Accendo Reliability

Your Reliability Engineering Professional Development Site


by Greg Hutchins

Risk of Ransomware Attacks on Local Government

Guest Post by James Kline (first posted on CERM® RISK INSIGHTS – reposted here with permission)

In several previous Risk Insights, I discussed the need to view state and local government computer networks as part of the national infrastructure. This was needed because of the importance of the networks in providing and supporting basic services. Further, by viewing these networks as part of the national infrastructure, they become an important part of the overall federal effort to protect and defend the nation’s computer infrastructure. This issue is so important that another paper is appropriate. This piece extends the prior two pieces.

The Risk

The number of cyber-attacks on local government is not clear. However, techtalk.pcpitstop.com found that 34 ransomware attacks against local government occurred in the first seven months of 2018. The attacks have been on various aspects of local government. For instance, in January the City of Sammamish, Washington was attacked. The same month the Salisbury Police Department of Maryland was also attacked. In March 2018, Jackson County, Georgia paid $400,000 to restore their networks. In March 2018, Lincoln County Communications Center, North Carolina was also attacked. In the first four months of 2019 there were 21 attacks. In August 2019, 22 local governments in Texas were the victims of a ransomware attack. Since most attacks do not get reported, or are reported long after they happened, these figures should be on the low end. (1)

The Cost

Across the board, cyber crimes cost the world economy $600 billion in 2017. The amount cyber crimes cost local governments is not known. What is known is that cyber-attacks can be costly. Riviera Beach, Florida paid $600,000 in Bitcoin to recover its data. It is estimated that the ransomware attack cost the city of Baltimore, Maryland $18.2 million. The cost to the city of Atlanta, Georgia was similar.

The Attackers

Who is attacking local governments is a complex question. This is because there are many attackers. Some are individuals out for a thrill, others are criminals, and still others are state actors. The Obama administration accused Russians of interfering with the 2016 election. The U.S. Cyber and Infrastructure Security Agency (CISA) notes that the Chinese government has been active in malicious cyber activity. The Chinese government is trying to exploit any gap between managed service providers and cloud service providers and customers like local governments. (2) It is one of these gaps that resulted in 22 Texas local governments being victims of a cyber-attack. While there is no indication the Chinese government was involved in this cyber-attack, it is worth noting that local governments are vulnerable to state-sponsored attacks.

So far, cyber-attacks can be grouped into three main categories.

  1. Targeted attacks on a specific entity through business emails.
  2. Ransomware attacks which block access to the network, generally through phishing email, and encrypt the organization’s data using malware.
  3. A form of phishing where the attacker’s motive is to obtain passwords to gain access to information like banking information, health data and social security numbers.

Reasons for Attack

Orange County, North Carolina was the victim of a cyber-attack. Their network links numerous departments, from health, criminal justice and transportation to real estate. The data contained on the network is “a treasure trove” of personal information, including social security numbers, medical records and tax identification numbers. Further, since the County is part of the Research Triangle with links to numerous university and research facilities, intellectual property might also be available. North Carolina’s State Chief Risk Officer refers to the data contained in government networks “that criminals are accessing” as low hanging fruit. (3)

Protection

It is not the purpose of this article to provide technical cyber-security recommendations. That is up to the organization’s IT specialists. What is useful beyond that is to take three basic actions. The first is to take the possibility of a cyber-attack seriously. It is far too easy to believe that it will never happen to my organization. Recognize that attacks are occurring and that a failure to take that possibility seriously can create vulnerabilities that an attacker can exploit. Second, recognize that the computer network connects the entire organization. Experience demonstrates an attack can affect the entire organization. The last action is to develop an enterprise-wide risk management approach to cyber-security. The risk management approach should be integrated into the organization’s ERM process.

Conclusion

The prospect of continual cyber-attacks is extremely high. Local governments are easy targets for thrill hackers, cyber criminals and state actors. Local governments need to recognize this reality and act accordingly. Local government must develop an enterprise-wide cyber-security risk assessment process which is compatible with the organization’s ERM process.

Endnotes

  1. Ransomware Attacks Are Testing Resolve of Cities Across America, 2019, August 22, www/newsonthe flipside.com/Americas/ransome-attacks-are-testing-resolve-of-cities-across-america/
  2. CISA, 2019, Chinese Malicious Cyber Activity, https://www.us-cert.gov/china.
  3. Kaplan, Jonah, 2019, Cyber attacks-both domestic and foreign-threaten North Carolina government agencies, November 9, https://abcll.com/technology/cyber-attacks-target-north-carolina-grovernment-agencies/5676476/

BIO:
James J. Kline, Ph.D., CERM, is the author of numerous articles on quality in government and risk analysis. He is a senior member of the American Society for Quality and Six Sigma Green Belt with experience consulting for the private sector and local governments. His recent book, Enterprise Risk Management in Government: Implementing ISO 31000:2018, is available on Amazon. He can be reached at jeffreyk12011@live.com.


About Greg Hutchins

Greg Hutchins PE CERM is the evangelist of Future of Quality: Risk®. He has been involved in quality since 1985 when he set up the first quality program in North America based on Mil Q 9858 for the natural gas industry. Mil Q became ISO 9001 in 1987.

He is the author of more than 30 books. ISO 31000: ERM is the best-selling and highest-rated ISO risk book on Amazon (4.8 stars). Value Added Auditing (4th edition) is the first ISO risk-based auditing book.
