The recent ransomware attack by DarkSide on the Colonial Pipeline, which is one of the largest pipelines in the United States, emphasizes how vulnerable U.S. infrastructure is to a cyberattack. In an effort to contain the breach, the pipeline, which carries 45% of the fuel supplies for the East Coast, shut down operations for six days. The incident resulted in gas shortages and a spike in gas prices. The ransomware attack encrypted the company’s files.
In an interview with the Wall Street Journal, Joseph Blount, CEO of Colonial Pipeline Company, said that he authorized payment of the $4.4 million ransom because the company was not sure how badly the cyberattack had breached its systems or how long it would take to get the pipeline back up.
In order to continue to provide services and stay connected with their constituents, the onset of the global coronavirus pandemic in 2020 forced many state and local governments to quickly pivot to digital technologies. The digital transformation of state and local governments included converting to cloud-based systems and substituting many in-person functions to online processes.
While the transition to digital technology allowed state and local governments to continue to provide vital public services in the midst of the pandemic, cyberattacks increased dramatically with the global spread of the virus. Cybercriminals actively target state and local governments because they collect, process, store, and transmit vast amounts of sensitive data.
Ransomware attacks are one of the most prevalent types of cyberattacks. According to a recent report by Comparitech, there were 79 individual ransomware attacks carried out against U.S. government organizations in 2020, which cost an estimated $18.88 billion in downtime and recovery costs.
Ransomware is a malicious software designed to encrypt data on affected systems, blocking access to computer files or systems unless a ransom is paid in exchange for a decryption key. When it comes to municipalities, ransomware is particularly virulent because it can effectively shut down municipal operations. For state and local governments this can mean disrupting infrastructure services such as 911 systems, utilities, and payment platforms.
What can municipalities do to avoid being the next ransomware victim?
Proper security and preparation can reduce the risk of becoming a victim of ransomware. Improving cybersecurity without spending a lot of money may seem like an impossible task, but there are a number of simple and low-cost security measures that municipalities can proactively implement to combat ransomware attacks. Below are a few best practices that state and local governments should consider to improve their cyber resilience:
Updates and Patches
The highly publicized ransomware attacks in Atlanta, Baltimore, and Prince Edward Island, Canada, were the result of hackers infiltrating government networks by exploiting systems that had not been updated. Outdated software and operating systems are security holes that make state and local governments vulnerable to attack. Hackers are constantly on the lookout for security flaws and software vulnerabilities to exploit. Software updates are important because they not only include the latest features for the software, but they also often include software patches for dangerous security vulnerabilities. One of the easiest things that municipalities can do to thwart a ransomware attack is to consistently keep their systems updated by ensuring that automatic updates are enabled. For software that does not offer automatic updates, set reminders on Outlook or Google calendars to manually check for updates. Given the increased use of ransomware, municipalities should adopt software updating and patch management policies and procedures to ensure that all patches and updates are installed on a regular basis. It is important to make sure that all operating systems, apps, networks, servers and end user desktops, laptops and devices are updated with the most current security patches and software updates. Failure to timely update and patch all systems and devices that have access to municipal systems is like leaving your front door unlocked when you leave for vacation.
Antivirus Software and Firewalls
Municipalities are unlikely to prevent a cyberattack if they do not utilize basic security measures such as antivirus software and firewalls. A firewall can be a first line of defense in preventing unauthorized access to municipal systems by hackers. A firewall is a network security system that acts as a barrier between the municipality’s internal network and potential external threats. Based on defined security rules, a firewall monitors incoming and outgoing network traffic, filtering network traffic by blocking suspicious data while allowing safe data through. While a firewall protects both the hardware and software in the system by blocking unauthorized access, an antivirus program protects the software and system data by detecting and deleting (or quarantining) infected files. Municipalities should make sure that their antivirus software offer defenses against ransomware. Antivirus software is the most common way to protect computers, devices, and networks against internal and external sources of malware, spyware, viruses, and other malicious code. Antivirus software should be installed on all computers and devices that access the municipal network, either internally or remotely. To secure against emerging threats, it is important to set antivirus software programs to automatically run regular scans. It is also critically important to keep antivirus and firewall software regularly patched and updated.
