Skip to main content

Back to Blog

Cyberattacks on Municipalities and How to Defend Against Them

Cyberattacks continue to have a massive economic impact on local and state branches of governments across the U.S. When sectors of government are breached, the credibility of their institutions is jeopardized, leading to a negative cycle of resource allocation. When focusing on municipalities, it’s particularly easy to see how detrimental the impact can be. 

A Perfect Target

Municipalities are ideal targets for cybercriminals as they provide many essential services to citizens and are responsible for safeguarding confidential information. With such liability comes vulnerability, especially at the less guarded, often local government levels. Cities and townships -which account for over a quarter of municipal targets—require financial infrastructure that is supported largely by taxpayers as well as the federal government.

Methods of Attack

Most cyberattacks on municipalities rely on ransomware, which is malware that blocks user’s access to their files until a ransom is paid to the hackers. Once an attack has occurred, and a ransom is demanded, there is no way to fully escape some type of cost. Either the city or state pays the ransom, or they pay the recovery cost. In addition, a city could lose vital information needed to provide ongoing services to the community.

To get inside a network in the first place, a bad actor needs a foot in the door. There are several methods used. One of the most common being phishing scams, in which a hacker might impersonate a trusted source via email in a bid to obtain personal information or install malware.

A single click can expose an entire database of sensitive information. The result of this is often millions of dollars in financial losses, along with thousands of invaluable, confidential records leaked to the attackers.

Recently, evidence has shown that techniques like brute force attacks and credential stuffing are overtaking phishing emails as the leading methods for distributing ransomware. This is because it’s easier for a hacker to leverage vulnerabilities in a system once they are already inside. Even access to a basic account with few privileges can provide the chance to identify vulnerabilities. The hacker can quickly work to escalate privileges and install malware without raising any red flags until it’s too late.

The core of these hacking methods is the same: a hacker obtaining a user’s credentials. The connections are straightforward: credential stuffing and password spraying are successful because of systemic password re-use. This leads to many compromised credentials, which in turn, allows the soaring frequency of ransomware attacks.

Fear of Failure 

Government entities not only fear losing investment confidence from potential stakeholders, but they require the support of their citizens. It’s a complex issue, with one major structural difference when it comes to the consequences of cyberattacks on businesses versus municipalities: businesses can go under, while governments cannot. Municipalities need to respond to the needs of their citizens, and by not funding defensive cybersecurity strategies, there can be long-term damages for all those served.

Unfortunately, according to a 2018 study conducted by the National Association of State Information Officers (NASCIO), about 50% of states don’t even have cybersecurity as a line item in their budgets.

The Best Defenses

According to the National Conference for State Legislators, about 60% of states either have “voluntary or no cybersecurity training programs at all.” Without training, our representatives, as well the thousands of other government employees, are vulnerable. Officials of both state and local governments are responsible for safeguarding citizen’s personal data. There needs to be an overhaul when it comes to in-place, user-friendly systems that don’t require legislators to also be trained in IT. It’s a necessary part of the defense to have expert personnel on staff to help with ongoing threats as well as training.

However, there are many ways that people get hacked, and one root problem is password reuse. The DBIR report revealed approximately 35% of all breaches were initiated due to weak or compromised credentials—more than any other single reason. Therefore, password hygiene should be a priority for municipalities that are unlikely to have resources for overhauling their systems.

One of the most instantly effective methods to increase network security is to check user’s passwords against a password blacklist of weak and previously compromised credentials. This action is recommended and detailed in the most recent set of NIST guidelines. A software service like Enzoic for Active Directory can provide an unobtrusive solution.

Cybersecurity is not only a topic for IT administrators, but part of a greater conversation to be had with state and national representatives. The lack of funding for cybersecurity initiatives within government is frightening, as municipalities form the backbone of civil service. By analyzing these target areas properly, and providing new perspectives on budgeting, training, and protection, we can move towards a safer future for every citizen.