In 2019, the Port Neches–Groves Independent School District in East Texas fell victim to a ransomware attack that led to a disruption of networks and a denial of access to student data. To regain access to its network, the school was forced to pay the ransom, resulting in significant financial loss to the district. This is only one of hundreds of cyberattacks that happen each year throughout U.S. municipalities. According to the Capitol Region Council of Governments, in 2021 alone, there were 77 cyberattacks on municipal governments and 88 cyberattacks on education entities throughout the country, resulting in nearly $18 million in costs.
From malicious criminal activity to “hacktivism,” the consequences of attacks on digital technology range from inconvenience to disaster. No matter the size of the entity affected, preventing and mitigating cyberattacks will become an increasing challenge for all levels of government, commerce, and community. Numerous threat actors target these municipalities:
· Nation-state actors act on behalf of a foreign government, taking a tactical and strategic approach to affecting the target.
· Criminal actors conduct cyberattacks for financial gain.
· Hacktivists are individuals or groups who typically conduct cyberattacks on behalf of a political or social cause.
· Thrill seekers are individuals who target systems for the thrill of disabling or affecting them for bragging rights.
· Cyberterrorists conduct cyberattacks on behalf of a terrorist organization.
· Insiders are actors who are familiar with and know how to cripple certain systems or functions within a network.
The modern world increasingly relies on rapidly advancing digital technology, and cybercriminals progressively focus on ways to exploit technology’s vulnerabilities. With technology necessary for daily life (enhancing work environments, reducing costs, driving commerce, managing supply chains, automating functions, and overall managing daily needs), cyberattacks can have a far-reaching, negative global impact. Throughout the world, municipalities use technology for infrastructure operation and maintenance. With the growing adoption of smart technology, municipalities have become an increasingly visible target for malicious actors, thus making protection of this technology from cyberattacks more challenging.
Local municipal governments implement smart technology that interacts with daily functions and services, such as online utility payments, infrastructure maintenance and operation, operations and shipping applications within ports, digital utility meter reading and monitoring (“smart reading”), public facility automation, water and wastewater facility automation, and other affected city activities. Emergency services likewise harness information-based applications to facilitate emergency management plans, maintain communications (such as 911 capabilities), and store records (including school district information and other data relevant to city functions).
With smart technology comes the threat of cyberattack – an attempt to deny, degrade, disrupt, destroy, or alter information resources or the information itself. Examples of cyberattacks on smart technology include malware, insider threats (intentional and unintentional), denial of service, and other techniques intended to compromise the confidentiality, integrity, and availability of data. Although higher levels of government and businesses may possess the tools necessary to protect against cyberattacks and have the resources available to address these threats, local governments often do not. The following table illustrates a small fraction of cyberattacks on municipal infrastructure throughout the nation.
Date | Location | Incident Type | Impact |
---|---|---|---|
May 2023 | Philadelphia, Pennsylvania | Data Breach | Personally identifiable information of private citizens was exposed. |
January 2023 | Atlanta, Georgia | Ransomware Attack | $17 million in data recovery costs. |
February 2023 | New Orleans, Louisiana | Data Breach | Personally identifiable information of private citizens was exposed. |
Early 2022 | Florida | Ransomware Attack | Inability to access city government computer accounts. |
The Challenges
Protecting against cyberattacks has become a major challenge faced by local governments and communities, which often lack a sufficient cybersecurity program. Factors include inadequate funding, limited vulnerability assessments, lack of cybersecurity integration within emergency management offices, limited training, overlooked threats, or lack of policy governing information-based technology usage. By addressing these challenges, local governments have the potential to significantly reduce their cyber risk.
Funding
Funding for cybersecurity has historically been a significant issue in local municipalities. Without adequate funding, there may be no dedicated cybersecurity staff within the organization. Funding shortages can impact the critical functions of a cybersecurity program and can expose vulnerabilities throughout a municipality’s systems. If a local government cannot budget adequate funding for a cybersecurity office, seeking the expertise of the existing information technology (IT) staff can help establish a cybersecurity program using recognized cybersecurity frameworks.
Assessments
A functional cybersecurity program starts with assessing vulnerabilities and understanding the risk to affected assets if they were to be disabled through a cyberattack. These could be any information-based technology, such as mobile devices, laptops, desktop computers, operational technology applications (including those in water and wastewater treatment facilities), building automation, and any other physical asset connected to the Internet of Things. These assessments provide documentation that may make it easier for stakeholders to understand what vulnerabilities exist for information-based systems within a municipal government and can provide them with the information necessary to either correct the issues or accept the risk that accompanies them.
