In 2022, 106 local US governments experienced ransomware attacks, an increase from 77 in 2021. Cities continue to be targets of cyberattacks as they become more digitally connected, and these attacks can have far-reaching, dangerous consequences for the physical aspects of cities and local governments. These are known as hybrid attacks, which start digitally and evolve to attack physical infrastructure, and they are going to be a continuous problem for cities without a plan of preparation and response.
While these attacks cannot be prevented, cities can strategically prepare to ensure communities are resilient and able to recover. In order to do so, it's necessary for officials to identify points of weakness, recognize potential threats, and develop strategic communication plans both internally and externally.
Finding Points of Weakness
The first step in developing a preparation plan is identifying where a city's systems are weakest, and most often for governments, their greatest area of weakness comes from communication and human error.
Communication with the public and different departments is the duty of governments, but it's also a prime opportunity for bad actors to infiltrate their networks. Any message a public affairs office puts out can be targeted, and those offices must also have the ability to receive information back from citizens. In practice, this means that any message sent from the government can be manipulated for potential phishing schemes, and that information that governments receive back from "citizens" can contain malware to infiltrate their systems.
While governments can work to block threats technologically, they cannot plan for the human element that contributes to attacks. Phishing schemes are the No. 1 driver of ransomware attacks, and though government employees may have security training, no one is perfect. These phishing expeditions often are received by the city's principal authorizing officials (PAOs), like the mayor's office, public works, or police department. If these employees inadvertently introduce malware into their offices' systems, bad actors can gain access to a city's most critical infrastructure.
Threats Cities Face
Once points of entry and areas of weakness are identified, cities can better understand where threat levels are highest. Typically, there are two high-level threats that a city must address and prepare for: attacks on the physical infrastructure and attempts to discredit a city's reputation or its citizens' trust.
Cities have a multitude of responsibilities, like keeping the lights on, keeping water flowing, and keeping EMS staffed and operating, and these functions rely on technology and digital connection to keep running. In essence, every department is its own tech company that is not only susceptible to cyberattacks but can be crippled if an attack isn't managed properly. Government officials must always have these threats top of mind when planning for attacks, as one seemingly isolated cyber incident can have the power to physically shut down needed resources.
Once an attack hits a city, it is difficult for officials to regain the trust of the public. This cannot be seen as simply a byproduct of an attack; reputational impact is often a central goal of bad actors. Ransomware attacks can look like targeted campaigns to discredit a city, which in turn impacts the city's ability to generate revenue through a potential loss of residents and tourists, all of which are critical for sustaining a city's viability.
How to Prepare and Mitigate the Impact of Digital Attacks
There are several strategies cities can (and should) utilize to prepare for and mitigate the impact of a ransomware attack:
- Campaigns to educate citizens and employees: As there is still a significant portion of the population who are not digitally proficient, governments must provide education on what a real message from official offices will look like and what to do if they think they received a phishing message.
- Public-facing communication strategies: When an attack occurs, it is critical to have a plan in place for how to message the situation and the government's response to the public. This helps both to alleviate mass panic and to protect the city's reputation. This solidifies public offices, or verified public partners, as the single source of truth for a situation.
- Having a CIO as a critical point person: In any organization, a CIO is looked to as the leader of the digital response and of containing the cyber threat. The same is true for governments. A CIO must know every threat point, what response protocols have been established, and how departments work together to understand where and how a cyber threat can grow within city systems.
- Conduct digital tabletop exercises: Tabletop exercises are a critical component of any cyber preparedness plan, especially for cities. Officials must play out scenarios of what happens if the power grid goes down or if EMS services cannot be reached, and they must identify the potential paths a cyberattack might take that will impact these services.
When evaluating ransomware attacks, cities need to take the approach of "not if, but when." The idea that officials can protect a city's infrastructure against all threats is unrealistic. Understanding that a cyberattack will happen at some point helps to set the mental framework of how best to respond.
Cyber threats will only continue to grow in cities as they become more digitally connected, and there are serious physical and reputational consequences at stake if precautions aren't taken. Knowing how an attack might occur, understanding the potential threats and scenarios of impact, and regularly testing and updating your preparedness and response plans are the best lines of defense in the new world of cyberattacks.