Cybercrime has turned its attention toward city and regional governments and the scale and scope of the problem will continue to grow. That was one of the main threads at the recent U.S. House of Representatives hearing on , which was held in the wake of a string of high profile ransomware attacks hitting local governments from Florida to Ohio to California.
The recent attacks are only the latest manifestation of a steadily increasing problem that has serious repercussion for the governments involved as well as their residents and constituents. The Ponemon Institute’s annual 2019 Cost of Cyber Crime report found that cybercrime syndicates threat costs for (non-federal) public agencies rose, on average, by more than 20%. But cost is only one factor. Local governments hold extremely sensitive information on children, billing records, criminal history and more. And when local services are shut down by a ransomware attack, it’s often the most vulnerable populations that feel the brunt of the attack.
The large amounts of sensitive data handled by local governments make them a valuable target. Cybercriminals also know that local governments and their residents can’t afford to let critical systems remain shut down in the event of a ransomware attack. Courts, transportation, public utilities, traffic, social services – all come under the local umbrella.
That’s why many are choosing to pay up rather than weather the consequences. Lake City and Riviera Beach in Florida together paid over a million dollars after they were hit by ransomware. The City of Atlanta refused to pay its attackers the $51,000 ransom after hit by SamSam ransomware last year. They ended up spending over $7 million to recover systems and data and certain information, such as some police dashcam footage, was irretrievably lost.
Ransomware is not the only problem, it’s just the most immediately visible. Potentially more harmful are attacks that sit undetected in networks and let malicious actors quietly siphon off data or cause damage. In nearly 60 percent of security incidents, it takes government agencies years to discover the breach.
The 2018 Government Cybersecurity Report by Security Scorecard found that governmental agencies share many of the challenges faced by other industries, yet at a heightened level. Agencies of all sizes fell at the bottom of the list for endpoint security, patching cadence and network security. On the bright side they get a near perfect score for social engineering – phishing, spam, social network attacks – which is a big problem for other industries. The assumption is that government agency employees are less targeted as they are less likely to use work email addresses and credentials outside of work, for example for marketing lists or social networks.
Like their private sector counterparts, city and regional governments are undergoing massive internal digital reshuffling to drive efficiencies and reduce costs. In addition, more services to citizens and partner agencies are handled through online portals and apps. And while these changes are necessary to serve their populations effectively, they open municipalities to many more avenues of attack at a time that cyberthreats are rapidly growing in volume and sophistication.
Third-party suppliers and vendors are another attack vector that local governments have proven unprepared to handle. The hacking of online bill payment portal Click2Gov was responsible for at least 46 breaches in public agencies across the United States over a period of more than a year, exposing hundreds of thousands of payment records, which were discovered for sale on underground markets. Click2Gov software vendor, Superion, initially claimed the fault lay with poorly protect government servers hosting the software, but later admitted to a software vulnerability and issued a patch.
While local governments’ attack surface grows, their ability to protect their system infrastructure has not kept up. The Security Scorecard report puts the government sector as the second worse industry for endpoint security, below even healthcare, which has notoriously poor endpoint security, and in the bottom third for network security.
Governments themselves seem to be cognizant of this fact. A Ponemon survey of Federal, State and Local government IT security practitioners found that only 19 percent of state and local respondents rate their ability to prevent a cyberattack as very high. The Click2Gov fiasco above shows the consequences of this lack of attack prevention ability, especially against zero-day attacks. Stronger server protection could have stopped hackers from being able to exploit the software vulnerability.
The Click2Gov vulnerability illustrates another problem for local governments – they can’t keep up with patching updates. Superion issued a software patch in June 2018 yet breached records were still showing up six months later. According to the SecurityScorecard report, government agencies at all levels are in the bottom third of industries when it comes to patching cadence. Patching takes time and money as upgrades must be tested thoroughly before deploying in order to make sure they don’t create system conflicts that could jeopardize ongoing operations.
Many of the recent ransomware attacks on US cities used the NSA EternalBlue exploit to gain a foothold in systems. That vulnerability was fixed by Microsoft in Windows updates more than two years ago.
Underlying and exacerbating all these issues is that local governments do not have enough resources to improve their security posture. The situation is so acute that many local governments lack the means to even fully gauge the scope of the problem they face. A survey of local governments by ICMA, in partnership with the University of Maryland, found that while 44% of respondents said they experience cyberattacks at least daily, more than half had no idea how frequently their information system is attacked, and 40% didn’t even track actual breaches.
The same report showed that only one percent of surveyed municipalities have a stand-alone cybersecurity department or unit. Not surprisingly, greater funding for cybersecurity was rated as the number one thing local governments need most and the top barriers to better cybersecurity all had to do with money, including the ability to hire, pay and train staff.
Standard best security practices go a long way. Safeguard admin credentials and change passwords regularly; use multi-factor authentication or two-step verification procedures as feasible. Maintain a firewall and keep operating system and application software up to date.
Strong endpoint protection is critical; standard antivirus is not enough. But a robust security stack with advanced threat protection doesn’t have to mean expensive, complex to operate EDR solutions. Morphisec Unified Threat Prevention uses Moving Target Defense to stop fileless attacks, zero-days and unknown advanced threats that bypass standard security defenses. It is a pure prevention tool – meaning there are no alerts to chase, no lengthy investigations, no after-the-fact remediation.
It’s easy to recommend keeping OS and applications up to date, less so to implement. Morphisec virtually patches vulnerabilities, protecting endpoints from vulnerability exploits when patches are not yet available or deployed. This lets municipalities extend their patching cycles to a more sustainable cadence yet still cut risk.
Contact a Morphisec security expert to learn how we can help your city or region fight back against global cyberthreats.