Two major U.S. cities were crippled in the last week of March by ransomware, but even in the heart of Silicon Valley, Bay Area government officials tasked with safeguarding a growing trove of sensitive data feel vulnerable to what they see as a constant and ever-evolving threat.
More than a fourth of U.S. local governments are subject to hourly cyberattacks, according to one recent national survey, and about one in seven experience yearly electronic security breaches that result in confirmed unauthorized access to sensitive information and systems. Nearly a third said the hackers were seeking ransom.
“Every city sees on a routine basis ransomware attacks, it’s just a matter of which ones get through,” said San Jose Chief Information Officer Rob Lloyd. “We’ve had minor ones we’ve been able to resolve. You lose a little ground, but you recover. We really feel for our colleagues in Atlanta and Baltimore. No one’s immune to these types of attacks. Everyone is running into the same type of threats.”
In Oakland, hackers in 2014 shut down various city websites, including the police department’s, and two years earlier released personal information, including home addresses, of city leaders. Spokeswoman Karen Boyd said there haven’t been any recent ransomware attacks, but it is always a concern.
“Attacks like the one that occurred in Atlanta remind us that it is critical that we continue to build upon the security systems we have in place to keep our city safe,” Boyd said.
On March 22, ransomware rocked Atlanta with a “digital extortion” that the New York Times called “one of the most sustained and consequential cyberattacks ever mounted against a major American city.” Dell SecureWorks, an Atlanta company helping the city respond, said it was the work of a hacking crew called “SamSam” that demanded $51,000 to free the city networks.
On Sunday, an attack on Baltimore shut down the city’s automated emergency dispatching for some 17 hours, according to the Washington Post. On Wednesday, the city’s chief information officer declared it the work of “ransomware perpetrators.”
Officials in Walnut Creek and Contra Costa County had no immediate response Thursday to how often they are attacked. Lloyd said that San Jose’s efforts to keep ransomware hackers at bay “starts with individuals being vigilant with own practices.”
“That’s a key part of our cybersecurity plan, making sure our practices and habits lend to a more secure environment,” Lloyd said.
Boyd said that “Oakland’s Information Technology Department takes security concerns very seriously and has technology and protocols in place to protect the city’s assets and maintain security.”
Ransomware is one of many types of security threats they must guard against, in which hackers commandeer computer systems and threaten to destroy data or paralyze networks unless they are paid.
“It’s really alarming frankly what’s happening in Atlanta, but many people in the national security space have been worried about this for a long time,” said Kenneth Geers, senior research scientist at cybersecurity firm Comodo.
While businesses also are subject to such cyberattacks, experts say local governments are an appealing target for several reasons. They have lots of valuable personal data such as birth certificates and operate vital public systems such as emergency dispatch and wastewater treatment. They provide lots of information on the internet and have large staffs they must train to protect their networks. And they have limited budgets for upgrading their networks and security systems.
“All kinds of public institutions including universities are ripe targets for folks involved in deploying this type of malware,” said Brian Krebs, author of the security website KrebsonSecurity.com. “And eventually they don’t outrun the bear.”
In 2016, the International City/County Management Association, a professional organization for local government administrators, surveyed 3,423 local governments serving populations of 25,000 or more on cybersecurity.
The association found that more than one in four – 26 percent – reported experiencing cyber attacks, attempts to gain unauthorized access, at least once an hour, and 32 percent said the motivation was ransom. About one in six – 16.3 percent – reported security incidents at least once a year in which their network security was compromised. And about one in seven – 14 percent – reported security breaches at least once a year in which unauthorized access was confirmed.
But “the most troubling results,” the survey study authors said, were “the high percentage of respondents that did not know how often they are attacked (27.6 percent) and experience incidents (29.7 percent) and breaches (41.0 percent).”
“These data strongly suggest that, on average, local governments in the United States are not doing the kind of job necessary to achieve high levels of cybersecurity,” the study concluded.
Cory Fleming, a senior technical specialist, with the International City/County Management Association, said “it is something I don’t think a lot of local government managers have stopped to think about.”
“Our technology has been growing so fast,” Fleming said, “but so have the technologies to thwart that technology.”
The cost of data breaches can be staggering. A 2016 BetaNews article put the total average cost of a data breach at $6.53 million, including $3.72 million in lost business. Fleming said it’s become so costly that some municipalities are buying insurance to cover the costs of cyberattacks.
Fleming said that for many ransomware victims, “it’s cheaper for them to pay the ransom so they can continue to operate than to not pay them.”
It’s unclear how the ransomware invaded Atlanta and Baltimore. But Krebs said that most breaches happen when organizations fall behind in “patching some kind of server.”
Local governments spend billions on information technology – more than $30 billion for cities and $22 billion for counties, according to a 2017 report in Government Technology magazine.
But the typical state or local government agency spends less than 5 percent of its information technology budget on cybersecurity, while the typical commercial enterprise spends more than 10 percent, according to the management association report.
But guarding against attacks requires more vigilance than money. Security requires funding for hardware and software capable of detecting, cataloging, and preventing attacks, and for a sufficient and well-trained cybersecurity staff.
“The good news,” the report said, “is that, for the most part, local governments can … improve cybersecurity without spending a lot of money.”