As cybercrime increases, local governments face an uphill battle in hardening digital defenses

What would a small community do if its school district’s network was attacked by ransomware? What about if a municipally managed wastewater treatment plant in a rural county was shut down by a digital onslaught initiated by organized cybercriminals operating a continent away? 

With cyberthreats increasingly targeting municipal frameworks, these are the types of questions that constituents should be asking—and ones that local administrators should be prepared to answer.  

“You’re talking about tens of millions of dollars being raised from these crimes. It’s become a big business,” said Bert Kashyap, CEO of the cybersecurity firm SecureW2, which advises local governments on cybersecurity. 

Two decades ago when Kashyap entered the industry, hackers “were playing around with malware, it was less of an organized crime type of thing. Now, it’s definitely gotten to the point where there are nation states protecting these folks, and cyber gangs are basically forming syndicates,” Kashyap said. 

Last year, for example, American government organizations were targeted by nearly 80 ransomware attacks, potentially impacting 71 million people, according to a report from the consumer tech information site Comparitech.  

Recently, the Allen Independent School District in Texas was targeted with ransomware. The district refused to pay, according to reports, and parents of children in the school system have since received threatening emails warning their student’s private information will be released if the district doesn’t change course. And on Thursday, the cybersecurity firm Mandiant issued a report detailing how “an aggressive, financially motivated threat actor” that goes by FIN12 is specifically targeting “critical care functions. Almost 20 percent of directly observed FIN12 victims were in the health care industry.” 

Faced with this rapidly emerging threat, Kashyap says most of the administrators he’s talked to and advised say they’re not prepared. 

“Everyone from school district (managers) to other local officials tell us they’re concerned,” he said. “Especially with the ransomware threats, when you have a situation (that) potentially could take days if not weeks to restore all of your data, these are real things that are keeping local government leaders up at night. No. They themselves tell us they’re not adequately prepared.” 

Given the scope and sophistication of this new threat, local administrators face an uphill battle in building adequate cyber defenses. In this effort, Kashyap outlined three distinct hurdles, as he sees them, faced by municipalities: “There’s an information gap; there’s a skills gap; there’s a funding gap.” 

Compounding everything, because it’s a relatively new threat for cities and counties, most municipal leaders “are not well versed in this area. Since we talk to a lot of folks who manage the technology, they understand what’s at stake and what’s scary about it,” Kashyap said. “But they haven’t gotten enough visibility at the most senior levels, and when they do, they don’t have enough attention.” 

And it’s not just local leaders that don’t understand how big the threat is. Cybercrime is an abstract concept compared to concrete infrastructure and crumbling roadways, so the implications can be difficult for constituents to grasp, too.

“People don’t realize that there’s tons of private information that’s held by your local water utility and your local sewer utility,” Kashyap continued. And that information, if stolen from municipalities, could make its way to the far corners of the dark web in a few clicks. 

But even if a community recognized the problem and had the money to address it, Kashyap says there aren’t enough skilled workers to meet the need. When competing with high tech firms that offer high wages and comprehensive benefit packages, municipalities find themselves “unable to attract top cybersecurity talent,” he continued, estimating “there’s a shortage of a half million cyber engineers in the country.” 

To fill the funding gap, especially, the federal government in collaboration with industry leaders has taken a number of steps to try to bolster the nation’s cyber defenses. Kashyap estimated there’s about $1 billion slated for improving cybersecurity in the $550 billion bipartisan infrastructure bill that’s currently being debated in Congress. That’s not nearly enough, according to Kashyap. 

“It’s a fine start, but it’s woefully inadequate to address the size of the problem we face,” he said. ”There’s a little over 3,000 counties in the U.S. with roughly about 100,0000 residents, on average. The current plan that’s in place might be able to get you barely one fulltime cybersecurity advisor. That’s not going to really make a dent when you talk about the scale that we’re talking about here.” 

A lasting solution to the challenge, according to Kashyap, will come through grassroots efforts initiated by constituents themselves.  

“From a local government perspective, the issue here is that the fed gov cannot supplant the gap in its entirety,” he said. Local governments must “embrace and get public support to protect constituent data. Those conversations need to be had for this to have a long-term effect.” 

Legislation, which acts as a guide and can get the ball rolling, could also be helpful. In the near future, Kashyap says he anticipates that laws pertaining to cybersecurity protocols for local governments will probably be enacted—most likely modeled off the federal government’s Zero Trust Framework, which was designed following President Joe Biden’s executive order mandating updated security protocols following the Colonial Pipeline Hack. 

“Is a great blueprint for what states can do—the guidelines have been set. The federal government is taking a more active role about steps that need to be taken,” he said. 

Besides the serious risk of personal information being released into the wrong hands, poor cybersecurity has considerable financial implications, too. 

“Already, we’re seeing cybersecurity premiums skyrocket,” Kashyap said. “Longterm, that’s going to result in higher security bills, greater costs to send kids to school. Taxes are going to go up eventually if you don’t fix the problem.” 

And beyond taxes, cybercrime is here to stay—and it will probably only become more common as the world plunges further into the digital era. 

“I think that’s a direction we’re going—if you can shut down a pipeline without firing a missile, why would you fight a war?” Kashyap said. “Wars that are going to fought 40, 50 years from now are going to be fought with cyberwarfare.”