Prior to 2020, it could safely be assumed that many local government officials did not recognize the risk of behaviors in which they were engaged. Local governments are particularly invested in keeping things secure because of the high level of sensitive information they store and the number of systems they use to share data with state and federal government programs. They have a fiduciary duty to safeguard this data.
The amount of data that municipalities deal with has grown exponentially. Conversely, because they are often operating on a shoestring budget, local governments rarely have dedicated cybersecurity experts; they rely on their IT team to ensure security. However, that IT department often does not have the investment it requires, so holes in their security leave them vulnerable to attacks. These attacks can range from viruses to hackers to phishing.
One of the most prevalent types of cyberattacks recently is ransomware attacks. Ransomware is a type of malicious software that gains access to files or systems and blocks user access to those files or systems. Then, all files, or even entire devices, are held hostage using encryption until the victim pays a ransom in exchange for a decryption key. The key allows the user to access the files or systems encrypted by the program. These attacks often begin with an email with links or attachments that seem benign but give the hacker access to that single system followed by the network. While it is relatively unsophisticated as cybercrimes go, these can shut down servers, expose data, paralyze 911 centers and interact with traffic management systems. “Smart cities” — that is, cities whose infrastructure relies on interconnected technologies — might be more affected, but many hacks have occurred in other municipalities as well. Again, without a dedicated IT staff and with a reliance on aging infrastructures, many cash-strapped municipalities are ripe for attack.
A coordinated attack in the fall of 2019 hit 22 smaller Texas communities at once for a combined ransom of $2.5 million. While industry experts discourage paying ransoms for fear of encouraging this type of attack, many cities without reliable backup or backups that are encrypted as part of the attack are left with no option but to pay the ransom to get back up and running. The Texas attack showed that what once was thought to be a big city problem is leaving every local government vulnerable, and attacks are on the rise. 2019 was called the worst year on record for breaches, and then came 2020.
Low-Hanging Fruit and the Impact of COVID on Security
2020 not only introduced us to the COVID-19 pandemic, but it also brought about what many refer to as a cyber pandemic. The forced quarantine in the wake of the COVID-19 pandemic had more people working remotely without access to IT and to security patches and updates. With tens of thousands of small government institutions, ransomware, once on the decline, has become low-hanging fruit for most cybercriminals. Identifying attackers is rare, so it is difficult to make someone accountable. At the outset of 2020, an informal survey conducted by Diligent of municipal officials involved in agenda creation revealed that 97% were transferring sensitive documents via email. With the threat of cyberattacks in the form of ransomware, using email to prepare or send meeting materials is concerning. When council members and staff are accustomed to receiving documents and updates via email, they are less likely to exercise caution when getting infected links or attachments. This is compounded with the fact that 88% of the survey respondents reported confidence in their organization’s security.
The prevalence of portable devices again exacerbates cyber risks. Most council members — and staff members — use their device for information, but also for entertainment and social media. When more than 70% of all ransomware attacks in the United States target state and local governments, it is clear that this poses a hazard for cities. It is safe to say that groups that carry out these kinds of attacks have discovered that cities are an easy target.
In the area of cybersecurity, overall, it does not appear that public entities are doing enough to mitigate risks. Using email to either communicate or to prepare and transmit meeting materials is inviting unnecessary levels of risk. Elected board members are quite likely not aware of the risks or aware of their personal liability. Of breaches that come from inside the organization, 67% are not malicious but are from errors. Effective defense from cyberattacks ultimately depends on education and overriding the chance of human error whenever possible. Cloud-based software that is recognizable and reliable is one of the best ways to take the guesswork and human error out of the agenda creation process.
- Utilize cloud-based software like iCompass for both agenda creation as well as the distribution of materials to the council. Logging into a secure portal eliminates the likelihood of users clicking on a tainted email or attachment.
- Everyone involved in agenda creation, delivery, or use needs to be updated with training on cybersecurity. Cybersecurity needs to be viewed as a shared responsibility rather than being relegated to IT teams.
- Municipalities need to develop a plan for cybersecurity. If they already have one, it should be reviewed annually. By now, city administrators are becoming aware that they are a target, but it needs to be stressed to council members.
- Cities need to adopt a digital security mindset, with contingency and disaster plans in place. Working closely with other entities can help minimize threats. Utility grids that are interconnected can quickly cause cascading problems. Any device with data or applications on it needs to be remotely wiped in case of a threat. Only approved applications should be opened with devices belonging to the city.
- When possible, it is best to have dedicated hardware. A tablet or laptop that can be updated and fully patched with all security updates easily is a necessity. Using a secure portal to prepare and host agenda materials that are password protected is the preferred vehicle to transmit council documents.