While big-name incidents fill the headlines, local governments and agencies face cyber crime at an alarming rate. In a very direct way, this impacts everyone’s life. The pandemic has forced state and local groups to deploy defenses at a distance over their networks and apps. But local systems are often unencrypted and insecure, with no improvements made to defenses at all.
Studies have shown that only 38% of state and local government employees have been trained on ransomware prevention. What kind of damage occurs due to this lack of training? Last April, the Washington D.C. police force suffered an attack by a group allegedly posting department data. The data dump included more than three dozen of the police chief’s daily intelligence briefing papers.
Meanwhile, ransomware attacks against Baltimore County Public Schools and Fairfax County Public Schools caused online classes to grind to a halt.
For threat actors, no government agency is too big or too small. The Hampton Roads Sanitation District, Bristol Police Department, Baltimore’s largest drug treatment clinic, an Iowa school district and the Alaska Department of Health and Human Services have all been victims of cyber crime. This middle zone of society — where everyday things like schooling, wastewater treatment, health care and law enforcement occur — is at risk for attack.
Cyber Crime: A Well-Known Risk
The attack on the Baltimore County schools occurred one day after a state audit found “significant risks” within the system’s computer network. The school district hadn’t secured the network enough or properly safeguarded sensitive personal information, according to the Office of Legislative Audits.
The audit found that “intrusion detection prevention system coverage for untrusted traffic did not exist.” Students were allowed “unnecessary network-level access to administrative servers” within the school system’s data center and individual schools. Also, 26 servers open to the public were located within the district’s internal network rather than isolated in a separate protected network zone to reduce risks.
The problem is schools don’t put cybersecurity first. But maybe they should. In some cases, auditors have been warning local governments for years about the risk of cyber crime.
A Bonanza of Targets for Cyber Crime
There are over 90,000 local government organizations in the U.S. alone. These offices house troves of data, such as personally identifiable information (PII), names, addresses, driver’s license numbers, credit card numbers, Social Security numbers and personal medical information. And each office has contractual, billing and financial information of the governments themselves. All of this data can be held for ransom and/or sold later if it gets into the cyber crime economy.
Donald F. Norris served for 27 years as director of the Maryland Institute for Policy Analysis and Research. He was also the founding editor-in-chief of the International Journal of Electronic Government Research. His research shows conclusively that, on average, local government systems are not well defended.
In 2021, $118.7 billion in technology spending was projected for state and local governments. However, this budget doesn’t even come close to covering all the technical and security needs facing government organizations.
Norris points out that the top three barriers to effectively defending against cyber crime are the inability to pay competitive salaries to cybersecurity employees (58.6%), an insufficient number of cybersecurity staff (53.1%) and a lack of funds (52.8%). All three involve constrained budgets.
Finally, for local governments, the rapid spread of Internet of Things devices (cameras, sensors, traffic management, meter reading, etc.) greatly increases the attack surface. Devices tend to be numerous and heterogeneous, with different manufacturers, capabilities and interfaces, which makes security management all the more difficult.
Massive Cybersecurity Gap
Many government offices are woefully lacking in tools and strategies to prevent cyber crime. For example, in the city of Baltimore, a simple Microsoft patch could have prevented an $18 million incident caused by Robbinhood ransomware.
In that 2019 incident, threat actors took over nearly all of Baltimore’s IT infrastructure and demanded a ransom of 13 bitcoin (about $76,000) to release the city’s systems and data. The city refused to pay, and ransomware recovery lasted months before systems came back online. During that period, services for water billing, property taxes, property sales, parking tickets, email and voicemail were all disrupted. Today, these ransomware examples have become all too common.
Funding, Funding, Funding
While money doesn’t fix everything, in the case of local government security risk, lack of funding is a major problem. Whether they are aware of the risk or not, school districts, public health care facilities and police departments don’t have cash lying around to cover the cost of security.
In a large sense, it begins with awareness. Even though it may be embarrassing, cases like Baltimore should be shared with other local government leaders. If they don’t implement budgetary measures, nothing will change when it comes to crafting and deploying adequate security policies.
Every government has spending priorities. However, with so much depending on IT infrastructure these days, can any government afford to go without a solid security plan?
Local government leaders may suggest cyber insurance, at least as a starting point. The reason for this is that most insurance providers will perform an audit. From there, critical issues that could open the client up to cyber crime can be found and resolved. Also, insurers can provide guidance on incident response steps.
There’s a good chance the public and private sectors may need to team up to address the gaps in local government. The U.S. government itself has already laid out guidance with the NIST Cybersecurity Framework.
Seven Important Cybersecurity Policies for Local Governments
Norris outlines the following as the backbone of defending against cyber crime for local government agencies:
- Formal cybersecurity policy
- Password management policy
- Policy regarding applying software patches
- A cyber risk management plan
- Incident response/disaster recovery/business continuity plan
- Policy on the use of external devices (e.g., cell phones/flash drives)
- Policy for vendors, contractors and cloud services
Cybersecurity needs to be improved in many sectors, but the public square is one place we cannot afford to neglect. Local governments, agencies and schools need all the funding and support they can get.