While big-name incidents fill the headlines, local governments and agencies face cyber crime at an alarming rate. In a very direct way, this impacts everyone’s life. The pandemic has forced state and local groups to deploy defenses at a distance over their networks and apps. But local systems are often unencrypted and insecure, with no improvements made to defenses at all.

Studies have shown that only 38% of state and local government employees have been trained on ransomware prevention. What kind of damage occurs due to this lack of training? Last April, the Washington, D.C. police force suffered an attack by a group that allegedly posted department data. The data dump included more than three dozen of the police chief’s daily intelligence briefing papers.

Meanwhile, ransomware attacks against Baltimore County Public Schools and Fairfax County Public Schools caused online classes to grind to a halt.

For threat actors, no government agency is too big or too small. The Hampton Roads Sanitation District, Bristol Police Department, Baltimore’s largest drug treatment clinic, an Iowa school district and the Alaska Department of Health and Human Services have all been victims of cyber crime. This middle zone of society — where everyday things like schooling, wastewater treatment, health care and law enforcement occur — is at risk for attack.

Cyber Crime: A Well-Known Risk

The attack on the Baltimore County schools occurred one day after a state audit found “significant risks” within the system’s computer network. The school district hadn’t secured the network enough or properly safeguarded sensitive personal information, according to the Office of Legislative Audits.

The audit found that “intrusion detection prevention system coverage for untrusted traffic did not exist.” Students were allowed “unnecessary network-level access to administrative servers” within the school system’s data center and individual schools. Also, 26 servers open to the public were located within the district’s internal network rather than isolated in a separate protected network zone to reduce risks.

The problem is schools don’t put cybersecurity first. But maybe they should. In some cases, auditors have been warning local governments for years about the risk of cyber crime.

A Bonanza of Targets for Cyber Crime

There are over 90,000 local government organizations in the U.S. alone. These offices house troves of data, such as personally identifiable information (PII), names, addresses, driver’s license numbers, credit card numbers, Social Security numbers and personal medical information. And each office has contractual, billing and financial information of the governments themselves. All of this data can be held for ransom and/or sold later if it gets into the cyber crime economy.

Donald F. Norris served for 27 years as director of the Maryland Institute for Policy Analysis and Research. He was also the founding editor-in-chief of the International Journal of Electronic Government Research. His research shows conclusively that, on average, local government systems are not well defended.

In 2021, $118.7 billion in technology spending was projected for state and local governments. However, this budget doesn’t even come close to covering all the technical and security needs facing government organizations.

Norris points out that the top three barriers to effectively defending against cyber crime are the inability to pay competitive salaries to cybersecurity employees (58.6%), insufficient number of cybersecurity staff (53.1%) and lack of funds (52.8%). All three involve constrained budgets.

Finally, for local governments, the rapid spread of Internet of Things devices (cameras, sensors, traffic management, meter reading, etc.) greatly increases the attack surface. Devices tend to be numerous and heterogeneous, with different manufacturers, capabilities and interfaces, which makes security management all the more difficult.

Massive Cybersecurity Gap

Many government offices are woefully lacking in tools and strategies to prevent cyber crime. For example, in the city of Baltimore, a simple Microsoft patch could have prevented an $18 million incident caused by Robbinhood ransomware.

In that 2019 incident, threat actors took over nearly all of Baltimore’s IT infrastructure and demanded a ransom of 13 bitcoin (about $76,000) to release the city’s systems and data. The city refused to pay, and ransomware recovery lasted months before systems came back online. During that period, services for water billing, property taxes, property sales, parking tickets, email and voicemail were all disrupted. Today, these ransomware examples have become all too common.

Funding, Funding, Funding

While money doesn’t fix everything, in the case of local government security risk, lack of funding is a major problem. Whether they are aware of the risk or not, school districts, public health care facilities and police departments don’t have cash lying around to cover the cost of security.

In a large sense, it begins with awareness. Even though it may be embarrassing, cases like Baltimore should be shared with other local government leaders. If they don’t implement budgetary measures, nothing will change when it comes to crafting and deploying adequate security policies.

Every government has spending priorities. However, with so much depending on IT infrastructure these days, can any fail to have a solid security plan?

Cyber Insurance

Local government leaders may suggest cyber insurance, at least as a starting point. The reason for this is that most insurance providers will perform an audit. From there, critical issues that could open the client up to cyber crime can be found and resolved. Also, insurers can provide guidance on incident response steps.

There’s a good chance the public and private sectors may need to team up to address the gaps in local government. The U.S. government itself has already laid out guidance with the NIST Cybersecurity Framework.

Seven Important Cybersecurity Policies for Local Governments

Norris outlines the following as the backbone of defending against cyber crime for local government agencies:

  • Formal cybersecurity policy
  • Password management policy
  • Policy regarding applying software patches
  • A cyber risk management plan
  • Incident response/disaster recovery/business continuity plan
  • Policy on the use of external devices (e.g., cell phones/flash drives)
  • Policy for vendors, contractors and cloud services.

Cybersecurity needs to be improved in many sectors, but the public square is one place we cannot afford to neglect. Local governments, agencies and schools need all the funding and support they can get.
