With cybercriminals on the attack, states help cities punch back

 

Connecting state and local government leaders

The majority of publicized ransomware attacks in the United States last year targeted local governments.

When the city of Lodi, California’s computers got hit by a ransomware attack last April, the strike disabled phone lines, forced police officers to write reports by hand and prevented workers from sending out utility bills.

City officials refused to pay the ransom of 75 bitcoins -- about $400,000 -- and instead turned to their cyber insurance company, which sent in a legal team and security experts to investigate and help return the system to normal.

“It took a lot of our energy and ended up consuming a great deal of time,” recalled City Manager Steve Schwabauer. “We ultimately filed a claim of about $250,000, and it’s not fully closed yet.”

State legislators later gave Lodi, a city of about 67,000, a half-million-dollar grant to upgrade cybersecurity.

As cybercriminals increase their attacks against local governments -- hundreds of municipalities and county agencies were hit in the past two years -- some states are helping cities and counties better protect themselves.

States have offered election cybersecurity, responses to ransomware attacks that take computer systems hostage, training and other programs, according to a recent report by the National Governors Association and the National Association of State Chief Information Officers.

“It’s the right thing to do,” said Meredith Ward, the latter group’s policy and research director. “Cybersecurity is a team sport. States and local government and the private sector all have a role to play.”

But while 65% of states report that they provide some cybersecurity services to local governments, the scope varies widely. And other states aren’t doing anything to help, saying they don’t have jurisdiction over local governments or they lack money to spare.

“It’s very hard for most local governments,” said Alan Shark, executive director of the Public Technology Institute, a Washington, D.C.-based nonprofit that provides training and other support to local government information technology executives. “They lack the resources to adequately protect themselves. Yesterday’s fixes don’t work today. The cybercriminals are encouraged.”

But Shark said more states are starting to assist local governments in restoring their systems.

The states committed to collaboration are on the right track, the report by the governors’ and IT chiefs’ groups found.

Among them:

  • Illinois created a program that helps local election officials improve their cybersecurity readiness and conduct risk assessments. It hired IT specialists to help local election offices beef up their security.
  • Iowa is using a federal grant to offer counties cybersecurity vulnerability scanning and to pay for hardware and anti-malware tools. It also is piloting cyber projects with schools, cities and hospitals.
  • North Carolina developed a partnership with the state’s National Guard and emergency management division to help local governments, school systems and community colleges recover data compromised during a cyberattack and provide training to help prevent future incidents.
  • Pennsylvania partnered with the county commissioners’ statewide association to provide security awareness training and phishing exercises for all 150,000 county and state employees and contractors. Phishing victims unwittingly click on emailed links designed to get personal information, such as passwords.

“It’s about working outside your comfort zone and forging relationships,” said Erik Avakian, Pennsylvania’s chief information security officer. “We think this is really the path forward for all states. It’s something they should be looking at.”

Cyberattacks spike

Cybersecurity remains a serious issue for state governments, as sophisticated hackers and cybercriminals are constantly scanning computer networks looking for vulnerabilities. Those networks contain information such as Social Security numbers, birth certificates, bank account details and credit card numbers of millions of individuals and businesses.

But it’s especially hard for local governments. Just last month, for example, a small school district near Austin, Texas, with 9,600 students, disclosed that it had lost $2 million in a phishing email scam.

Local governments saw a spike in cyberattacks in 2019, and experts say it doesn’t look like they’re going to abate any time soon.

In the past 24 months, at least 370 cyber incidents affecting local governments and public safety agencies were publicly reported in 47 states, according to Aubrey Larson, a marketing manager at SecuLore Solutions, a Maryland-based cybersecurity company. That’s a 150% hike over the previous two-year period, she said.

In fact, the majority of publicized ransomware attacks in the United States last year targeted local governments, according to the report by the governors’ and state IT officers’ associations. Cities and counties provide essential services to residents and need access to their data to function effectively.

Ransomware hijacks government computer systems and holds them hostage until their victims pay a ransom or restore the system on their own.

In October, the FBI issued a public service announcement, saying state and local governments “have been particularly visible targets for ransomware attacks.”

Those attacks can be devastating.

Democratic New Orleans Mayor LaToya Cantrell declared a state of emergency in December after a ransomware attack hobbled the city. Officials had to shut down more than 4,000 computers and close municipal courthouses. The attack has cost the city at least $7 million.

Nearly two dozen Texas cities were targeted in a ransomware attack in August that led Republican Gov. Greg Abbott to order a “Level 2 Escalated Response,” which is just one level below the emergency management division’s highest alert. The state led the response and helped the cities restore their systems.

And Baltimore was hit by a ransomware attack in May that crippled thousands of computers and left workers unable to access online accounts and payment systems for weeks. City officials transferred $6 million from a parks and recreation fund to pay for cyber protections. In total, restorations and repairs cost $18 million.

Crossing boundaries

Preventing and responding to attacks can be complicated when efforts involve jurisdictions that generally operate independently of one another.

“Some cyber incidents are truly becoming emergencies. [State and local IT officials] shouldn’t be exchanging business cards at that point,” said Maggie Brunner, cybersecurity program director for the national governors’ group. “They should be doing it ahead of time. We’d love to see state CIOs know every single local IT director.”

In Pennsylvania, IT security chief Avakian said his agency held quarterly meetings with county IT officials to build relationships and find out about their cybersecurity needs.

“The fact that we’ve cracked this nut across jurisdictional boundaries is significant,” Avakian said.

Because of the collaboration, he said, the state was able to buy licenses for the phishing training exercise in bulk. The larger number of users lowered the cost per unit and saved the state and its 67 counties a considerable amount of money. He wouldn’t say how much.

“Now that we’ve done this, more people want to come onboard -- school districts, cities,” Avakian said. “It’s kind of taken off.”

Michael Sage, chief information officer for the County Commissioners Association of Pennsylvania, called the cyber training and relationship the counties have developed with the commonwealth “a fantastic effort.”

“It has bolstered awareness and helped the counties understand where the threats are coming from, so they can stay vigilant,” Sage said. “The more we can collaborate and share, the better off we’re going to be.”

Stumbling blocks

While some states have provided help, others have “little or no engagement with local governments,” when it comes to cybersecurity, according to the report by the governors’ and state IT officials’ groups, though the report didn’t list the states that are uninvolved.

That needs to change, they say.

“Cybersecurity is not just an ‘IT problem’ anymore,” the report said. “It is a critical business risk, homeland security and public safety threat, voter confidence issue and economic development opportunity.”

But there are impediments, said Ward, of the state IT officials’ group.

“Sometimes, states will say, ‘We don’t have jurisdiction to help local governments. That’s not our swim lane,’” she said. “Or localities will say, ‘We’re good, and we don’t need your help.’”

And Ward said some states say they don’t have the money to help local governments with cybersecurity. “They’ll say, ‘We’re just trying to keep our head above water ourselves.’”

The report recommended that states overcome those obstacles by building relationships with municipal leagues and county associations and raising awareness by holding cyber summits. States also should explore ways to save money by consulting local governments during the cyber contract planning process.

“You don’t need to have jurisdictional permission nor money to pick up the phone and call someone and build a relationship,” Ward said. “That’s something anyone can do.”

This article was first posted to Stateline, an initiative of The Pew Charitable Trusts.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.