With several months to go, 2019 is already a stark reminder of the havoc that an attack on a city’s IT systems can cause. In early May, the city of Baltimore fell victim to a major ransomware attack, which knocked numerous systems offline, grinding routine functions to a halt, all nearly one year after the city successfully mitigated an attack on its 911 servers. The costs have yet to be totaled, but early estimates reach well into the millions—far exceeding the ransom demanded by the hacker. Even more recently, ransomware attacks in Texas affected more than 20 municipalities in the state, compromising the privacy of tens of thousands of citizens.
According to a study by Allen Liska and Recorded Future, which acknowledges these types of attacks may be undercounted, 2019 had already seen about two dozen publicly reported cyberattacks against state and local governments at the time of the latest Baltimore incident. The Texas attacks have nearly doubled that total since then, possibly making 2019 a record year for this growing challenge to city and county governments.
Local government data breaches through ransomware and phishing schemes, among other hacking tactics, are a relatively new and certainly dangerous threat to communities of all sizes across the U.S., and can often require new solutions for cyberattack mitigation or prevention. While local leaders look to affected cities like Baltimore, Atlanta, or even Riviera Beach, Fla., as strategic case studies, these threats have become too dire to depend solely on the precedent set by responses to previous attacks as guidelines to prepare communities for potential breaches.
This is not to say that there isn’t plenty to be learned from these evolving cyber threats, however. One important lesson we’ve learned from these attacks is that no local government is immune to these challenges. Attacks on Atlanta, Baltimore, and the Los Angeles Police Department were unsurprising to most considering their impact, but the damage caused to small and mid-sized communities, like those in Texas, should serve as a wake-up call to those responsible for running localities of all sizes. Local governments sit on mountains of data as more citizens access municipal services online. We’ve also learned that communities must invest in cybersecurity measures in order to prevent threats. Periodic staff training, regular system maintenance, and cybersecurity insurance policies are all low-cost and low-effort ways for local governments to mitigate potential threats to their communities. But the most valuable lessons and strategies for managing communities before, during, and after cyber crises cannot be limited to those strictly related to cyberattacks.
Local governments must classify and react to cyberattacks as the major security threats that they are. In the aftermath of the mega-disasters of the early 2000s, from 9/11 to Hurricane Katrina, governments have begun taking a more serious look at disaster mitigation, resiliency, and continuity of operations planning and preparedness. Now is the time for community leadership to start thinking about and preparing for this new kind of disaster using what they’ve learned from older disasters of all kinds. As a recent ICMA report on disaster recovery suggests, the question is not whether your community will need to recover from a disaster, but when.
The federal government and many states have already started elevating cyber threats as a new attack vector on the homeland: National agencies involved in cybersecurity include the U.S. Department of Homeland Security and the Federal Bureau of Investigation. The Cybersecurity and Infrastructure Security Agency Act, signed into law in November 2018, bolstered cybersecurity efforts across the federal government within the DHS. In Texas, the Division of Information Resources is leading the recovery effort for this latest attack, and the state’s Division of Emergency Management and the Texas Military Department as well as the National Guard are also involved, as they would be under similar circumstances in other states. The time is now for local governments to begin prioritizing cybersecurity as a critical public safety measure.
The organization I work for, ICMA (the International City/County Management Association), has spent years advocating that cybersecurity is not just a CIO issue; it is a C-suite challenge that deserves the full attention of elected and appointed leadership. Local leaders must start thinking about ransomware and other cyberattacks as a potential disaster threat on par with natural disasters and terror attacks on their communities.
Tad McGalliard is the director of research at the International City/County Management Association.