Local governments remain prime targets for ransomware, as hackers lock up government systems and leave municipalities with few resources and long recovery times. Everything from emergency response systems to hospitals, schools, and elections could be up for grabs as these threat actors wreak as much havoc as possible.
It's a scary time as the landscape grows to include new threats like "killware," which is exactly as dangerous as it sounds. As Homeland Security Secretary Alejandro Mayorkas said recently, "The attacks are increasing in frequency and gravity, and cybersecurity must be a priority for all of us."
Sadly, it's not.
Hackers are consistently breaching local government systems that have weak password policies, lack multifactor authentication, and lack proper data recovery processes and tools. Those most at risk are not properly managing even the most basic security tasks, such as solidifying data backup and recovery processes. Users often share credentials like it's a Netflix account, and critical systems are at risk because of it. Most local governments lack proper information security and governance.
Local leaders often lack the resources, budget, and knowledge for cybersecurity. Most don't know where their weaknesses lie or which areas threat actors are most likely to target, because there is no focus on understanding information security risks.
Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly wants them to step up. The National Association of State Chief Information Officers (NASCIO) adds further urgency with its top 10 priorities for 2022, in which risk management and cybersecurity top the list.
Here are a few steps that local and county governments can take to improve their cybersecurity posture and avoid a costly breach.
Contact a Cybersecurity Professional
In many cases, IT teams advising on cybersecurity are punching above their weight. But the risk of a cyberattack can't be ignored. Local governments need to partner with an organization that can not only check compliance with cybersecurity standards but also technically assess their controls.
Even if local governments are subject to cybersecurity policies, policies do not equal security. Compliance audits should check against the 18 Center for Internet Security (CIS) critical security controls and the National Institute of Standards and Technology (NIST) cybersecurity framework and also include a technical control suitability and configuration review.
In other words, the assessment should dig into the technical weeds. It should identify how governments are orchestrating backups, which forms of remote access are in use, whether there is multifactor authentication on all of them, how strong the passwords must be, and how email is secured.
Undoubtedly, there is a lot of work involved here, and some of it is costly. However, a proactive approach is far cheaper than paying recovery costs (even if the ransom isn't paid) and trying to repair the integrity of a government's systems and its reputation. In 2020, ransomware attacks cost US government organizations nearly $19 billion.
Use Available Funding
Many local governments cite a lack of funding as a reason that cybersecurity isn't taken more seriously. While funding circumstances vary greatly across the country, there are some resources available that, although not exclusively for that purpose, can be allocated to cybersecurity.
As part of the American Rescue Plan, the Coronavirus State and Local Fiscal Recovery Funds (SLFRF) program delivers $350 billion to state, local, and tribal governments across the country for a variety of uses, including cybersecurity. Hundreds, if not thousands, of local governments aren't spending those relief funds in that way.
According to a report by Deloitte and NASCIO, the majority of states spend only 1% to 2% of their IT budgets on cybersecurity, yet federal agencies and private sector businesses spend 5% to 20%. Attackers target local governments disproportionately, mirroring that gap in security spending. One study in 2020 found that local governments are the most common target of cybercriminals, with 45% of ransomware attacks aimed at municipalities.
Perform a Penetration Test
Once you've identified the right cybersecurity partner and some funding to help increase your security posture, you'll want to start with a technical control suitability and configuration assessment, including a penetration test. This is an eye-opener for a lot of local governments that never thought twice about sign-in credentials or the risk posed to systems that are often taken for granted, like emergency response or traffic lights.
Your cybersecurity partner should perform both internal and external pen testing in its assessment. The findings from those tests should serve as priorities for the administration and provide the to-do list for the next 24 months to orchestrate and support a cybersecurity strategy.
There is no quick fix for cybersecurity, but there are plenty of reasons to make the investment outside of recovery costs or ransom payments.
Consider that the Washington, DC, police network was breached and hackers posted hundreds of pages of purported internal documents. In Cornelia, Georgia, a fourth ransomware attack in two years disabled the town's software network so it couldn't pay its outstanding bills or bill its own customers for water use. In fact, water treatment plants have been of particular interest to hackers. Public water systems were hacked in California, Florida, and Pennsylvania last year, although thankfully none of the attacks have resulted in poisoned water reaching residents.
Local governments have already been targeted heavily, and their threat landscape has only grown since Russia's invasion of Ukraine. The US has been bracing for Russian cyberattacks to hit home as the conflict intensifies. Municipalities, particularly the ones that control utilities, can protect against hackers' disruptions by making the necessary investments in security. With proper protections, you can save yourself from those headaches and avoid the disastrous disruptions and costs of an attack.