State and local governments face a disturbing cybersecurity threat

Commentary: Particularly in smart cities, the threat of cyberattacks is as high as ever, says the CEO of Minerva Labs.

Headlines trumpet the remarkable international pushback on Russia’s cyber meddling and sponsorship of cybercrime and fraud. Water-cooler talk of spies, bots, and assassinations has everyone acting like an armchair FBI agent. The vulnerability of institutions we once took for granted is front and center, and it is disturbing, to say the least.

It’s not only the White House, the NSA, and the Senate Intelligence Committee that should be alarmed. State and local government organizations face a growing cybercrime threat. Hackers are targeting municipalities and state agencies in part because they are often easier to breach than better-defended enterprise networks. More importantly, state and local government networks often host and process highly valuable data about individuals, critical infrastructure, and sizable financial transactions. This leaves attackers highly motivated in a situation where they have a high chance of pulling off a successful heist of data or funds, disrupting operations, exposing public figures, or conducting espionage.

Protecting municipalities against cyber attacks is a major challenge. This is especially true in smart cities, in which municipalities use interconnected information and communication technologies to increase operational efficiency, share information with the public, and improve both the quality of government services and citizen welfare. Overall, the technology landscape tends to be characterized by legacy infrastructure, diverse requirements, and a complex network topology. State and local government IT professionals are often charged with overseeing loosely associated, disparate networks, each serving different needs and constituents. These heterogeneous environments are notoriously difficult to manage and secure, creating gaps that attackers readily find and exploit. These issues are compounded by tight budgets, difficulty recruiting security experts, and drawn-out bureaucratic procedures for technology upgrades and purchases. IT and security personnel are typically overburdened and pulled in multiple directions, leading to a reactive security stance that simply isn’t sufficient in the face of constant, sophisticated intrusion attempts.

Several recent attacks illustrate the potential damage that can result when local agencies are compromised. For example, the Emotet Trojan attack on Allentown, Pennsylvania’s municipal systems has disrupted operations of finance and police departments, among others. Local media reports have estimated the cost of remediation at $1 million, which doesn’t include loss of productivity or other associated costs.


The Colorado Department of Transportation (CDOT) was hit by a SamSam ransomware attack that forced the shutdown of more than 2,000 endpoints, taking the department back to the age of pen and paper during the investigation and recovery process. Fortunately, the ransomware did not hit critical systems, and CDOT had data back-ups. It isn’t hard to imagine how it could have been much worse without good luck and smart preparation.

In the same time period, WannaCry attacks on Connecticut state agencies and malware damage to Savannah, Georgia city systems were reported. In even more recent news, the city of Atlanta is investigating and recovering from a ransomware attack that has stymied some public-facing services, including court systems.

Failure to defend against cyber attacks can result in more than monetary losses and damage to networked systems. When critical systems at hospitals, police, and fire departments are attacked, public safety and individual welfare are at risk (not to mention the exposure of highly sensitive data). Government agencies that are already strapped for financial and IT staff resources can ill afford the time- and labor-intensive recovery process that often follows something like an Emotet infection — because these Trojans are often polymorphic (constantly changing in order to evade detection), getting rid of them is no simple matter. Deploying a vaccine and other anti-evasion malware solutions can prevent these infections from taking hold in the first place. Applying the vaccine in an already-infected environment can even keep Emotet from spreading further and shorten incident response time.

Evasive malware is increasingly available to both sophisticated and run-of-the-mill cybercriminals. It’s important to take proactive steps to protect systems from these insidious, stealthy attacks — because they are harder to detect and difficult to remove. Capable of transforming themselves, these threats can persist and burrow deeper into networks and endpoints over long periods of time. Antivirus and similar baseline anti-malware solutions are weak at detecting evasive malware; these threats are built specifically to avoid being identified by AV. Instead, anti-evasion solutions work by preventing malware from getting around baseline security measures. For example, they can fool the malware into thinking it is in a hostile environment (e.g., through the use of simulated sandbox artifacts), triggering it to shut itself down before it deploys its payload. Anti-evasion approaches are also designed to be effective against malware hidden in malicious documents, fileless methods that inject malicious code into memory, and attacks that use legitimate tools (e.g., PowerShell) to install malware.

State and local agencies should conduct a careful assessment to identify solutions that are a good match for their existing technology set-up (including legacy systems) as well as the skill level of their staff and the resources available for deploying and maintaining those solutions.


These days, reading security-related news stories is like digging into a John le Carré novel. It makes the daily scroll more interesting, but that doesn’t mean you want a starring role in one of these modern-day tales of subterfuge and piracy. In the game of cyber cat-and-mouse, government organizations of all sizes need their own bag of tricks. The ability to outwit attackers is a powerful way to shut down attacks before they can cause damage. Send those hackers packing — don’t be the kind of easy target they love to infiltrate. Your constituents are counting on you to keep the lights on.
