As the fallout from this past December's SolarWinds cyberattack settles, it is clear that the hack didn't just compromise federal organizations. The SolarWinds attack now appears to have infected government networks from federal departments all the way down to state and local government bodies. That a state-sponsored attack would proliferate beyond its initial targets is no surprise. However, the fact that this attack impacted all government levels also highlights a broader trend. State and local government networks are no less of a target than their federal counterparts for cybercriminals.
To take one example, August 2019 saw 22 local government networks crippled by malware across the state of Texas. In what appears to have been a targeted statewide attack, public services were disabled for thousands of Texans for multiple days. The same year also saw at least 100 other ransomware attacks successfully compromise local and state bodies in the U.S. Today, the threat level has increased further. BlueVoyan reports that attacks on state and local governments have risen by over 50% since 2017.
Threat actors target local and state bodies for numerous reasons, including ideological ones, but for others the motive is purely financial. Last year saw an increase of over 700% in the number of ransomware attacks across all sectors. For financially driven attackers, government bodies have been frequent targets. Although many organizations pledge not to pay ransoms, the cost of an attack can still be considerable. Unwilling to pay a ransom demand of $78,000 in 2019, for example, the city of Baltimore spent nearly $18 million recovering from a ransomware infection.
However, as dire as the threat to their operations is, local and state bodies' best option is not to pay ransoms to cybercriminals or accept breaches as an inevitability. Instead, state and local governments should adopt a lean approach to cybersecurity that can reduce their risk exposure without increasing expenditure.
State and Local Government Cybersecurity Gets Harder
Even though they may not seem like obvious targets for threat actors, state and local government bodies are under threat. Despite the fact that they hold valuable customer data and have a low tolerance for downtime, government bodies at this level are often under-resourced when it comes to cybersecurity. Smaller organizations at the local and state level may seem less lucrative for cybercriminals, but it is this combination of poor security and high value that makes them excellent targets for threat actors. Just like Lafayette in Colorado, small rural towns can find themselves struck by devastating cyberattacks without the means to defend themselves.
Since the COVID-19 pandemic, the threat level for local and state-level government bodies has risen dramatically. The growing number of remote workers has partially driven this rise within these organizations and, consequently, created a broader attack surface. When we surveyed over 500 government employees last year, we found that more than 40% worked remotely -- a percentage unlikely to have decreased since. The rapid adoption of cloud-based technology has likely weakened security further with the addition of yet more tools that protection platforms must cover.
On the other side of the cybersecurity equation, the arsenal of tools available to even poorly resourced cybercriminals is growing. While they remain a target for both financially motivated criminals and state-backed threat actors alike, state and local government networks are faced with the same kind of Advanced Persistent Threats (APTs) as their federal counterparts.
Third-Party Endpoint Security Tools Create More Risks
Defending against attackers who can quickly deploy complex tactics such as in-memory and fileless attacks, and have the patience to do so over a prolonged period, is a significant challenge for any organization. For local and state governments, insufficient budgets and low security awareness among staff doesn't help matters. As they face a never-ending array of issues ranging from ongoing public health problems to reduced tax revenue, securing proper resourcing for cybersecurity can be an uphill battle. Complicating this challenge further is that many local and state-level organizations rely on security solutions that don't work against the threats they face.
As attackers increasingly deliver malware that executes in application memory rather than via an executable file, antivirus software alone (including "next-generation" antivirus software) isn't enough to ensure protection. Unfortunately, deploying effective endpoint protection platforms (EPP) without compromising operations can be an insurmountable challenge. The problem for government bodies is that most EPP solutions operate by focusing on detection and response. While this can work in some organizations, balancing the cost -- both financial and operational -- of a detection and response-based approach is often infeasible for local and state governments.
The increasing capability of attacks combined with the growing unsuitability of protection solutions puts many state and local government bodies in an unfortunate situation. With EDR out of reach, and MDR often too pricey, too many organizations rely on antivirus solutions that give only illusory protection. The answer to these problems is not to layer more ineffective, costly solutions on top of government security stacks. Rather, state and local governments need to take a lean and cost-effective approach to cybersecurity through leveraging the security tools they already own.
A Lean Approach to State and local government Cybersecurity
A sound strategy for maximizing cybersecurity within local and state governments' is to create a simplified security stack that covers all the bases. Doing this starts by revisiting OS-native security tools, which for Windows machines means Microsoft’s Windows Defender AV.
While its previous iterations were often lacking compared to aftermarket alternatives, Windows Defender has evolved tremendously. Today, according to Gartner and AV-Test, Windows Defender is as effective, or even more effective, than any other antivirus solution on the market. There is no good reason for public bodies to pay for antivirus protection when there is very little separating Defender from paid alternatives.
Microsoft has invested at least $3 billion in its portfolio of security products and built-in capabilities for the Windows operating system. Today, Windows machines automatically have device control, disk encryption, and personal firewall built in alongside Defender AV. Given that these tools are “baked-in” with the operating system, they have access to parts of the system that even the best third-party tool can’t touch. Further, using the built-in solutions means that state and local governments don’t need to worry about increasing the attack surface by adding yet another solution to their technology stack.
With Windows Defender and other built-in tools forming the bedrock of a solid cybersecurity strategy, public bodies can focus on adding additional protections such as a solution like moving target defense that protects against unknown threats and in-memory attacks across remote and in-office endpoints. Together, this combination of market-leading antivirus software and deterministic protection provides a simple, effective way to secure state and local government employees regardless of where they work.
The simple reality of state and local government cybersecurity is that the threat landscape is not going to get any easier, and most governments aren’t going to suddenly see their technology budgets increase. As a result, governments of all sizes need to adopt a cost-effective approach to cybersecurity to reduce their risk and their attack surface before the next attack occurs.