Awareness and Training
According to CSO Magazine, 94% of malware is delivered by email and phishing attacks account for more than 80% of reported cybersecurity incidents, which underscores how technological systems alone cannot prevent a cyberattack. Regular cybersecurity training and awareness is an essential part of protecting municipal computer systems and data. State and local governments should prioritize cybersecurity awareness and training that includes guidance on how to identify and report suspicious activities or incidents such as phishing and social engineering. At the very least, periodic cybersecurity awareness reminders should be sent via email to every employee to maintain vigilance about opening emails and attachments, malicious websites and other defenses to avoid being infected by malware or ransomware. Hackers are continuously developing sophisticated methods to counter cyber resilience and ongoing awareness training is the best way to keep employees informed about these persistent threats. Given the availability of free and low-cost cybersecurity awareness and training materials, municipalities can no longer afford to use the excuse that they do not have the budget or resources for cybersecurity training. Below are a few links to organizations that offer free or low-cost cybersecurity training and awareness materials for state and local governments:
- Cybersecurity & Infrastructure Security Agency (CISA)
- New York State Office of Information Technology Services
- Texas Municipal League Intergovernmental Risk Pool
- Vermont League of Cities and Towns
Backup and Recovery
Since cyberthreats are always evolving, solutions such as antivirus software and firewalls are just one layer of an effective cybersecurity strategy. One of the easiest and least expensive cybersecurity precautions that a municipality can take to mitigate a ransomware attack is to have a backup copy of their systems and files. A backup is a stored copy of municipal data and systems, which can be recovered if their network is the victim of ransomware. Regularly scheduled backups allow a municipality to recover its data to the time before the ransomware attack occurred without losing all of the data created since the last backup. It is critically important for municipalities to establish backup procedures in order to quickly restore operations and minimize service disruptions in the event of a ransomware attack. Backups can be stored using an external hard drive or flash drive, or offsite in the cloud. To ensure their backups are protected from ransomware, municipalities should make sure that their backups are encrypted and kept offsite so that uninfected data can easily be recovered from an alternate location.
In 2018, Riverside, Ohio’s police and fire department servers were subjected to a ransomware attack that shut down the police department’s records management system. The city did not pay the ransom and lost about 10 months of data, which was not recoverable from backups. A backup is of no use if it cannot be recovered when it is needed. Backups should be routinely tested by restoring systems from a backup to verify the data has actually backed up and can be recovered. Municipalities should consider implementing policies and procedures regarding backups, including the frequency and scope of backups, identifying parties responsible for backing up, and testing data recovery.
Safeguarding state and local governments against ransomware and other cyberthreats requires ongoing attentiveness. It is important for municipalities to stay vigilant and not become complacent once they become victim to a ransomware attack or other cyberattack. About a month after the Riverside, Ohio, police and fire department ransomware attack – hackers infected their servers with another ransomware attack. Again, Riverside declined to pay the ransom, but this time they were able to quickly recover because they had learned their lesson from the first attack and had daily backups. The city of Baltimore also was the victim of two separate ransomware attacks – one in March 2018 and another in May 2019.
While there is no procedure or technology that by itself can prevent a ransomware attack with 100% certainty, there are a number of solutions that state and local governments can cost effectively implement to increase the odds that their systems are safeguarded from cyberattacks.
Lisa N. Thompson is chair of the New Hampshire Bar Association Intellectual Property Section and an attorney with Hage Hodes, P.A., and can be reached at Lthompson@hagehodes.com.
Register for ICMA's Cybersecurity Leadership Academy, a 12-week mentorship based collaborative readiness program led by CISOs and other experts who deliver their proven frameworks and insights on how to lead and secure a network and an organization – protecting data assets and the enterprise brand.