On Feb. 25, 2016, a civilian employee in the Sarasota, Fla., Police Department clicked on an attachment to an email. Instead of opening a document, the worker inadvertently launched a ransomware attack that encrypted 160,000 city files and triggered an extortion that demanded up to $33 million in the virtual currency known as bitcoin to unlock them.
The situation was so dire that the city’s IT department literally had to unplug the city’s computer system and then spent the following night getting rid of the malware and restoring its systems. City IT Director Herminio Rodriguez later told city investigators, “In 25 years, that was the worst disaster I’ve ever encountered. It was an end-of-life event from the IT perspective.”
Sarasota, population 56,000, and its IT department weathered the attack. But smaller governments haven’t been so lucky. In Cockrell Hill, Texas, a small city of 4,200, a ransomware attack back in December 2016 encrypted all the files in the police department. When the department refused to pay the $4,000 ransom demand, the department’s records, dating back to 2009, were lost.
Ransomware is just one type of attack on local governments. Other incidents involve breaches to gather information, such as personally identifiable information and credit card numbers, which can be used to commit fraud, for example. Whether the attacks are intrusions or breaches, their number and sophistication are increasing.
Nearly 40 percent of local government CIOs report experiencing more attacks during the last 12 months, according to a 2016 survey by the International City/County Management Association (ICMA). And the frequency is increasing too, with 26 percent of CIOs reporting an attack, incident or breach attempt occurring hourly, while another 18 percent report a cyberattempt at least daily.
That’s bad news for local governments, which have fewer resources than many larger jurisdictions to fight back. But it’s especially bad for small to mid-sized cities, counties and towns, which may have only one full-time person devoted to IT — including cybersecurity — if they are lucky.
Local governments are attractive targets for cybercriminals for the valuable data they store, and the fact that many are connected to state systems and big networks, where the quantity and quality of data is likely to be greater. And in a few cases with small jurisdictions, local governments are attractive targets because some are willing to pay the extortion fee to regain access to their records.
Lou Romero, e-gov cyber liability and risk practice lead at Pivot Point Security, surveyed nearly 200 municipalities in New Jersey, and what he found out was both sobering and worrisome. “Take passwords. I found that 78 percent of municipalities don’t have an adequate password management policy,” he said. “That means the majority of the passwords never expire and they typically use six characters.”
Romero ticked off other troublesome statistics: 97 percent of the municipalities he surveyed don’t have a well-documented disaster recovery plan; 46 percent store their backup files and records onsite rather than offsite or in the cloud; and 90 percent of local governments don’t bother to encrypt sensitive emails. These kinds of basic cyberhygiene mistakes indicate a lack of preparedness, especially among smaller local governments.
Local governments, in general, tend not to outsource cybersecurity operations — 61.8 percent keep it in house, according to ICMA. But as local governments get smaller in size, the inclination is to outsource all IT operations, including cybersecurity, according to Romero. A 2015 survey of 200 small local governments in Washington state by the nonprofit Municipal Research and Services Center found that a majority of respondents didn’t have any staff members dedicated to IT or cybersecurity. While most did use some kind of anti-virus protection and email security, only about 25 percent of the local governments surveyed reported updating their security policies on an annual basis.
The lack of good policies and practices can be traced to some fundamental problems that plague government at every level. “We just don’t have the resources to do this kind of thing,” said Steve Sedore, executive director of operations in Allegan County, Mich. Those missing resources include: lack of funds; insufficient cybersecurity staff; inability to pay competitive salaries for security talent; lack of training; and lack of end-user accountability and awareness.
The less rigorous a local government’s cybersecurity practice is, the more challenging it becomes to reduce risk. And that’s a problem that has caught the attention of the cyberinsurance industry. While the market for cyberinsurance has matured in recent years, municipalities will pay a hefty premium for a policy if their cyberhygiene isn’t up to snuff. Some experts argue that the money on insurance might go to better use providing more robust protection.
Lack of good cyberdefenses, policies and practices raises an even more troubling issue for any local government that uses the bond market to pay for capital projects, such as new sewers, schools and roads. A cyberattack could end up lowering a government’s credit rating. While no government yet has been downgraded because of a cyberattack, S&P analyst Geoff Buswick told Governing* magazine in June that the risk is real, “particularly for smaller governments with less financial flexibility.” According to Buswick, cyberattacks can cost a lot, including taxpayer trust. That, in turn, can hinder a government’s ability to raise taxes.
For small local governments, getting a handle on cybersecurity issues starts with information. Knowing what your vulnerabilities are allows a local government to direct its limited resources toward the weakest link in the chain and beef up security. For example, many municipalities that operate with just a handful of employees often outsource their payroll services, credit card processing and other basic administrative functions. Yet few small-sized municipalities conduct the due diligence on the robustness of the security of these third-party providers or try to find out if the contracts include contingencies if the provider suffers a data breach. One answer is to conduct such due diligence or hire a firm to carry out a third-party risk assessment.
