50% Increase in Cyberattacks on state and local government

Many of the cyberattacks that target state, local, tribal and territorial governments are not as complicated as they seem and could potentially be avoided through “simple steps such as improved cyber hygiene and two-factor authentication, a new report states.”

In the past three years, alone, cybersecurity attacks--which the report defines as targeted instances of intrusion, fraud or damage by malicious cyber actors rather than discovery of insecure databases or accidental online leaks-- have risen by a staggering 50%, according to the “State and Local Government Security Report” that BlueVoyant, a cybersecurity firm, released Aug. 27. That amount is also reported to likely be only a fraction of the true number, the report adds.

This research ultimately confirmed the company’s prior belief that “active threat targeting happens across the board. ‘For every selected county’s online footprint, evidence showed some sign of intentional targeting,’ the report states.” Furthermore, there were five counties, approximately around 17% of those studied, demonstrated signs of compromise, and indicated that traffic from governments assets had been reaching out to malicious networks.

Former FBI special agent in New York and head of ransomware/incident response at BlueVoyant, Austin Berglas stated “There’s a collective risk here because there is no standardization. You have certain state and locals that are on dot-coms and dot-us or dot-orgs. One would think that these should be on the dot-gov domain because [that] means that you not only check the box as being a certified government site, but you get forced two-factor authentication and you’re always going to have HTTPS.”

Ransomware tends to be the primary way in which municipal assets are targeted. However, what is even more concerning than the growing rate of attacks, is the actual financial increase in ransom that is demanded. Data shows that average ransom demands rose from “a monthly average of $30,000 to nearly half a million dollars, with total monetary value of ransom demands reaching into the millions.” Even when some cities refuse to pay, the costs can still be absolutely costly. For example, the 2019 ransomware attack on Baltimore cost the city “more than $18 million in damages and remediation. ‘The notion of ‘Hey, I’m small. The bad guys aren’t going to be targeting me’ is no longer applicable,” Berglas said. “The bad guys know how valuable” state and local government data is, so they go after the personally identifiable information in tax records or disrupt entire networks in an extortion attempt. “We’ve personally seen a municipality in the past year get completely compromised, locked up with ransomware and the entire 911 system was locked down.”

Some other attack vectors include typical data breaches and “typosquatting [a term that refers to] threat actors impersonat[ing] trusted domains with near-identical website URLs, according to the report. Such sites are often created as a means of advanced threat infrastructure: pre-positioning for many phishing, spear-phishing and [social media] influence campaigns.” That being said, the COVID-19 pandemic and upcoming presidential election have aided the awareness of cybersecurity and put key cybersecurity events and issues in the public eye.

Berglas assured that as a result of the pandemic “we immediately expanded our attack surface immensely. If I’m an IT section of a company and I’ve got the responsibility of protecting and maintaining the endpoints -- the laptops, the computers, the phones -- and all of a sudden that just tripled, quadrupled in number and now my company is allowing people to use their own devices, [I need to know how] those devices managed,” he said. “Are there endpoint sensors on those devices to protect them? Are there containers that separate work from personal information? Is there data-loss protection capability on there? All of these questions come into play.”

When it comes to the particulars of election security, what’s at stake is not only the potential for changing votes, but more importantly, the specific undermining faith in the process. For example, could a potential ransomware attack target the voting process? The good news is that state and local governments can take immediate action to ameliorate their “security postures, Berglas said. The first is to implement password hygiene or the use of complex passwords that automation would struggle to detect. Second is two-factor authentication, which deters bad actors who don’t want to have to take extra steps to gain access, and the third is a review of remote desktop protocols, including ensuring that ports are closed after employees finish using them.”

In addition, agencies can build on this security from there by ensuring that sufficient backups are accounted for, as well as planning for defense-in-depth and following the least-privilege principle--meaning that people on the network can access only the information they need to do their jobs. Berglas also concluded that “agencies need visibility into the entire network so they can monitor it round-the-clock.”