Cyberattacks on local government in the U.S. have increased dramatically over the last several years. In 2019 alone, ransomware affected more than 100 state and local governments, according to Recorded Future — and that’s just one threat vector. Municipalities are also at risk from insider threats, coordinated attacks and other perils.

What is it about municipal organizations and local governments that makes them such attractive targets for threat actors? Why are cybercriminals directing greater attention and resources toward attacking them?

In short, local governments are extremely attractive targets because they store valuable data on government operations and the citizens they serve, they lack adequate funding and skills in their information security programs, and they often have to yield to criminals’ demands to ensure critical services stay online.

Let’s dive deeper and explore some of the factors that contribute to this situation.

Attackers Are After Treasure Troves of Valuable Data

Municipalities collect and store large amounts of data encompassing many sensitive pieces of information. This includes personally identifiable information (PII) like Social Security numbers, birth dates and driver’s license numbers, employee payroll information, banking details used by residents for electronic payments, credit card data for both individuals and businesses, court records, and many other forms of information that criminals can exploit for malicious purposes after a successful cyberattack.

Criminals love this kind of data because much of it doesn’t change regularly, which means if they steal it, they can “age it” like a fine wine. For example, even if a government data breach is detected, the threat actors can wait for several months or even years before they utilize the data, by which point many of the people whose data was compromised may have let their guard down. And of course, state and local governments also have bank accounts and public funds from which money can be stolen.

Inadequate Cybersecurity Budgets and Talent

Unlike many businesses of similar size, municipalities often lack sufficient resources to adequately secure their infrastructure. Likewise, because they can be bound by various salary restrictions, local governments often have problems attracting high-caliber information security personnel — at least in areas with highly competitive job markets, which is the case for most parts of the U.S. right now.

Additionally, it is important to realize that state governments, which often help fund programs at the local level, face serious security challenges themselves and typically cannot spare the resources to help municipalities on a day-to-day basis with information security. And in many cases, local governments use different computer systems than their respective states, so state personnel may not have enough of an understanding of the local systems to oversee their security.

Legacy Systems and Outdated Technology

Municipal and government agencies tend to invest in areas that matter most to residents. Often, this drives them to upgrade their technology infrastructure less frequently than commercial organizations do, so they can be more efficient with their budgets.

Unlike businesses, governments do not need to worry about competitors having better systems. Residents cannot pay their property taxes to some other town if they prefer the other town’s payment system, and nobody chooses what town to live in or where to establish their business based on the particular system that area uses to collect taxes electronically. Likewise, publications don’t rank the desirability of a town based on such factors. As a result, government security technologies are often outdated, and in some cases unsupported, which makes them ideal targets for hackers.

Local Governments Can’t Afford to Have Services Go Offline

One of the reasons why hospitals have become primary targets for ransomware attackers is that, unlike many businesses, they often can’t keep their systems offline for as long as it would take to restore them from backups. A similar challenge faces local government entities like police departments, fire departments, emergency medical services and other critical divisions of government that cannot stay offline for any significant period of time.

Likewise, the cost of downtime might exceed the cost of a ransom. This may be the case if a municipality can’t, for instance, process revenue-generating transactions for a significant period of time.

Cybercriminals know that these factors can leave certain state and local government entities especially vulnerable, which means those entities would be disproportionately likely to pay ransoms if their systems were taken hostage.

Susceptible to Ransomware

Many recent cyberattacks on local government were committed using ransomware, and several high-profile cases of local governments paying ransoms demanded by attackers have provided strong incentives for other hackers to launch similar attacks. This is one of the many reasons why security experts recommend that cities avoid paying the ransom if possible. Instead, state and local governments should shift their focus from ransomware detection to prevention.

Smart City Programs Create Huge Attack Surfaces

Government targets will likely become even more enticing for attackers in the future. One area of tech where more and more cities are investing is internet of things (IoT) infrastructure, which can help deliver services more efficiently and reduce management costs. Deploying IoT systems across entire cities can create many potential attack points and introduce new systems for criminals to compromise or hold hostage.

IoT and smart city technologies offer great opportunity, but they also increase the likelihood of a serious government data breach if security isn’t ingrained in every part of the system and every user operating on it.

How State and Local Governments Can Reduce Their Risk

The critical first step toward securing municipal systems is ensuring awareness. All government employees must realize and internalize that they are targets, as people who believe they are targets tend to act more cautiously. They generally protect themselves better and act with greater diligence and suspicion when they encounter anomalous requests. Educating all employees about the cyberthreats facing them and the security of the data and systems they handle is therefore essential.

Governments require sufficient resources to build proper information security programs. Government employees must raise alarms and explain in clear terms what could happen if there is a breach. Ultimately, local governments are funded by taxpayers, and taxpayers have the right to know what risks they face if governments do not invest properly in information security programs and technology. News stories about the string of cyberattacks on local government in 2019 and 2020 can back up claims and help convince both elected officials and taxpayers of the need to boost investments in local information security.

I won’t go into the specifics of developing and implementing a proper government cybersecurity program here — this will follow in future SecurityIntelligence articles on municipal cyberattacks. However, it is important to emphasize that building an effective security program at this level requires significant time, money and planning, so state and local governments must be prepared to dedicate resources to this effort or risk facing more devastating attacks in the future.

In the meantime, governments could encourage, support and reward individuals and organizations that practice proper cyber hygiene. Doing so likely won’t require significant effort or resources, and it can dramatically reduce the odds of a successful cyberattack.
