Hackers love local governments. According to The New York Times, 44% of local governments report that they face a cyberattack daily – or even hourly (McGalliard). Yet, the ICMA’s Tad McGalliard finds that “[m]ost local governments in the United States don’t have a strong grasp of the policies and procedures they should implement to protect their technology systems from attacks.” Experts recommend a number of steps local governments should take to meet a minimal standard of cybersecurity.
Local governments make plum targets for a number of reasons. They deal with personal information, infrastructure services and large financial transactions. They have access to the $52,000 that is the typical ransom demanded for data that hackers steal and corrupt. A data breach or hardware assault could bring basic operations to a grinding halt, even jeopardizing public safety. They oversee loosely associated, disparate networks with lots of security gaps, making an attack relatively easy (Bobritsky). The plot thickens with the rise of “smart cities.” Now information is stored not just on hard drives, but also on light poles, under pavement and inside police cars.
The list of victims grows. In March 2018, Atlanta, GA, spent over $2 million to recover from a ransomware attack that rendered inoperable numerous public-facing municipal services, including the court system. Allentown, PA, had to spend an estimated $1 million in remediation after an Emotet Trojan attack disrupted financial transactions and police operations. Connecticut state agencies suffered an attack from a ransomware scheme called WannaCry. The Colorado Department of Transportation operated entirely with pen and paper when the SamSam ransomware ring brought its computerized operations to a standstill (Bobritsky).
And the crooks get smarter all the time. The attack on Allentown used evasive malware, which works much like antibiotic-resistant bacteria. Polymorphous, it changes constantly to escape detection. It uses both malicious documents and more insidious fileless methods, injecting malicious code directly into a system’s memory (Bobritsky). Anti-evasive software is struggling to keep up with this fast-evolving new threat.
Currently, most local governments are not up to the fight. More alarming than the 44% figure for attack victims is the fact that 28% do not know how often they are attacked and 41% don’t know how often their data is breached. A majority of local governments (54%) do not count or catalog such attacks (Bobritsky). Moreover, the problem is international in scope. We’re not alone; the former head of Mossad, Israel’s security intelligence agency, sees governmental cybersecurity as a shared threat that could actually start a world war (Bobritsky).
The federal government is mounting a formidable, four-pronged defense. Its priorities are to increase use and sharing of cyberintelligence data; conduct continuous security monitoring; focus on boundary protection and security-event lifecycle management; and automate and orchestrate security operations (Mandiant).
Local governments do not have the money to launch such a robust defensive strategy. Sluggish bureaucracy and tight budgets slow upgrades and limit hardware and staff expansion (Bobritsky). However, counties and towns are not thereby helpless in the face of this formidable threat. Experts recommend a number of steps that any local government can implement to ward off cyberattackers.
The Cybersecurity Standards
- Shift from response mode to a prevention mentality. Create a culture based on imagining worst-case scenarios and seeking solutions to reduce the threat – i.e., prioritizing funding for cybersecurity, establishing stronger policies and training employees in cybersecurity protocols. As part of the shift, extend the network of collaborators to include local elected officials, internet and cybersecurity staff, department managers and end users (McGalliard).
- Store data off “the cloud.” Storage on the public cloud (e.g., on Google Docs) leaves sensitive data insufficiently protected. Netskope conducted a study of businesses using the cloud; roughly 15% of them had been hacked (“How Secure is Google Drive? 10 Things You Need to Know about Cloud Security,” Cloudfindhq.com). A cloud-based server is fine; just be sure data is stored on a private server.
- Ban email. In his assessment of New Jersey municipalities, technological consultant Lou Romero found that a great majority of municipalities don’t encrypt emails, but nevertheless send all manner of sensitive information beyond their organizations. A typical case would involve sending a workman’s comp claim form to an insurance agency through email. All the PHI (personal health information) is wide open for data interception schemes such as “packet sniffing” (Romero). Instead, keep confidential information secure on a board portal with 256-bit encryption, multifactor authentication and storage on a private, cloud-based server.
- Send safer texts. The same principle applies to texting; it needs to be kept off the wide-open highway of the standard text apps that come on smartphones. Instead, use a secure app that comes as part of a board portal software package.
- Develop and implement password policies. Most municipalities have no password management policy; those that do often use outdated standards (ICMA). Eight-character passwords are now laughably penetrable. The new norm is 10-character passwords that expire every 60 to 80 days. Every local government should have requirements for all their stakeholders to follow (ICMA, McGalliard).
- Create guidelines for using government devices. The ICMA recommends treating use of government devices as a privilege, not a right. Their use should be subject to compliance with organizational standards (ICMA).
- Share information. McGalliard encourages localities to communicate with other organizations across state lines and with the federal government on election management issues, transportation data and intelligence about hackers. The Multi-State Information Sharing and Analysis Center is a great place to start (ICMA).
- Move ownership from IT staff. Cybersecurity consulting firm Aon sees an imminent shift to boards of directors assuming full responsibility for computer security. (They already have full legal liability.) As they see it, an enterprise-wide risk warrants a centralized, top-level authority overseeing it. McGalliard recommends extending that sense of ownership to elected and appointed officials as well (McGalliard).
- Create a disaster recovery plan. After auditing over 100 New Jersey municipalities to identify vulnerabilities, technological consultant Lou Romero found that a full 80% lack a plan for disaster recovery or business continuity. Most felt protected by backup systems, which do not suffice to restore full functionality in the event of a breach (Romero).
- Get a third-party risk management program. Romero found that at least 60% of local governments outsource some of their services, but few use a third party to assess the risks created by those outsourcing arrangements. For instance, they might outsource payroll, but not conduct due diligence on the security of the service provider. They also have no contingencies in the event of data breach involving theft of birth dates, SSNs or salaries. He implores municipalities to ask third parties if they’ve gone through a certification process and if they’ve been audited by a known standard. Ask if they perform background checks on their employees. Most don’t know. Most municipalities outsource credit card services to bypass fee waivers; then, too, check that the vendor is PCI-compliant (Romero).
- Develop security awareness training programs. The New Jersey auditor found a very small percentage of municipalities training staff to protect against ransomware and phishing attacks, etc. (In one town, the training consisted of instructions to rip out the data jack from the wall if something didn’t feel right.) Experts should come to board meetings and staff meetings. Frequent tabletop exercises can reinforce best practices.
- Improve use of computer recycling. Most municipalities leave old computers lying around. About 20% to 30% turn them over to Public Works for storage. That leaves data dangerously exposed. The best way to protect old data is to call a computer recycler. At minimum, remove hard drives and drill holes in them (Romero).
Hackers are playing hardball. You can, too. Adopting these 12 best practices could lead cybercriminals to pass you by in their endless quest for an easy target.
Bobritsky, Eddy, “State and Local Government Face a Disturbing Cybersecurity Threat.” State Scoop, April 17, 2018.
ICMA, “Cybersecurity Becomes Priority for Local Governments,” Oct. 31, 2016.
McGalliard, Tad, “How Local Governments Can Prevent Cyberattacks,” The New York Times, March 30, 2018.
Mandiant Services, “How Government Agencies are Facing Cyber Security Challenges,” White Paper.
Romero, Lou, “Six Eye-Opening Findings about Local Government Cyber Security,” PivotPoint Security, April 20, 2017.