A Recipe for Destruction: Municipalities and Managing Cyber Risk

While civil unrest and the global pandemic have catalyzed the news cycle, cyber-attacks and their lasting effects have been devastating municipalities around the globe. Unfortunately, where businesses and individuals may be able to respond to these threats tactfully, municipalities have been left in the dust, ineffectively managing their data and leaving citizens and services at risk of cataclysmic attacks.

In the past, managed service providers (MSP) were seen as the critical storehouses to vital data; today, municipalities and their expansive and publicly accessible data sets are becoming the focal point of cyber-attacks.

How Are Municipalities Attacked?

From embedded malware hidden in file attachments, malicious code uploaded via removable media and the persistent threat of viruses  –  and shall we say, ‘dubious data’ uploaded via self-service/file transfer portals  – municipalities face a multi-pronged series of attacks.

What unites them is a desire to compromise ‘secure data’ and extract maximum rewards. Whereas startups and established businesses can be agile, adjust quickly to market trends and implement new solutions to fight cyber-attacks, municipalities after often left missing a step (or more) in effective cyber awareness and mitigation.

Why Are Municipalities Targeted?

With limits and lags notorious in municipalities, cybercriminals have stumbled upon the ideal nexus for data exploitation. In practice, municipalities uniquely encompass all the elements illicit hackers look for when planning an attack.

  • Publicly Available Data Points

Local and municipal governments are often mandated to provide a heightened level of data transparency and accountability rarely seen by their private-sector counterparts. Part of the process demands publicly releasing vast data sets, acknowledging strategic partners, issuing reports about defense capabilities and disclosing payments to various vendors.

Where private enterprises or individuals are rarely compelled to publicly disclose massive, and often sensitive data sets about core operations, clients or expenditure, governments and local municipalities are obligated by law to release these regularly (on any range of critical issues) online.  Consequently, when hackers seek a new target, the treasure trove of data and publicly released records serve as an ideal launchpad to start a campaign of destruction.

  • Serious Cybersecurity Budget Constraints

A recent study conducted by the National Association of State Information Officers (via a white paper by KnowB4) indicates that a plurality of states have failed to allocate the appropriate resources to mitigate basic cyber-risk.

“About 50% of states do not have a committed cybersecurity line-item budget. Even more concerning is the fact that 37% of states have seen a reduction in funding or no change at all. The lack of reoccurring funding translates to municipal networks and computers being put at risk to increasing cyber threats.”

The findings of M.K. Hamilton & Associates paint a more damning picture. In the majority of municipalities surveyed, IT accounted for less than 0.1% of overall municipal budgets. Without the resources and manpower to apply patches, train staff, or implement technical solutions municipalities will continue to be focal points of cyber-attacks.

  • Complex and Rapidly Changing Cybersecurity Mandates

The National Conference of State Legislatures (US) reports that in 2021, there have been over 250 bills or resolutions introduced intended to govern and theoretically change the threat landscape for municipalities across the states (and beyond if similarly implemented globally).  

Between disconnected municipal standards and the vastly different problems faced by large scale locality versus their smaller scale siblings (it is estimated that nearly 80% of municipalities provide services for communities of less than 25,000 people, with close to 60% of those localities with populations below 10,000.) the ability to form cohesive national policy has proven complicated to put into action. Add to the mix the interplay of state and national level legislation, and you end up with many ideas and few who are capable of implementing their lofty aims.

Practical Solutions To Complex Problems

The problem of cybersecurity for municipalities has plagued the coffers and private data of local governments for decades. From ransomware attacks shutting down schools and hijacking secure networks to cyber exploitation jeopardizing core system functionality, local governments face significant threats, with minimal patience for mistakes and data breaches.

While many of these structural issues can be directly linked to unapplied patches and an overall lack of cyber awareness, in the end, they have formed a narrative that frames municipalities as easy targets, with high-value data just waiting to be taken. Fortunately for all players involved, some easy wins can decrease the attack surface and mitigate cyber-risks.

What’s Hot on Infosecurity Magazine?