After looking into recent history and current-day security issues that affect federal and local government bodies, IBM X-Force Incident Response and Intelligence Services (IRIS) researchers stress that the state of cybersecurity and resilience in the public sector needs an urgent boost.
U.S. citizens rely on state governments and local municipalities to provide a host of services — everything from access to public records, law enforcement protection, education and welfare to voting and election services. These resources allow citizens to participate in our democracy and benefit from social services. As technology advances, so does the citizen-consumer’s demand for an increasing number of these services to be provided digitally.
State and local government bodies have thus responded to the demand by increasingly modernizing the way they serve citizens and digitizing access to what was previously only available in-person or on paper.
While this digital transformation is a positive step forward, granting ease of access to citizens looking to engage with state services from the comfort of their own home, it also increases risk by opening up previously internal systems to the public internet. Considering the breadth of information that governing bodies collect and hold on each individual living in their jurisdiction, it is no surprise that threat actors come a-knocking in search of data-rich records to steal, expose or encrypt for ransom.
Government data troves represent a unique attraction for cybercriminals, and therefore require an equally unique approach to ensure the protection of critical, digital state and municipal systems. Securing these systems properly necessitates both funding and policies for a more secure future.
According to a 2016 survey by the International City/County Management Association (ICMA), local government bodies are in need of that sort of support more than any other relevant aid to better the security of their systems.
Figure 1: The top three factors that local governments need to ensure the highest level of cybersecurity (Source: ICMA)
The ICMA goes on to highlight that 44 percent of municipality and county respondents in its survey felt that greater funding for cybersecurity was needed, 38 percent cited the need for better cybersecurity policies and 38 percent called for greater cybersecurity awareness among local government employees.
Billions of Dollars in Losses Hit Taxpayer Pockets
Data breaches that affect the public sector are costing taxpayers well over a billion dollars a year — an estimate that should call any state government’s attention to the rising security risk this sector is facing.
According to the Identity Theft Resource Center (ITRC)’s “2018 End-of-Year Data Breach Report,” data breaches in the government/military sector resulted in the exposure of more than 18 million records in 2018. The IBM-sponsored “Cost of a Data Breach Report,” released annually by the Ponemon Institute, discovered the average cost of a lost record in the public sector was $75 per capita in 2018. Combining these numbers easily brings the potential losses to $1.35 billion in just one year.
These costs can add up quickly considering data breaches and ransomware attacks affecting government systems have been a very frequent and costly issue. A single ransomware attack that struck Baltimore, Maryland, in May 2019 will end up costing the city over $18 million in technological upgrades and lost revenue. That’s $18 million of unexpected spending that has thrown off the city’s budget for years to come.
The costs that could be attributed to financially motivated cybercrime are overshadowed by the immense potential losses that could befall the country if it was to suffer a more systemic attack at the hands of a hostile nation. In 2015, the University of Cambridge and Lloyd’s published a report in which they found that a cyberattack on the U.S. electric grid could leave 15 states and 93 million people between New York City and Washington, D.C., without power. The total impact on the U.S. economy in the case of such an attack was estimated to be between $243 billion and $1 trillion, potentially leading to direct damage to assets and infrastructure, loss in sales revenue to electricity supply companies, and disruption to the overall supply chain.
Adversaries Abound, Attack Attempts Incessant
Cyberattacks on the public sector have been reportedly carried out by adversaries ranging from cybercriminal groups to state-sponsored threat actors, such as the major breach that befell the U.S. Office of Personnel Management (OPM), which was later attributed to China.
This sector is not exempt from financially motivated attacks, with cybercriminals hitting cities with ransomware attacks and then extorting them to have the data unlocked. In one case that emerged in the summer of 2019, at least 22 municipalities in Texas were infected with ransomware and held for ransom. The attack was found to be a coordinated cybercrime operation.
For cybercriminals looking to turn a profit, the data troves that government agencies store on citizens hold the promise of records rich with personally identifiable information (PII) that can be used in identity theft and numerous fraud scenarios. For state-sponsored threat actors looking to collect confidential information, or even disrupt and potentially destroy critical infrastructure, state and local government networks represent high-value targets that could satisfy multiple objectives.
With a wide array of motivated attackers targeting the government sector, attacks are plentiful. The ICMA survey from 2016 revealed that 60 percent of local governments that are aware of the frequency of cyberattacks on their IT systems (including attacks, incidents and breaches) reported their networks are subject to daily, almost hourly, malicious access attempts and assaults.
Response Has Been Lackluster
Malicious cyberactivity against the public sector has been making headlines for the past five years, but although the stakes are high, the response from government agencies has not always been adequate.
Cyberattacks on critical infrastructure, for example, can move far beyond the discomfort of delayed online updates to current legislation or a brief return to the handwritten check while online portals become functional again. Should a local government become the victim of a cyberattack or breach, citizens could face consequences that are far more dire than a simple inconvenience, such as:
- Hospital operating rooms could potentially face blackouts during critical patient procedures.
- Police and other first responders could be unreachable and unable to respond to crises.
- Local universities could lose decades of intellectual property and research.
- District attorneys offices and police departments could lose critical operational data.
- Citizens’ personal information — including biometric data like fingerprints — could fall into the hands of malicious actors, resulting in potentially a lifetime of fraudulent identity challenges.
Unfortunately, these kinds of risks are only rising as government agencies face adversarial activity every day.
The U.S. Senate has documented frequent failures in federal cybersecurity to apply even basic policies and controls that would otherwise help mitigate looming risk. To address the challenges endemic to local governments’ information systems and reduce the level of vulnerabilities, a full-spectrum cyber resilience plan must be integrated into every state and local government security strategy.
Breaking down this complicated and complex attack surface, IBM X-Force IRIS researchers have provided their report on the subject, identifying some of the key issues unique to state and local governments.
Read and download “Cybersecurity for State and Local Governments: Protecting Public Infrastructure”
Senior Strategic Cyber Threat Analyst, IBM
Threat Hunt Researcher, IBM
Principal Consultant, X-Force Cyber Crisis Management, IBM