As high-profile attacks like Atlanta's grab headlines, experts tell StateScoop that both the level of awareness and resources available to local governments are on the rise.
Last week, it was reported that an official in Shiawassee County, Michigan, fell victim to an email-phishing scam, resulting in an inadvertent $50,000 payment to the scammers. The county is small — just 68,000 residents — but it’s the latest among a group of lower-profile victims in an established pattern of cyber vulnerabilities in government.
Cybersecurity is the No. 1 concern for CIOs in state and local governments across the country, but as they transition data storage to cloud-connected systems and digitize services, the intensifying pattern of attacks shows why security shouldn't be a one-person effort. In the wake of a flurry of incidents at the municipal level, experts weighed in on why counties are more concerned with cyberthreats than ever before and why the outlook may not be quite as dim as it seems.
It’s common for city and county governments to delegate cybersecurity to just one person, said Jeff McLeod, director of the Homeland Security & Public Safety Division at the National Governors Association. And as a result, he said, most counties are generally unprepared to meet the ever-present threats surrounding critical components of a government computer network.
“A lot of the state leaders we work with constantly raise concerns that the counties lack the manpower and expertise to manage cybersecurity risk,” McLeod said.
McLeod’s point that most municipal governments — not just the resource-scarce agencies — are vulnerable has rung true over the last year. The city of Atlanta will soon have spent more than $14 million in recovery and emergency contracts in the wake of a ransomware attack in March that crippled the city’s computer systems and various agencies, while Harris County, Texas, home of Houston, nearly paid $888,000 to a phishing scammer earlier this year. In late 2017, North Carolina’s largest county, Mecklenburg, initially resigned itself to paying off the hackers when it fell victim to a phishing scam.
Larger local governments make headlines when they’re hacked, but there are more instances not being given as much attention in non-metropolitan areas.
“I think there’s a lot going on that people are not hearing about,” said Alan Shark, CEO of the Public Technology Institute and a consultant for the National Association of Counties. “Certainly, when you think of the 2,000-plus counties, that’s a large number and at the same time, it's an attractive target for the bad guys.”
An upward trend
The resource-scarcity problem that prevents many small counties from proactively fortifying their cybersecurity — a lack of funds to outsource threat monitoring and recovery and a depleted talent base for knowledgeable IT professionals — is compounded by the absence of a federal database local governments can report cyberattacks to, Shark said.
“I’ve been frustrated that the federal government does not have a database of cyber incidents, nor is there a reporting system,” he said. “So you have a number of private groups scouring newspaper results here and there, and once in a while it’ll make a local paper, but I am personally aware of a lot of small entities [being affected] — including sheriff’s offices, which you would think would be the smartest. This is blind spot for many people. There are a lot of small communities that have gotten ransomware and not reported it.”
Coordination and cooperation between different jurisdictions and levels of government, both Shark and McLeod agreed, will be one of the key factors in improving government cybersecurity as a whole across counties of all sizes. Thankfully, Shark said, cybersecurity is on an “upward trend” among the officials he’s spoken to within the last year.
“[The National Association of Counties] is making people aware at the highest levels that this is no longer just the responsibility of the IT person,” Shark said. “We want county commissioners, we want county managers to be aware that this isn’t something that can be delegated. This is an all-hands kind of effort.”
Shark said that he’s noticed more and more counties — like Mecklenburg, which has had officials open up and share its ransomware experience at several events since December — self-reporting and seeking federal assistance from organizations like MS-ISAC, DHS and FBI, all of which provide some level of affordable relief or cybersecurity training for government employees. Shark added that he’s also noticed fewer counties actually paying ransoms — a bonus, because “the less people the comply, the less attractive this will be down the road [for attackers].”
MS-ISAC, or the Multi-State Sharing & Information Analysis Center, is a component of the Department of Homeland Security that offers free cybersecurity education tools, incident response services, cybersecurity advisories and malware analysis to member governments for free — one of many organizations providing tools for free. McLeod also suggested that counties look at bug-bounty programs, or state-led cybersecurity resources, to collect more information on the ever-expanding field of cyberthreats.
Programs like cyber-insurance and an increased cybersecurity component of mandatory annual county audits have also contributed to an environment of heightened awareness, he said. When insurance agencies or auditors examine a government’s cybersecurity protocols, Shark said, it forces the hand of a potentially otherwise-unprepared agency to shore up its procedures — writing coherent and up-to-date policy, testing and segregating backups and instituting regular employee training on basic preventative measures.
“Sometimes you need to light a fire under somebody to get them to realize, ‘Oh my god, I thought we were already doing this, but we’re not,’” Shark said.
McLeod was also optimistic — he said that good county-level cybersecurity doesn’t even need to require a sophisticated understanding of technology.
“Making sure that county employees are aware of what phishing attacks are, what ransomware is, having some procedures and processes in place to connect with the right person, that’s a huge piece of it,” he said. “The human error — that’s not even necessarily IT-related.”