Mission, Texas, requested state of emergency after cyberattack. Some analysts aren’t so sure
Two cybersecurity experts are questioning whether officials in Mission, Texas, were too hasty when they declared a state of emergency this month in response to a recent cyberattack.
On Tuesday, the mayor of Mission, a city with a population of 87,000 located on the Mexican border, requested an extension to the local disaster declaration it filed on Mar. 4, following a cyberattack that took place on Feb. 28, which had impacted local law enforcement’s ability to scan license plates and disabled mobile data terminals inside police cars. The city announced Wednesday it’s making progress in bringing systems back online.
Despite its impact to city operations, Mike Hamilton, former chief information security officer for City of Seattle, told StateScoop he didn’t believe the cyber incident warranted a disaster declaration.
“Reading carefully what Mission, Texas, says is it’s a server, singular. This happens over and over and over and over,” Hamilton said. “Now, I did read what has been impacted is the ability of law enforcement to look up license plates, so that does have an impact on public safety. But I do not think that this rises to the level of a disaster.”
A “state of emergency” is a declaration by a government that authorizes officials to take extraordinary measures, such as suspending normal laws and procedures, to address a man-made or natural disasters that threaten public safety or one of the sixteen critical infrastructure sectors, such as water treatment facilities or energy utilities.
Hamilton, who served as CISO from 2006-2013, led a citywide response during a malware attack on the Seattle Department of Neighborhoods in 2012, which duplicated all the accessible files on an employee’s computer and could have spread to other government agencies if his office hadn’t been prepared.
“Anything you clicked on would start the malware over again, and it was propagating to all of the shared drives that this person had access to,” Hamilton explained. “And if it had gotten over to finance, we would have lost the farm.”
Mission, Texas, Mayor Norie Gonzalez Garza sent a letter to Gov. Greg Abbott on Mar. 7 requesting he declare a more expansive state of emergency after the cyber incident forced the city to take some systems offline. According to the Government Code of Texas, cities can request a disaster declaration due to a cyberattack.
Abbott has not yet responded to Garza’s request.
“I have determined that this incident is of such severity and magnitude that extraordinary measures must be taken to alleviate the immeasurable and imminent cybersecurity incident,” Garza wrote.
‘Extraordinary’ powers
Texas is one of the few states that has ever declared a state of emergency in response to a cyberattack.
In August 2019, Texas declared a state of emergency after a ransomware attack shut down IT operations in 23 cities across the state, disrupting their ability to process licenses and certificates, collect payment for services or conduct payroll activities.
A month earlier, Louisiana had declared a state of emergency after a series of cyberattacks disabled computer and digital phone systems across three school districts in the state. A 2019 report from Moody’s Investors Service analyzed the cyber incident in Louisiana and concluded that statewide emergency declarations following a cyberattack increase the chances for restoration with minimal lasting damage.
The report also found that as more states adopt a whole-of-state approach to cybersecurity, incident response plans that treat cyberattacks with the same level of severity as natural disasters are becoming more common in state governments.
Last year, the city manager of Oakley, California, declared a state of emergency to accelerate the city’s response to a ransomware attack. According to the California Governor’s Office of Emergency Services, the purpose of a local emergency proclamation is to “provide extraordinary police powers, immunity for emergency actions, authorize issuance of orders and regulations, activate pre-established emergency provisions, and is a prerequisite for requesting state or federal assistance.”
In addition to cutting bureaucratic tape, Hamilton said, disaster declarations also free up funds that can be used to hire IT experts, cyber investigators and pay ransoms.
“Normally during a disaster declaration, what you get is like, zero interest loans and things like that, right? You can borrow money quickly,” Hamilton said.
‘Potential vulnerabilities’
Garza said in her letter to the governor that a state-level declaration would allow emergency funds to be released to help the city better manage the cyberattack. The City of Mission did not respond to requests for comment.
In Texas’s 2024 cybersecurity report, the Department of Information Resources, the statewide technology department, found that many state and local government agencies didn’t have the resources to address the operational and financial impacts of a cyberattack like the one in Mission.
“Despite increased investments in cybersecurity, most agencies reported that they do not have adequate resources budgeted to respond effectively to a major cybersecurity incident, indicating potential vulnerabilities for the collective security of the state,” the report read.
“They need to be more specific about what the potential impacts here could be, and not just, ‘We’ve lost control of our computers,’ right?” Hamilton said. “Because that’s what insurance companies are for, and it kind of begs the question, did they have cyber insurance?”
According to the National Governor’s Association, cybersecurity insurance is becoming increasingly important for state and local governments. Policies can cover data breach costs, business interruption, data restoration and potentially ransomware payments, though premiums are rising quickly.
“Pretty much everybody has it, even if you’re a little teeny town and you don’t really have an insurance policy, you’re part of a risk pool that is concerned with losing access to government technology,” Hamilton said.
‘A variety of reasons’
Justin Miller, professor of cyber studies at the University of Tulsa, said he’s wary of recommending that state and local governments purchase cyber insurance.
“Insurance companies are a for-profit business, and they’re going to find every way they possibly can to not pay out a policy holder,” said Miller.
He said government agencies should train employees according to their policies’ contract language to prevent insurance denials.
Miller, who spent 25 years in the U.S. Secret Service conducting cyber fraud investigations, suggested that Mission’s location along the Texas-Mexico border, combined with its rising population and the current political climate, may have made it a target for threat actors looking to test for weaknesses in the city’s IT infrastructure or distract government officials so they can commit other types of crime.
“I found it intriguing that it’s a city close to the Mexican border,” he said. “And what better way to create a diversion than to initiate a cyberattack, knock out police ability to track driver’s licenses, mess with the communications and get everybody to focus over here, and then we maybe bring something across the border that way, while people are distracted with this cyberattack.”
Robert Russell, a regional director at the Cybersecurity and Infrastructure Security Agency, told StateScoop motives for cyberattacks vary.
“Cyber criminals, nation state hackers, and other bad actors have a variety of reasons they target U.S. interests,” Russell wrote in an email. “This is why CISA is focused on providing actionable information and valuable services to help organizations reduce the prevalence of intrusions and their impacts.”
Miller said a statewide disaster declaration would give the City of Mission operational space to activate its emergency action plan and request help from outside entities, but that the city needs to prove its strategic importance first and audit its security systems.
“My students hate it because I harp on it, but it’s people, processes, technology,” Miller said, naming the three main components of information technology. “They’re so intertwined that a mistake or misconfiguration of any one of those is going to leave you vulnerable, but bringing the right people to the table is going to help you prepare for a cyber incident.”
