Why Have Cities Become Prime Targets of Cyber-crime?
As cyber-threat landscapes continue to shift and advance in both public and private sectors, so too should organizations’ cyber-defenses. And while many private sector entities from a wide array of industries have prioritized cyber-security, the public sector has yet to follow suit.
Local governments across the United States have become prime targets for cyber-attacks this year. From major cities such as Baltimore and Albany to small towns such as Lake City, Florida, and Wilmer, Texas, it seems that no municipality is safe from progressively sophisticated cyber-crime.
Responding to the increasing frequency of cyber-attacks on municipalities, the US Department of Homeland Security issued a warning on August 21 about a “Ransomware Outbreak” and urged cities and towns to “back up your data, system images and configurations” and keep them offline[i]. Ransomware has indeed become a pandemic in the US as hackers increasingly target larger, higher-profile victims such as municipalities. Last week alone, at least 22 Texas towns were hit by a coordinated ransomware attack; experts agree such attacks will only become more frequent.
So why have towns and cities become primary targets for cyber-crime? What kind of fallout can these organizations expect as a result of being targeted? And what can they do to prevent such attacks?
The rationale behind targeting municipalities
Many American cities have complex yet outdated IT systems which are not often updated, resulting in considerable vulnerabilities. Smaller cities, many of which lack large cybersecurity budgets and robust back-up systems, are particularly vulnerable.
Moreover, unlike private businesses, cities can’t conceal being attacked.
Though the more advanced systems of banks and hospitals used to be primary targets of cyber-crime, the increased occurrence of small city attacks indicates that hackers are developing a preference for the easier (yet nonetheless lucrative) attacks on smaller cities and towns.
In short, the combination of limited resources and data-rich environments makes municipalities high-value targets for cyber-criminals.
Expected repercussions of an attack
When a municipality is attacked, basic services will typically be disrupted. This disruption can range from interfering with public library and billing services to completely freezing law enforcement and public safety services. Regardless of the immediate results, recovery efforts usually cost a city millions of dollars. The attack on the city of Baltimore, for example, in which hackers demanded $76,000, is expected to cost the city over $18 million in lost revenue and city expenditures[ii].
The true cost of an attack goes beyond financial repercussions. Once networks are restored, services reestablished and data reinstated, there is almost always a loss of confidence in the city itself as well as the systems that handle services such as water, power and emergency communications. Though complicated to quantify, this loss of confidence can be detrimental to a municipality’s brand as well as its relationship with its constituencies.
So who is to blame when a city is attacked?
“There is a push for accountability, which means firing people. It almost never happens,” said James A. Lewis, a researcher at the Center for Strategic and International Studies[iii]. Five states in the US have laws that refer to computer extortion or “ransomware” (California, Connecticut, Michigan, Texas and Wyoming), while others have laws that prohibit computer crimes such as use of malware. But because most of the ransomware laws have been in place for only a few years, prosecutors, court officials and lawmakers say prosecutions have been nearly nonexistent.
Lake City’s former IT director Brian A. Hawkins proved to be an exception and was blamed for the breach as well as for the time it took to recover. Yet Hawkins maintains that he warned the city about its vulnerabilities years prior to the breach but was refused the budget required to close the gaps in the city’s computer networks. “With cities from Florida to Maryland grappling with an onslaught of ransomware attacks that are costing millions, the harsh reality is that it is often one- or two-person information technology offices with meager budgets and strict spending rules that are the main lines of defense,” said the New York Times’ Frances Robles in an August 22 article on Lake City’s post-breach liability[iv].
What’s more, Lake City is also one of the very few cities to have paid a ransom demand (around $460,000 in Bitcoin) because city officials believed restructuring their systems would be even more costly and because they had purchased cyber-insurance. This summer, an insurer paid $450,000 of the $460,000 ransom.
How to prevent attacks from happening
While it may be impossible to eliminate every threat, there are practical steps every municipality can take to bolster its cyber-defenses. Optimizing an organization’s most valuable resources (its equipment, its people and its processes) to establish a proactive and protected IT landscape will build unprecedented capacity to prevent, detect, mitigate and respond to cyber-security threat vectors.
- Equipment: Identifying the right tools for your business’s security (software and hardware; local and cloud-based systems) is key to ensuring seamless cybersecurity deployment.
- People: Cybersecurity education is critical for both tech-savvy and non-tech-savvy personnel. With evolving threats emanating from new sources, there is a very real need for organizations’ cybersecurity preparedness to go beyond procurement and into training. This holds true for municipalities, corporations and private businesses alike. People are both an organization’s strongest line of defense and its weakest link; all personnel require a basic level of cybersecurity awareness.
- Processes: It is crucial to ensure that your organization has processes in place to prevent, detect, mitigate, respond to and recover from the vast array of threat vectors in today’s cyber security landscape (from phishing vectors to ransomware to data and IP theft). Many industries today have region- and sector-specific best practices available for guiding organizations through difficult cybersecurity incident scenarios.
The interplay between these golden resources (equipment, people and processes) is arguably as critical as the efficacy of the resources themselves. People must be able to leverage equipment according to various methodologies in such a way as to stay abreast of quickly changing circumstances and make strong decisions under difficult conditions. People should be trained in how to implement SOPs, emergency protocols and incident response plans in order to mitigate damage to the fullest degree possible, before an incident escalates to a crisis.