“A smart local government will have fire, police and cybersecurity at the same level.”
— David Jordan, Chief Information Officer, Arlington County, VA
On February 25, 2016, a Sarasota, FL, Police Department employee clicked on an email attachment, as he did countless times a day. This time, no document opened. Instead, that worker had unknowingly triggered a ransomware attack. Cybercriminals encrypted 160,000 city files, making them unusable. Extortion ensued: The brains behind the operation demanded $33 million in bitcoin to unlock the files. Their story is not unique. Municipal boards should proactively take cybersecurity precautions, as smart, aggressive hackers show considerable interest in cities, counties and towns as targets.
The Scope of the Threat
Cyberattacks are making a large and growing impact on the global economy. In 2009, Eastern European hackers launched the first ransomware attacks. By 2016, the FBI estimates ransomware attacks worldwide cost victims a billion dollars. The following year saw the single largest ransomware incident. North Korean hackers struck tens of thousands of victims in more than 70 countries. They crippled Britain’s public health system, Russia’s Interior Ministry and numerous private firms. Soon after that, Russia paralyzed the Ukrainian system, freezing government agencies and crippling radiation monitoring at Chernobyl.
That formidable threat is growing in sophistication, much as a virus evolves to dodge the defenses of a host organism. Already, if cybercriminals can penetrate lackluster security shields, they can flood a system with volume in a “Denial of Service” attack. The onslaught freezes a system; the crooks then charge a ransom to grant legitimate users access to their own system’s data. These and similar scams get a boost from so-called Emotet polymorphs, which change constantly to avoid detection (Bobritsky). For instance, evasive software can fool malware into “thinking” that its environment is hostile, so that it injects malicious code directly into the memory of the victim’s system, with no files as go-betweens. Constantly updated, evasive malware at times evades detection by antivirus and other anti-malware software (Bobritsky).
Municipalities Make Prime Targets
In a cybercriminal’s mind, cities, counties and towns can make surprisingly attractive targets. According to The New York Times, a staggering 44% of local governments reported that they face cyberattacks either daily or even hourly (McGalliard). Twenty-eight percent of localities surveyed do not know how often they are attacked, and 41% don’t know how often their data is breached. A majority of local governments – 54% – do not count or catalog attacks (McGalliard).
The risk grows year by year. In an ICMA survey, nearly 40% of CIOs for local governments said that they had had more attacks in 2016 than ever before (Newcombe). The frequency of attacks, too, is on the rise, and two popular trends promise to increase the risk even further in the future. As cities strive to become “smart cities,” they increase their risk; soon, every light post and stop sign will have a connection to a computer network. Furthermore, attempts to make small governments more “open” have increased exposure as an unintended consequence.
Why do cybercriminals bother with such small fish? While “whalers” go after a small number of high-dollar targets, major ransomware outfits such as SamSam follow a volume-based business model. Municipalities meet their criteria: An attack could grind essential operations to a halt, and they could access the roughly $52,000 average ransom. (Universities and hospitals make popular targets for the same reason.) Small governments also typically lack data on the effectiveness of their security controls (Newcombe).
The material accessible through municipal systems sweetens the pot for hackers. Local governmental networks both process and host valuable confidential data about individuals, infrastructure and financial transactions – PINs, PHIs, SSNs and other sensitive material protected by HIPAA and FERPA (Bobritsky). Using “Advanced Persistent Threats” (APTs), hackers can infiltrate unsecured systems undetected – even through a single document posted on the cloud. Undetected, they can then “move laterally through networks and blend in with normal network traffic to achieve their objectives” (CSO Online).
More Than a Nuisance
When a municipal entity is attacked, it does not merely create a nuisance; it creates a catastrophe. The Sarasota IT Director, Herminio Rodriguez, told investigators after their attack, “In 25 years, that was the worst disaster I’ve ever encountered. It was an end-of-life event from the IT perspective” (Newcombe). Writing for The New York Times, cybersecurity expert Tad McGalliard recommends that local governments imagine the worst-case scenarios to guide their quest for solutions. Past experience provides glimpses of the devastating possibilities:
The list goes on and on, from a “WannaCry” attack on Connecticut state agencies to malware damage inflicted on the Savannah, GA, computer system.
Apart from these immediate one-time costs, attacks (or the failure to prepare for them) bring an added long-term drag to a municipality. First, S&P analyst Geoff Buswick told Governing Magazine that, once attacked, smaller governments could face a reduction in their credit rating, making bond issues more expensive (Newcombe). Second, cyberinsurance premiums are higher for municipalities that have not protected themselves from cyberattack (Newcombe).
Savvy hackers are attacking municipalities at alarming rates, with schemes that can cost astronomical sums to remediate. And the threat is growing. The IT officer for Allegheny County, MI, has reached the inevitable conclusion: “The proliferation of attacks has reached a height that you can no longer sit and wait,” he said. “You have to proactively put measures in place to reduce the risk level.” (Newcombe)
Bobritsky, Eddy, “State and Local Governments Face a Disturbing Cybersecurity Threat,” State Scoop April 17, 2018.
ICMA, “Cybersecurity Becomes Priority for Local Governments,” Oct. 31, 2016.
McGalliard, Tad, “How Local Governments Can Prevent Cyberattacks,” The New York Times March 30, 2018.
Newcombe, Todd, “Small Towns Confront Big Cyber-Risks,” Government Technology October–November 2017.