Cybercriminals have Small Town, USA, in their crosshairs: How to fight back

Bustling main streets. Neighbors and business owners who greet you with your first name. Independence Day parades. These are some of the hallmarks of small-town American life. 

Increasingly, cyberattacks are joining the list as threat actors set their sights on small-town America’s critical infrastructure. 

In 2024, our nation’s small cities and counties are among the most vulnerable entities to cyberattacks, posing a significant and growing security threat to the United States and the daily lives of millions of Americans. But as we highlight below, preparation and public resources can help municipalities combat these bad actors.

Across the country, small municipal and county governments are being targeted by cybercriminals with costly and disruptive effects.

A November 2023 attack on Huber Heights, Ohio, impacted several departments including zoning, engineering, tax, finance, utilities and human resources. In Cullman, Ala., residents were unable to make online payments following a December attack that shut down county computer systems. And in Scotland, Conn. — a town of less than 2,000 residents — cybercriminals made off with more than $250,000 in a fund transfer fraud scheme targeting town accounts. 

While recent attacks on multinational companies and large federal agencies have grabbed the headlines, incidents affecting local infrastructure are equally devastating. And in responding to attacks, smaller communities without the resources and budgets of major metropolitan areas are left to fend for themselves.

Why have cybercriminals increasingly targeted smaller cities and governments? Because they are high-value targets. Small municipalities account for a significant portion of the nation’s population; according to recent census data, 76 percent of the U.S.’s approximately 19,500 incorporated places had fewer than 5,000 people. In small communities where residents rely heavily on public services, government agencies have little tolerance for disruption or downtime, making them more likely to pay a ransom to get their systems back online. 

A seven-figure ransom may seem exorbitant for a small-town budget — that is, until first responders cannot be dispatched to emergencies, financial accounts are inaccessible and hospitals or utilities’ control systems are offline. These agencies may lack the resources for robust cybersecurity training, making them more susceptible to schemes like fund transfer fraud and other social engineering attacks. Finally, government agencies possess valuable data, often highly sensitive, and there is reputational risk and loss of trust when such data is compromised. 

The good news is there are several straightforward steps local governments can take related to planning and preparation: 

• Create a network diagram and data map, which will lay out how data is collected, used, stored, shared and integrated within an IT framework. This can help identify risks and implement security measures commensurate with the volume and types of data used.
• Set rules for retention and deletion of data and implement privileged access management solutions. This helps to ensure data isn’t kept longer than needed and is accessed only by those whose jobs require it.
• Review available or existing cyber insurance and related policies to consider whether coverage is adequate. There can be unique issues for public agencies looking to insure themselves against cyber risk, and some carriers may not offer policies given the risk profile. Municipal and other small government entities may want to consider self-insuring or explore other alternatives to traditional cyber insurance. 
• Take advantage of available resources to make sure they are following best practices, staying on top of software vulnerabilities and implementing patches as needed. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) coordinate with other agencies to distribute current and actionable information on the cyber threat environment and best practices. To give just one recent example, the FBI, CISA and the Environmental Protection Agency released a joint press release to assist owners and operators of water and wastewater systems with best practices for responding to a cybersecurity event. 

Of course, federal authorities aren’t able to respond to every incident nationwide. But resources exist at the state and local levels to fill this gap and provide more direct assistance to smaller government entities experiencing a cyberattack. 

When Bladen County, N.C., was rocked by an attack requiring it to rebuild some of its IT systems from the ground up, it called on the assistance of a multidisciplinary team of specialists, including the N.C. Joint Cybersecurity Task Force, the North Carolina National Guard, the North Carolina Local Government Information Systems Association Cybersecurity Strike Team, North Carolina Emergency Management and the state’s Department of IT.  

InfraGard is a public-private partnership between the FBI and more than 80,000 local governmental and business members, which exists to help smaller communities and the infrastructure that supports them. Our firm, Baker McKenzie, is a partner to InfraGard’s National Members Alliance.

InfraGard can help a local agency or business by providing training, education and resources — which are all free for InfraGard members. Partnerships like this also foster collaboration between industry and government, which is essential to building cyber resilience across our infrastructure sectors. 

Cities, towns and rural communities are all ecosystems in which government and industry work together to provide services and support for citizens. Engaging with businesses in critical sectors and other service providers is necessary for any municipality — big or small — hoping to understand and reduce its exposure to cyber risk.

America’s largest city offers a proof of concept for this kind of collaboration. While serving as the Manhattan district attorney, beginning in 2017, one of us convened a voluntary task force of New York City’s critical infrastructure sectors with local, state and federal law enforcement to provide real-time cybersecurity intelligence on existing or developing cyber threats so those sectors could patch their systems before an attack. Working together across sectors and agencies makes New York safer and provides a model that can be relatively easily replicated elsewhere.

Today all across America, the ability of our local communities to secure our data and recover from a cyberattack is essential to trust in public institutions. State-sponsored cybercriminals operate in no small part to undermine our sense of security in the critical industry sectors we rely upon. 

We must act with urgency to build cyber resilience in our small communities and municipal governments, ensuring that we can protect and defend the infrastructure and essential services that power and support our country.

Cyrus R. Vance is chair of the Global Cybersecurity Practice, Elizabeth Roper is a partner in the North America Litigation and Government Enforcement Practice and Justine Phillips is a partner in the North America Intellectual Property & Technology Practice at Baker McKenzie.