- On April 10, the city of Greenville, North Carolina, had to disconnect most city-owned computers from the internet due to what officials said was a RobinHood ransomware infection, a duplicitous piece of malware that pretends to raise awareness and funds for the people of Yemen.
- On April 13, Imperial County, California was hit with Ryuk ransomware, which is designed to target enterprise environments, forcing its website to go dark and causing some city systems to malfunction, including a number of departments’ phone lines.
- On the same day Imperial County was infected, the city of Stuart, Florida, was hit by Ryuk ransomware, forcing system shut-downs affecting payroll, utilities and other vital functions, including police and fire departments.
- On April 18, an unspecified piece of malware, likely ransomware, crippled the city’s computer network in Augusta, Maine.
- On April 21, the municipally owned airport in Cleveland, Ohio, Cleveland Hopkins International airport, was struck by still-unspecified malware, causing the airport’s flight and baggage information boards to go dark, an outage that lasted at least five days.
Despite what appears to be a recent spurt in municipal ransomware attacks, these infections are nothing new to the nation’s cities. The most high-profile municipal ransomware attack took place over a year ago in March 2018 when the city of Atlanta was crippled by SamSam ransomware. According to Wired magazine, the city of Atlanta ended up spending $2.6 million to respond to that attack, roughly 52 times the amount of the $50,000 or so in ransom demanded by the attackers.
Cyberattacks on municipalities harder to hide
Still, the recent spate of attacks raises the question: Are municipal ransomware infections on the rise? According to some municipal cybersecurity experts, cities have long grappled with malware and ransomware attacks at the same rate as private sector organizations, but are just now becoming more public about it.
“Most of these cities have had issues just like businesses have for years,” Gary Hayslip, former CISO for the City of San Diego, California, and now CISO for security firm Webroot, says. “It's just more of them are being public about it because governments are requiring it now more.”
It’s increasingly difficult to hide city ransomware infections, particularly given that responding to them often requires funds from municipal coffers. “Typically, you end up having to pull out your cyber insurance and you’ve got to get Mandiant or somebody that you have on call to come on over and help you clean up and then hopefully get your data back,” says Hayslip. “So, you're not going to keep that kind of stuff quiet.”
Internet-delivered city services present more opportunities for attackers
Cities are getting deeper and deeper into IP-based activities to deliver services as efficiently as possible, giving attackers more opportunity to engage in malicious behavior. “I would say there are a couple of big pressures that I think are relevant to most industries, but state and local governments are also exposed to it. First and foremost is the rapid expansion and availability of technology capabilities,” says Chris Kennedy, former government cybersecurity veteran and currently CISO of cybersecurity firm AttackIQ.
Attackers are also getting more savvy. “There's a constantly growing threat of exploitation either through investment from state-sponsored actors to the commoditization of very sophisticated attack techniques that are easy to use for inexperienced hackers. Ransomware isn't new. It's just how it's been packaged up and how it's being leveraged operationally by the hacker community.”
Data stored in city systems an attractive target
Whether attacks on cities are increasing or just coming more to light now, it’s clear that they’re attractive targets for attackers. “If you think long-range, state and local governments offer a wealth of information about citizen activity. You can imagine how cyber criminals would want to take advantage of that collection of information for identity theft and things like that,” says Kennedy.
“Most people don't realize cities have massive amounts of data. It's amazing the different types of data that they have. I mean it's just phenomenal. They have everything from permits to people paying their water bills to parking tickets to whatever. People are investing in bonds,” says Hayslip, adding that cities also accept credit cards. “U.S. cities are very, very similar to large multinational businesses.”
Financial constraints put a squeeze on security
Unlike large multinational businesses, however, cities, particularly small cities or towns, face financial constraints that limit just how much they can spend on protecting themselves from breaches, malware infections and other kinds of attacks. “It can be an overwhelming problem if you're not adequately staffed,” Kennedy says. “When you're resource-constrained a lot of the operating falls to contractors” and “how well you manage those contractors is often difficult.”
On top of that, cities struggle to keep pace with technology refresh cycles, which are growing shorter each year. “Today the typical refresh cycle is about 18 months and most cities aren't ready for it. A lot of the larger cities still have mainframes.” Hayslip says. “In a business you can do rip and replace. You can go ahead and say we're going to be down and we're going to stand up a parallel data center and we're going to flip over and rip out all this old stuff and then go on about our business. That's very hard to do when you have citizens that are riding on the services that you provide and don’t like to have their services interrupted.”
State and local governments need federal cybersecurity assistance
While municipal governments struggle with increased attacks, constrained resources and outdated equipment, there are few easy solutions to the unique problems they face. Hayslip thinks the federal government has a role to play in helping cities with funding shortages. “These municipal governments and state governments are tied to massive amounts of federal networks. They're all interrelated and tied to each other,” he says.
“There should be a pool available to state and local governments” to provide small governments funds to addresses at least the basics of cybersecurity, such as updated software, firewalls and other cyber hygiene-related needs. “It would reduce the risk on the supply chain side among the municipal, state and federal networks,” according to Hayslip.
Cities that are fortunate enough to have dedicated security staff, which Hayslip says begins when the municipality reaches 300 employees, can also benefit from participating in formal and informal information-sharing efforts. Among the formal options available to cities are the FBI, the Multi-State Information Sharing and Analysis Center (MS-ISAC), which is focused on state, local, tribal and territorial government cybersecurity, as well as resources available from the Department of Homeland Security.
Local governments should share security data
When it comes to local governments, sharing information informally can be as helpful as the more formal efforts. When Hayslip was CISO of San Diego, he had a loose group of peers from other jurisdictions in the area and nine times out of ten when one of them was dealing with a sustained attack, the others were, too. Cybercriminals like to “get the most bang for their buck so they'll attack a region” where local governments are likely to be interconnected, he says.
On the whole cities appear to be dealing adequately with the ransomware and other malware infections that come their way. “Some of them are really taking it seriously and they're building. Not just the city of San Diego but Los Angeles is doing very well. The city of Denver is doing very well.” Even the city of Atlanta is a good example of a municipality that might now be ahead of the curve. “I think they they've learned their lessons and they're putting it together,” Hayslip says.