Protecting the Protectors: Learning from Cyberattacks on Municipal, Local and State Government Networks
Even a partial list of recent attacks on US municipal, local and state government agencies and offices is enough to strike fear into the hearts of public sector employees and citizens who depend on digital government services: The first half of 2019 saw attacks on Albany, NY; Fisher County, TX; Augusta, ME; Greenville, NC; Cleveland, OH; Baltimore, MD and two different cities in Florida, as well as an attack on Georgia's Judicial Council and Administrative Office of the Courts and a successful business email compromise (BEC) attack on the Virgin Islands Police Department. More recently, cyberattacks struck at several Louisiana school districts; more than 20 different towns in Texas; several county offices in Georgia, Indiana and Illinois; the Lincoln County (NC) Sheriff's Office and the Georgia Department of Public Safety.
Unlike state-sponsored cyberattacks, these high-profile attacks have not aimed to undermine the institutions of democracy or damaged critical infrastructure. But they have caused endless inconvenience for residents and businesses, embarrassment for local officials, and large, unanticipated expenditures of scarce taxpayer dollars. For at least one IT department employee, it has cost him his job.
Why are governments such attractive targets, especially for non-state actors? How should they respond when attacked? And most importantly, how can state, local and municipal government agencies avoid becoming the next cyberattack victim?
Governments can’t hide
Government agencies provide a wide range of digital services to large numbers of customers every day, so disruptions are immediately visible. Unlike businesses, cyberattacks attacks on government systems cannot be hidden behind closed doors or blandly attributed to “technical issues.” Moreover, expenses of rebuilding systems and recovering data are publicly funded, and when demands for ransom payments are involved, transparency requirements mean that decisions must be aboveboard and justifiable.
While governments disclose more attacks, it is not at all clear that they are more likely to be attacked than other sectors. In fact, similar cyberattacks are sweeping through companies and organizations in virtually all sectors – finance, healthcare, manufacturing, education and others.
Attacks make news, news makes attacks
Cybercriminals are opportunistic. While state-sponsored cyberattacks are agenda-driven, most cybercriminals’ thought process extends no further than their wallets. As such, public disclosure requirements not only alert taxpayers that their hard-earned taxes are being used to fund ransoms and/or system recovery. They also encourage copycat attacks on public organizations by malicious actors seeking quick payoffs. So while governments are not currently experiencing a disproportionate share of attacks, the extensive coverage of those attacks – and especially ransom payments – may encourage more attacks in this sector.
Either way, you pay
Governments, like other organizations dealing with ransomware attacks, often receive conflicting advice. Law enforcement officials are adamant that ransoms should not be paid (see above). But security consultants, charged with helping clients recover years of valuable information, often advise payment as the fastest, least costly way to get systems up and running.
But ransom payments come with no guarantees: Recovery is rarely complete. Even worse, some malware, such as Petya / NotPetya, claimed to be ransomware but in fact wiped systems clean, for a lose-lose scenario: Organizations paid ransoms and also paid to recreate systems from scratch.
When budgets are tight, security is apt to be loose
It’s a given that governments are hard-pressed to fund all the services they must provide. As a result, IT departments tend to be underfunded and understaffed. A third of CIOs of local governments report using outdated technology that makes them vulnerable to cyberattacks, and fewer than half held cybersecurity insurance.
All this is why hackers love government agencies.
Sometimes, they really are out to get you
While criminals are responsible for most cyberattacks on government systems, there’s no question that state actors are in on the act, especially in the lead up to elections. Voter databases and software systems were targeted by Russian hackers in almost 80% of US states before the 2016 elections. Poll software, campaign finance databases and users of election-related software and hardware were all targeted. The US Department of Homeland Security is sufficiently concerned about the 2020 elections to have warned state election officials to be on guard for phishing attacks that are often the first step in election database hacking.
Savings start with prevention...
This warning, as well as the constant stream of news about attacks on public service organizations, confirms the penny wise, pound foolishness of poor cybersecurity funding. Consider just a few examples:
- $2.3M stolen from the Virgin Islands Police Department
- $460K and $600K paid by Lake City and Riviera Beach, Fla, respectively
- $18 million expense plus a full month of work for Baltimore to repair damage from attack
These sums dwarf the costs of staffing and technologies that could prevent or limit the impact of attacks.
…And active protection
Consistent with reports that the Lake City, FL attack started with an employee opening a document that he received via email, 74% of threats enter organizations via phishing attacks, using email attachments or links, while 48% enter via web-based drive-bys or downloads.
The cost of detecting malware once it enters via these vectors is estimated at $393K if detected as soon as it enters and rises to over $1M if detected only after a week. Detection comprises a significant part of the overall financial impact of a cyberattack and goes a long way to explaining why costs top $500K for over half of all attacks. Remediation, revenue loss during the outage, damage to reputations, legal expenses and penalties and fines make up the bulk of the remaining costs.
Preventing malware from entering via the internet and protecting users from falling prey to phishing attacks would go a long way to slowing the spate of successful attacks. Protecting vulnerable endpoints from attack via these dominant vectors can save state, local and municipal governments – in fact, all organizations -- from the hassle, embarrassment and high costs of cyberattacks.
Zero Trust Browsing’s the answer
Ericom Shield is a cost-effective Zero Trust browsing solution that trusts no internet content to touch agency networks. It shuts down the dominant threat vectors through which ransomware and other malware penetrates government and other organizations, while still allowing users to freely access the websites and emails they need to get their jobs done.
Using remote browser isolation, all website content is rendered by a virtual browser located in a disposable container in the cloud, airgapped from endpoints. On their regular browsers, users view and interact completely naturally with a clean media stream, that’s free of all threats. When a tab is closed, the container and all web content are destroyed.
Beyond preventing malicious phishing downloads by opening links in remote isolation, Ericom Shield enables suspicious, uncategorized and likely-spoofed sites to be viewed in read-only mode, so unsuspecting users can’t enter credentials.
Ideally for IT-strapped government agencies, Ericom Shield is clientless and centrally-managed. Most importantly, the smooth, natural user experience and rich policy options mean lower demands on scarce helpdesk resources.