February 17, 2020 By Joseph Steinberg

Cyberattacks on local government in the U.S. have increased dramatically over the last several years. In 2019 alone, ransomware affected more than 100 state and local governments, according to Recorded Future — and that’s just one threat vector. Municipalities are also at risk from insider threats, coordinated attacks and other perils.

What is it about municipal organizations and local governments that makes them such attractive targets for threat actors? Why are cybercriminals directing greater attention and resources toward attacking them?

In short, local governments are extremely attractive targets because they store valuable data on government operations and the citizens they serve, they lack adequate funding and skills in their information security programs, and they often have to yield to criminals’ demands to ensure critical services stay online.

Let’s dive deeper and explore some of the factors that contribute to this situation.

Attackers Are After Treasure Troves of Valuable Data

Municipalities collect and store large amounts of data encompassing many sensitive pieces of information. This includes personally identifiable information (PII) like Social Security numbers, birth dates and driver’s license numbers, employee payroll information, banking details used by residents for electronic payments, credit card data for both individuals and businesses, court records, and many other forms of information that criminals can exploit for malicious purposes after a successful cyberattack.

Criminals love this kind of data because much of it doesn’t change regularly, which means if they steal it, they can “age it” like a fine wine. For example, even if a government data breach is detected, the threat actors can wait for several months or even years before they utilize the data, by which point many of the people whose data was compromised may have let their guard down. And of course, state and local governments also have bank accounts and public funds from which money can be stolen.

Inadequate Cybersecurity Budgets and Talent

Unlike many businesses of similar size, municipalities often lack sufficient resources to adequately secure their infrastructure. Likewise, because they can be bound by various salary restrictions, local governments often have problems attracting high-caliber information security personnel — at least in areas with highly competitive job markets, which is the case for most parts of the U.S. right now.

Additionally, it is important to realize that state governments, which often help fund programs at the local level, face serious security challenges themselves and typically cannot spare the resources to help municipalities on a day-to-day basis with information security. And in many cases, local governments use different computer systems than their respective states, so state personnel may not have enough of an understanding of the local systems to oversee their security.

Legacy Systems and Outdated Technology

Municipal and government agencies tend to invest in areas that matter most to residents. Often, this drives them to upgrade their technology infrastructure less frequently than commercial organizations do, so they can be more efficient with their budgets.

Unlike businesses, governments do not need to worry about competitors having better systems. Residents cannot pay their property taxes to some other town if they prefer the other town’s payment system, and nobody chooses what town to live in or where to establish their business based on the particular system that area uses to collect taxes electronically. Likewise, publications don’t rank the desirability of a town based on such factors. As a result, government security technologies are often outdated, and in some cases unsupported, which makes them ideal targets for hackers.

Local Governments Can’t Afford to Have Services Go Offline

One of the reasons why hospitals have become primary targets for ransomware attackers is that, unlike many businesses, they often can’t keep their systems offline for as long as it would take to restore them from backups. Similar situations are challenging local government entities like police departments, fire departments, emergency medical services and other critical divisions of government that cannot stay offline for any significant period of time.

Likewise, the cost of downtime might exceed the cost of a ransom. This may be the case if a municipality can’t, for instance, process revenue-generating transactions for a significant period of time.

Cybercriminals know that these factors can leave certain state and local government entities especially vulnerable, which means those entities would be disproportionately likely to pay ransoms if their systems were taken hostage.

Susceptible to Ransomware

Many recent cyberattacks on local government were committed using ransomware, and several high-profile cases of local governments paying ransoms demanded by attackers have provided strong incentives for other hackers to launch similar attacks. This is one of the many reasons why security experts recommend that cities not pay the ransom if possible. Instead, state and local governments should shift their focus from ransomware detection to prevention.

Smart City Programs Create Huge Attack Surfaces

Government targets will likely become even more enticing for attackers in the future. One area of tech where more and more cities are investing is internet of things (IoT) infrastructure, which can help deliver services more efficiently and reduce management costs. Deploying IoT systems across entire cities can create many potential attack points and introduce new systems for criminals to compromise or hold hostage.

IoT and smart city technologies offer great opportunity, but they also increase the likelihood of a serious government data breach if security isn’t ingrained in every part of the system and every user operating on it.

How State and Local Governments Can Reduce Their Risk

The critical first step toward securing municipal systems is ensuring awareness. All government employees must realize and internalize that they are targets, as people who believe they are targets tend to act more cautiously. They generally protect themselves better and act with greater diligence and suspicion when they encounter anomalous requests. Educating all employees about the cyberthreats facing them and the security of the data and systems they handle is therefore essential.

Governments require sufficient resources to build proper information security programs. Government employees must raise alarms and explain in clear terms what could happen if there is a breach. Ultimately, local governments are funded by taxpayers, and taxpayers have the right to know what risks they face if governments do not invest properly in information security programs and technology. News stories about the string of cyberattacks on local government in 2019 and 2020 can back up claims and help convince both elected officials and taxpayers of the need to boost investments in local information security.

I won’t go into the specifics of developing and implementing a proper government cybersecurity program here — this will follow in future SecurityIntelligence articles on municipal cyberattacks. However, it is important to emphasize that building an effective security program at this level requires significant time, money and planning, so state and local governments must be prepared to dedicate resources to this effort or risk facing more devastating attacks in the future.

In the meantime, governments could encourage, support and reward individuals and organizations that practice proper cyber hygiene. Doing so likely won’t require significant effort or resources, and it can dramatically reduce the odds of a successful cyberattack.
