If you pay any attention to cyber security related news, you likely have noticed a large uptick in ransomware attacks targeting state and local governments. These ransomware attacks include Albany New York, Lake City Florida, Jackson County Georgia, Baltimore Maryland, and the 22 government agencies in Texas last August.
Government is particularly vulnerable as an industry vertical. While there are many reasons it makes sense that governments are ransomware targets, one of the more challenging problems is the inability to have the same level of privacy as their private sector counter parts. Citizens expect transparency in modern government systems, and this often leaves sensitive information freely available online in order to provide the best service to their constituents. Many governments are required by their state law to publish entity information online whether they have a properly secured system or not. In most cases, cyber security is not an adequate reason to protect sensitive information. A threat actor can get all the information they need to carry out an attack by simply browsing employee directories, applications, and information about services and operations, the very things we use everyday for convenience and access as constituents.
Easy Target, No Easy Solutions
Growing attack surface
Most governments have a very distributed footprint making government organizations naturally challenging to protect. This has become more challenging as citizens demand more access to digital government services. Like our homes, government is growing smarter and more connected. Police cars, traffic cameras, parking meters, and utilities are all becoming more connected and accessible. Often, these systems and devices are managed by third party vendors and reside in the cloud and unfortunately, an attack on those vendors often appears as an attack on the government agency which can breach trust and potentially put constituent data in danger and degrade government operations.
Everything is public
We live in a golden era of access to public records, but this convenience and access can come at an expensive price. Even something as simple as an employee directory can provide a treasure trove of information including name, phone number, and email addresses of employees. Systems that process transmit restore personally identifiable information are usually published to the edge of the network, potentially opening it up to all Internet traffic including trolling bot networks. Meeting minutes often posted to government websites and can provide sensitive information discussed among legislators or elected officials. This information in aggregate may be harmless but someone who is looking to exploit an agency can build a very detailed picture by combining all the data points.
Outdated technology
Government is taxpayer funded and even the wealthiest cities must go through rigorous bidding processes to purchase software and services which often puts them behind the curve of the rapid pace of the threat actors. You can imagine how difficult this can be for small towns with a small budget and zero IT staff to support their networked data and infrastructure. Even if an organization is fortunate enough to afford the hardware and software needed to secure everything, many still struggle with the appropriate level of human capital to deploy technology at the required velocity. You can bet that most government agencies are not running redundant systems, allowing for network downtime without impacting access meaning that every time you upgrade a piece of hardware or software, your taking that tool offline for the duration. Modernization within government is often a large tradeoff between filling legal obligation the citizens and keeping pace with current industry technology needs.
Governments need to be as nimble as the hackers that target them. Cybersecurity requires agility and speed in order to find, stop, and deter attacks. Unfortunately, for many governments with legacy systems, just keeping systems can be a challenge, never mind trying to update software that may not be supported by vendors. How are agencies supposed to defend against cyber-attacks if the software they are using came from a company that no longer exists? Atlanta as one example, had identified 2000 network vulnerabilities prior to getting absolutely Pwned. This ransomware attack cost Atlanta $17M dollars. I am positive the residents of Atlanta could think of a million better things to spend $17M on.
Hardware does not mean a thing if you do not have the cybersecurity talent required to shore up government defenses. In order to update networks at such a large scale requires almost a constant effort in maintain security patching and systems configuration hardening. Government cyber positions are also competing with private sector firms that pay better and often offer better work/life balance making the hiring, training, and retention cyber security staff extremely difficult.
No budget
Training staff to be vigilant and avoid falling victim to ransomware attacks can make a huge difference in protecting government systems but mistakes happen, and this is where software and hardware can help prevent an accident from becoming a catastrophe. There is no cheap way to properly secure your systems with contemporary software and hardware and unfortunately, many state and local governments lack the needed funding and either bail on upgrades or go with a cheap vendor which will eventually cost them more. There are a lot of competing interests when it comes to spending tax dollars and often the tangible benefit of something physical will trump the hidden cyber security infrastructure. In other words, cyber security is not a shiny enough object to excite someone into giving up their hard-earned tax dollars. It is even harder for lawmakers who do not understand the cybersecurity landscape and are expected to convince their constituents that it’s a good investment. These folks are often being asked to cast a vote on cybersecurity systems and budgets that are written by security engineers.
What you can do to help!
Every single person reading this is living in a community that is at risk and every single voice can influence that community to invest in protecting their data. Allocating a chunk of an already thin budget on something most people do not understand is a big ask, paying the damage caused by an attack is worse. So, how can you advocate for investing in protection:
- Reach out to your local government representative, ask them what they are doing today and what they plan to do tomorrow to defend government network. They should have an answer that includes more than "we installed anti-virus".
- Reach out to NASCIO (National Association of State CIOs), ask them to help influence change. They can shape legislation at a State level.
- Reach out to NACO (National Association of Counties) ask them to help influence change. They can shape legislation at a County level.
- Reach out to NLC (National League of Cities), ask them to help influence change. They can shape legislation at a City and Municipal level.
Let me leave you with this. Change in government is not spontaneous, it requires a loud voice and convincing argument. It’s important that people recognize that it’s not random data that is being impacted, it’s their data that is exposed and vulnerable and that it is their government that can implement the changes needed to protect it.
Follow us on Social Media for more information:
Twitter facebook LinkedIn instagram
[hubspot type=form portal=9212203 id=78ed4f55-84a0-4cb8-bae7-8d92e16878ab]
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.
