A major cyberattack on Atlanta in March shut down city computers for five days, exposing critical vulnerabilities in the government system.
Just days later, Baltimore was hit with a separate ransomware attack that required 911 dispatchers to manually dispatch calls. In May, the Idaho legislature website was taken over by hackers who posted a manifesto on its website.
Odenton Maryland-based SecuLore Solutions, a cybersecurity firm that serves the public safety industry, has been tracking attacks on local governments across the country. The number of attacks on its rolling 24-month tracker keeps rising by about 10 percent a month, said SecuLore President & CEO Tim Lorello.
“When the ransomware damages go from $1 billion to $2 billion in one year then you know that the criminals have a business and they’re operating at full force and we need to do something to respond to it nationally,” Lorello said. “On the other hand, you’ve got thousands of jurisdictions and even the federal government doesn’t have the resources to support and protect them.”
As small and big cities and counties alike grapple with attacks in a changing digital landscape, going it alone may not be enough. In Aurora Colorado, city officials are helping spread the word that data security isn’t something local governments can ignore.
Chief Information Security Officer Tim McCain and Internal Audit Manager Wayne Sommer wrote on a 2016 blog for the International City/Couny Management Association that cybersecurity is an iceberg looming before cities. Two years later, McCain reports that attacks are on the rise.
“They’re increasing in sophistication, they’re increasing in magnitude, they’re increasing in complexity,” he said. “Government as well as other favorable sectors for these people — nation states and hackers — is a big focus for them right now.”
Threat can’t be ignored
Aurora, located next to Denver, is moving toward more smart features and data-driven innovations. To address security concerns, Sommer and McCain anticipate creating a joint risk register that will identify specific risk areas and rate those risks.
“The No. 1 thing to do is to realize it can still come home to roost in your community,” Sommer said. “You can’t ignore it, you have to think about it.”
In a cybersecurity survey published by ICMA in partnership with the University of Maryland, Baltimore County, city and county governments reported that a lack of funds (52.3 percent), inability to pay competitive salaries for cybersecurity personnel (58.3 percent) and insufficient number of cybersecurity staff (53 percent) were severe or somewhat severe barriers to achieving the highest possible level of cybersecurity.
And the survey revealed that most local governments believe they are being attacked at least daily, and 24 percent said hourly or more – numbers that UMBC researchers believe are actually much higher.
Harry Holt, vice president of operations at Bithgroup Technologies in Baltimore, said he was not surprised to hear local governments worry that they don’t pay enough to attract top cybersecurity personnel. There simply aren’t enough cybersecurity engineers to meet the demand in the field, he said. But he believes partnerships with local universities could attract young talent to government. In the end, cybersecurity looks pretty similar for private and public entities. It comes down to the employees doing all they can to keep it secure, he said.
“Once (hackers) get in, there’s some pretty sophisticated technology folks out there that can do bad things,” Holt said. “The training has to be constant. And you have to do different types of tests and awareness on an ongoing basis.”
In Colorado, working together has proved a potential model. Leaders noticed the Department of Homeland Security and other federal agencies are not able to provide enough real-time actionable intelligence on current threats. Aurora was one of the founding members of the Colorado Threat Intelligence System, where local governments band together to notify each other of incoming attacks.
Public safety not immune
The security of the 911 systems across the country are particularly critical, as Baltimore found out. Lorello hopes they will get more attention, pointing out emergency call centers are often the only 24/7 system in a government.
On Thanksgiving weekend 2016, a small county in Maryland was attacked. The IT director was on the phone at 8 p.m., asking for help, but a staffer said his job description didn’t require him to come in on weekends.
Lorello estimates 80 percent of 911 centers are only four employees or less, but being embedded in a larger system also has its own risks.
“That’s the problem that we’re seeing is because they’re embedded in these city and county government infrastructures they are susceptible to the horrible attacks that are going on to those cities and counties today,” Lorello said.
He believes local governments need to move forward with NextGen 911 technology, a new digital architecture for 911 that will give them access to data beyond the traditional location, call back number and voice communication. Instead, they would be able to accept texts, photos, videos and smart city data that could be critical to first responders in an emergency.
Additionally, jurisdictions and the private sector are working together to adopt the infrastructure, so it would move the call centers out of individual jurisdiction systems and to a more secure, resilient architecture, he said. About 20 percent of the country has moved to NextGen, but none are taking photos and videos yet.
Another solution could be including public safety governments in EINSTEIN, a cybersecurity program that protects federal agencies. In 2016, then-Federal Communications Commission Chairman Tom Wheeler asked a congressional committee to do so. For now, McCain said local governments need to remember this is about protecting data.
“Always take time to go back to the basics,” he said. “When you walk into an organization say what are the basics: how are you doing access control, patching, locking down your networks.”