Another valuable source of information that local governments often lack is data on the effectiveness of their security controls. The solution is to conduct an audit that includes penetration testing of cyberdefenses. But that can be very expensive. For help, local governments have turned to state governments, and some have responded. Washington state earlier this year began offering free cybersecurity audits to more than a dozen municipalities. The state pays for the tests through an initiative approved by voters in 2014 that has allowed the state auditor to appropriate approximately $20 million for various performance audits, including cybersecurity.
Michigan is another state that is making a concerted effort to ease the burden of cybersecurity on its more than 1,300 local governments. For three years, the state has had a squad of volunteers, known as the Michigan Cyber Civilian Corps, or MiC3, standing by, ready to provide technical assistance if the state gets hit with a crippling cyberattack.
But MiC3 has yet to be deployed. This year, state officials are pushing the state Legislature to pass a bill that would broaden the scope of MiC3 so it could help local governments, as well as nonprofits and businesses.
More proactively, the state has also launched a pilot program with five local governments to test whether a chief information security officer (CISO) can operate as a shared service. The idea is to have a certified, trained cyberprofessional who could help local governments that lack such expertise, according to Allegan County, Mich.’s Sedore.
The program starts with an audit using an assessment tool that identifies what critical controls Allegan should have in place. Eventually the pilot will identify what proper procedures and policies should be in place to mitigate potential cyberissues.
“The state has agreed to be the parent to this program, and through their funding, they have hired a CISO to provide a shared service role,” said Sedore. “The objective is to find out how we can tap into the CISO-as-a-service to address specific cyberconcerns.”
After 18 months, if the pilot generates evidence that the shared service approach is beneficial for local governments, then Sedore thinks the effort could become a full-fledged program. That, of course, would require a sustainable funding mechanism, as well as a sustainable business plan, according to Sedore. “It’s been a great program so far and we have all progressed in a very short period of time,” he said.
Sedore cited lack of cybersecurity knowledge as a big challenge for his small IT staff. General county employees also lack a good awareness about cybersecurity risks. Another challenge is auditing and logging of incidents. Again, better information can generate better defenses. But without that data it’s hard to be proactive. “The proliferation of attacks has reached a height that you can no longer sit and wait,” he said. “You have to proactively put measures in place to reduce the risk level. Having a CISO-as-a-service is one of the key measures that can make a difference for a small local government.”
For some smaller local governments, the importance of good cybersecurity crystallizes when a breach occurs, systems are impacted, files aren’t available and the network is shut down. Several years ago, a cyberattack hit the city of Sugar Land, Texas (population 87,000), forcing city officials to confront an issue that had received little attention in the past.
The result: The city now has its first CISO. Anthony Leatherwood’s title is officially manager of IT operations, “but my background is cybersecurity,” he said.
The attack was a wake-up call to city officials. “It really impacted the network,” explained Leatherwood. “After that, one of the initiatives was to better secure the city, so I came in, started locking things down, putting controls into place.”
Leatherwood said the most frequent type of cyberincident involves phishing, including ransomware attacks. Viruses are another concern and hard to control in today’s world of Web services. “Everyone wants to deploy their own types of applications, which means trying to get a security architecture review [of the software] before it is deployed,” he said. “That’s a challenge for local governments.”
Leatherwood also cited the open government trend as another example of how access to information has changed as demand for transparency has increased, yet it has also made it easier for the “bad guys” to access information that can be exploited. “If you scan any website, you can pick up on how to reach the city officials and workers. That’s information that any private-sector firm would guard from exposure. But we have all these distribution lists out there,” he said.
To cope with the ever-growing challenges, Leatherwood operates much like any CISO working for a large government organization. He runs awareness training to keep city staff alert to the latest in phishing exploits and to reduce mistakes; he has built up a layered defense, involving several different vendors; and he is partnering with the Department of Homeland Security to start a project that will give the city’s supervisory control and data acquisition (SCADA) systems better defense. “It may mean going with a system that may cost a little bit more money, but it will mean better security,” he said.
Despite having been a victim of a cyberattack, Leatherwood said it is still a challenge to keep cybersecurity front and center as a priority. “Senior officials are aware [of the problem], but they are not aware enough. The awareness level has risen, but not to the point where it is part of every decision.”
Leatherwood is not alone on this issue. Only 20 percent of local government CIOs believe their top appointed managers are exceptionally aware of cybersecurity risks, according to ICMA.
“We need to stay on top of this,” said Leatherwood. “You have to keep it at the forefront of everybody’s mind. Security is no different than cops and guns. If you want to consider your city safe, it can’t just be about cops, guns and bullets. It’s got to be cybersecurity as well.”