Securing the Digital World

Is Municipal Ransomware Something to Lose Sleep Over?

Jun 04, 2020 | by Peter Beardmore

“What keeps you up at night?” It’s the most common and cliché question asked of Chief Information Security Officers (CISOs) and Chief Risk Officers (CROs). Lately, the answers point to their organizations’ response to the current disruption: workforce, supply chain, cyber threats and security operations, and second-order effects from changes in business operations.

In my opinion, with the help of trusted organizations like RSA, the talented CISOs and CROs that work at major Fortune 1000 companies have got this under control. Although the work is far from complete, there are tried-and-true frameworks and standards – such as ISO 31000 – to follow, at least for those who know (and know how).

What keeps me up at night? The organizations we rely upon daily for a myriad of services ranging from public safety to education and utilities, who don’t benefit from the guiding hand of a CISO or CRO. In the United States there are roughly 18,000 municipalities that serve populations of under 25,000 people.

Serving a population of approximately 12,000, my local town hall houses an IT department of five full-time employees, servicing a government and school district of roughly 300 employees and 1,800 students. They are led by an experienced, mid-career IT manager who has made progress in managing the town’s digital risk. The team has heeded lessons from a spate of recent municipal ransomware attacks and is alert to the scams and identity attacks that exploit disruption and anxiety from the current crisis.

But, let’s face it: small towns generally don’t have experienced executives, CISOs or CROs keeping watchful eyes on all things digital. A recent study found that many small towns lack adequate funding, support from elected and appointed leaders, staffing and training, and end-user cybersecurity awareness and accountability.

Meanwhile, the resources citizens rely upon (human, digital and financial) are stretched thin. While still maintaining physical and digital infrastructures, and day-to-day operations, municipal IT teams have also recently been tasked with:

  • Enabling remote work for countless local government positions, many of which were never conceived to be remote. Meanwhile, policies, practices and procedures are evolving to help maintain critical public services.
  • Surveying the entire student population for access to devices and internet services and outfitting many with both. They have also supported remote learning in collaboration with local educators.
  • Enabling a remote government through video conferencing for boards and commissions, and routing those feeds to Public Access Cable, Facebook and YouTube; all while maintaining compliance with a newly adapted open meeting law.
  • Assisting in the planning and development for a myriad of re-opening scenarios.

Suffice it to say, this local IT team has been busy. Meanwhile, the attack surface is expanding every step of the way.

This brings me back to my sleeplessness. There’s no indication that threat actors have taken a sabbatical. In fact, we’ve seen some alarming reports that suggest otherwise. Ironically, there are indications that successful ransomware attacks on municipalities have decreased during the pandemic.

I wonder if the attacks are underway and have yet to be revealed. Let’s hypothesize that 10 percent of those living in these municipalities – so, 1,800 people in city and town governments – fell victim to a scam that employed some of the newer, more insidious ransomware. What if 9-1-1 emergency dispatch routing, access to critical records, billing and payments, all digital communications - including those between parents and schools, public works and utilities, sanitation - all came to a sudden halt? Now imagine this disruption compounding the stress on already strained public resources amid the current disruption.

I don’t think we should wait to find out. Some federal funding has been proposed to help. RSA and its ecosystem of partners stand ready to help organizations of all sizes, private and public, manage their digital risk throughout times of disruption, especially now.