After looking into recent history and current-day security issues that affect federal and local government bodies, IBM X-Force Incident Response and Intelligence Services (IRIS) researchers stress that the state of cybersecurity and resilience in the public sector needs an urgent boost.

U.S. citizens rely on state governments and local municipalities to provide a host of services — everything from access to public records, law enforcement protection, education and welfare to voting and election services. These resources allow citizens to participate in our democracy and benefit from social services. As technology advances, so does the citizen-consumer’s demand for an increasing number of these services to be provided digitally.

State and local government bodies have thus responded to the demand by increasingly modernizing the way they serve citizens and digitizing access to what was previously only available in-person or on paper.

While this digital transformation is a positive step forward, granting ease of access to citizens looking to engage with state services from the comfort of their own home, it also increases risk by opening up previously internal systems to the public internet. Considering the breadth of information that governing bodies collect and hold on each individual living in their jurisdiction, it is no surprise that threat actors come a-knocking in search of data-rich records to steal, expose or encrypt for ransom.

Government data troves represent a unique attraction for cybercriminals, and therefore require an equally unique approach to ensure the protection of critical, digital state and municipal systems. Securing these systems properly necessitates both funding and policies for a more secure future.

According to a 2016 survey by the International City/County Management Association (ICMA), local government bodies need that sort of support more than any other form of aid to improve the security of their systems.

Figure 1: The top three factors that local governments need to ensure the highest level of cybersecurity (Source: ICMA)

The ICMA goes on to highlight that 44 percent of municipality and county respondents in its survey felt that greater funding for cybersecurity was needed, 38 percent cited the need for better cybersecurity policies and 38 percent called for greater cybersecurity awareness among local government employees.

Billions of Dollars in Losses Hit Taxpayer Pockets

Data breaches that affect the public sector are costing taxpayers well over a billion dollars a year — an estimate that should call any state government’s attention to the rising security risk this sector is facing.

According to the Identity Theft Resource Center (ITRC)’s “2018 End-of-Year Data Breach Report,” data breaches in the government/military sector resulted in the exposure of more than 18 million records in 2018. The IBM-sponsored “Cost of a Data Breach Report,” released annually by the Ponemon Institute, discovered the average cost of a lost record in the public sector was $75 per capita in 2018. Combining these numbers easily brings the potential losses to $1.35 billion in just one year.

These costs can add up quickly considering data breaches and ransomware attacks affecting government systems have been a very frequent and costly issue. A single ransomware attack that struck Baltimore, Maryland, in May 2019 will end up costing the city over $18 million in technological upgrades and lost revenue. That’s $18 million of unexpected spending that has thrown off the city’s budget for years to come.

The costs that could be attributed to financially motivated cybercrime are overshadowed by the immense potential losses that could befall the country if it were to suffer a more systemic attack at the hands of a hostile nation. In 2015, the University of Cambridge and Lloyd’s published a report in which they found that a cyberattack on the U.S. electric grid could leave 15 states and 93 million people between New York City and Washington, D.C., without power. The total impact on the U.S. economy in the case of such an attack was estimated to be between $243 billion and $1 trillion, potentially leading to direct damage to assets and infrastructure, loss in sales revenue to electricity supply companies, and disruption to the overall supply chain.

Adversaries Abound, Attack Attempts Incessant

Cyberattacks on the public sector have reportedly been carried out by adversaries ranging from cybercriminal groups to state-sponsored threat actors. One example is the major breach that befell the U.S. Office of Personnel Management (OPM), which was later attributed to China.

This sector is not exempt from financially motivated attacks, with cybercriminals hitting cities with ransomware attacks and then extorting them to have the data unlocked. In one case that emerged in the summer of 2019, at least 22 municipalities in Texas were infected with ransomware and held for ransom. The attack was found to be a coordinated cybercrime operation.

For cybercriminals looking to turn a profit, the data troves that government agencies store on citizens hold the promise of records rich with personally identifiable information (PII) that can be used in identity theft and numerous fraud scenarios. For state-sponsored threat actors looking to collect confidential information, or even disrupt and potentially destroy critical infrastructure, state and local government networks represent high-value targets that could satisfy multiple objectives.

With a wide array of motivated attackers targeting the government sector, attacks are plentiful. The ICMA survey from 2016 revealed that 60 percent of local governments that are aware of the frequency of cyberattacks on their IT systems (including attacks, incidents and breaches) reported their networks are subject to daily, almost hourly, malicious access attempts and assaults.

Response Has Been Lackluster

Malicious cyberactivity against the public sector has been making headlines for the past five years, but although the stakes are high, the response from government agencies has not always been adequate.

Cyberattacks on critical infrastructure, for example, can move far beyond the discomfort of delayed online updates to current legislation or a brief return to the handwritten check while online portals become functional again. Should a local government become the victim of a cyberattack or breach, citizens could face consequences that are far more dire than a simple inconvenience, such as:

  • Hospital operating rooms could potentially face blackouts during critical patient procedures.
  • Police and other first responders could be unreachable and unable to respond to crises.
  • Local universities could lose decades of intellectual property and research.
  • District attorneys’ offices and police departments could lose critical operational data.
  • Citizens’ personal information — including biometric data like fingerprints — could fall into the hands of malicious actors, potentially resulting in a lifetime of fraudulent identity challenges.

Unfortunately, these kinds of risks are only rising as government agencies face adversarial activity every day.

The U.S. Senate has documented frequent failures in federal cybersecurity to apply even basic policies and controls that would otherwise help mitigate looming risk. To address the challenges endemic to local governments’ information systems and reduce the level of vulnerabilities, a full-spectrum cyber resilience plan must be integrated into every state and local government security strategy.

Breaking down this complex attack surface, IBM X-Force IRIS researchers have provided their report on the subject, identifying some of the key issues unique to state and local governments.

Read and download “Cybersecurity for State and Local Governments: Protecting Public Infrastructure”
