in local systems and endanger citizens. This is even more worrisome because local government systems often manage emergency response operations, traffic flow, and public utilities.

Cybersecurity attacks against local government agencies have wide-ranging impacts, from mild inconveniences to serious disruptions of day-to-day life. In early 2021, a coordinated ransomware attack was launched against nearly two dozen Texas municipalities by a Russia-based crime syndicate, which had gained access through a third-party firm that provides technology services to local government agencies. Minor inconveniences stemming from this attack included vital records being offline and public meeting agendas having to be printed. More problematic: police officers couldn’t retrieve records digitally and municipal payrolls could not be processed. Most alarmingly: one unnamed municipality was forced to operate its water supply system manually for more than a week.

Impacts from attacks against state or local governments can spread widely. For example, a single malware incident in Miller County, Arkansas spread to endpoints in 55 different Arkansas counties.

Cybersecurity funding & policy

According to a 2021 ICMA report, the top three barriers to cybersecurity for local governments are: i) the inability to pay competitively for employees; ii) insufficient numbers of cybersecurity staff; and iii) a general lack of funds. As the costs and risks for cybersecurity management increase, local governments would be well-advised to position cybersecurity as a public safety issue when seeking additional funding. Cybersecurity insurance is another option that local government agencies might think about funding, especially considering that the average public sector cybersecurity incident costs more than $2 million to mitigate.

The 2022 Strengthening American Cybersecurity Act requires U.S. government agencies to report cyber-attacks within 72 hours and report ransomware payments within 24 hours. States are also subject to the same attack report criteria. The decentralized State and Local Cybersecurity Grant Program, a part of the Infrastructure Investment and Jobs Act and the Department of Homeland Security, has dedicated $185 million in FY 2022 to enhancing cyber-governance and planning, building a cybersecurity workforce, and assessing and evaluating systems and capabilities. A large portion (80%) of allocations to each state must support local entities.

Collaborative state & local solutions

At the state level, Massachusetts has funded cybersecurity programs through their Office of Municipal and School Technology — part of the Executive Office of Technology Services and Security. This program offers local government agencies and school districts basic cybersecurity tools and assessments at no cost. End-user training, phishing drills, and other exercises can help mitigate outside attacks and prevent internal user errors that could leave systems vulnerable, especially to phishing attacks, which are reported to be the most common among all attack vectors.

New York City and New York State have created a new model of joint operations through their Joint Security Operations Center (JSOC), which co-locates city and state cybersecurity personnel in the same command center to enhance collaboration and information-sharing. JSOC offers endpoint detection and response services for five major upstate cities and 50 qualifying New York State counties. In order to qualify for three years of support at no cost, New York municipalities and counties must share their detection logs, which, in turn, helps state systems continually improve and can offer insights and warnings to potential victims.