Integration Into Emergency Management
Emergency management has traditionally focused on incidents such as wildfire, flood, natural disaster, and other disasters requiring government response. However, local emergency management coordinators at the state, county, and city levels should begin integrating cyber incidents into their emergency preparedness plans, exercises, and incident command system to aid them in an actual event. By focusing on how to respond to an incident affecting a critical component of an emergency operations center (EOC) or other assets capable of degrading response, and by categorizing the level of effect, municipalities can be prepared to execute the appropriate response. Everyday cyberthreats such as email phishing would not warrant the activation of the EOC, which occurs mainly for cyberattacks that have the potential to develop into an expanding incident. However, in the case of a more serious threat, the emergency management coordinator should seek outside assistance from federal or state partners. One method to address this is via an Emergency Support Function (ESF) with other entities throughout the jurisdiction and the larger region to ensure there is a centralized pool of resources to use in the event of a cybersecurity incident. This ESF should consist of federal, state, and local agencies in addition to private industry partners. An effective ESF can minimize the impact of a cybersecurity event and foster interoperability throughout the region.
Training
The weakest link in any security system is the human factor. Due to the potential for human error, it is often the first point of failure in a cybersecurity incident. Any information-based asset used by members of a local government or the community is vulnerable to cyberattacks. Users should be trained on how to best protect these devices to prevent the compromise of information. This can be accomplished through computer-based cybersecurity training, in-person awareness courses, emergency management exercises, and end-user agreements, and these tools could ultimately be used to hold users accountable for their actions. Training should include how to distinguish phishing emails, protect personally identifiable information on e‑government systems, and recognize social engineering attempts, along with regular penetration testing, simulated phishing emails, and other training to create “cybersecurity champions” throughout the organization.
Ignoring the Threat
“It will never happen here” is one of the most dangerous assumptions an emergency preparedness professional can make. Emergency management coordinators at local levels should begin to recognize that cyberattacks are an increasing threat for communities of any size during and after natural disasters, as the potential impact on human lives can make even small-town networks and assets high-value cyberattack targets. Often during major disasters, scammers pose as insurance companies targeting disaster victims, while at the same time, local government network security may be overlooked. Emergency management coordinators should seek the assistance of their cybersecurity staff to help ensure that assets are monitored for external and internal cyberthreats. There should be a fine line drawn between IT staff and cybersecurity staff. IT traditionally fixes computer problems, while cybersecurity personnel mitigate cyberthreats through security measures and monitor systems for unauthorized access. If feasible, the organization should have cybersecurity personnel specifically assigned to protect internal systems. Budgeting for these positions should be a priority of any local government.
Governing Policy
Incident response plans can play a major role in determining ultimate outcomes. Effective cybersecurity programs are built on incident response plans, derived from risk assessments, understanding vulnerabilities, and outlining requirements of cyber hygiene on all information-based assets in use. Local government stakeholders should work with their cybersecurity staff or outside resources to build an effective governing cybersecurity plan or policy to establish a common baseline of good cyber practices to protect assets. Smaller government entities should establish mutual aid agreements with regional, larger governments to share cybersecurity personnel and resources if needed. This effort would foster regional teamwork and build relationships, which could prove invaluable during a real-world scenario.
Where to Start
Smaller local governments with no cybersecurity program in place may struggle to identify a starting point, but numerous resources are available to help provide basic building blocks. These are discussed below and can provide the municipality with a solid foundation on which to build:
- In March 2022, the Cybersecurity and Infrastructure Security Agency released Cybersecurity Performance Goals. This framework contains 38 categories written in a common language to help an entity of any size establish a cybersecurity program. It may be used to assess a local government’s current cybersecurity position and to plan how to address remaining vulnerabilities. Additionally, this framework can help build a cybersecurity program.
- The National Institute of Standards and Technology released the latest version of the Cybersecurity Framework in February 2024. This framework is nationally recognized and dives deeper into both technical and administrative controls, which can help to develop a functional cybersecurity program.
Local governments should recognize the need to integrate cybersecurity into their daily activities and better protect e-government systems, information-based assets, and the citizens they serve. Cyberthreats can stem from multiple angles, including technical and non-technical threat vectors, and can strike anytime. By following the advice in this article and giving more focus to integrating cybersecurity into emergency management at all levels, local governments and communities can help to reduce the frequency of cyberattacks.
Brian Shajari
Brian Shajari is a principal consultant at ABSG Consulting Inc. (“ABS Consulting”), Global Government Sector, with 23 years of experience in cybersecurity, intelligence analysis, and emergency management. He holds a Master of Arts in Cybersecurity from American Military University, along with certifications such as CompTIA Security+, Facility Security Officer, and multiple U.S. Coast Guard emergency management qualifications. Brian specializes in developing cybersecurity standards for the U.S. Coast Guard and Cybersecurity & Infrastructure Security Agency (CISA), conducting cyber risk assessments, and leading cyber intelligence efforts throughout the government and private sector. He is committed to safeguarding critical assets and networks by applying his expertise in artificial intelligence, network security, and incident response. As a 23-year veteran of the U.S. Coast Guard, Brian has served in multiple major disasters across the country, spanning from hurricanes to cybersecurity incidents.