The emails showing up on office computers asked about a recent Amazon order. Local government employees in various South Jersey towns were told to click to see the status of the order.
“And most people will click that," said Lou Romero, a cybersecurity expert. “And my question is, ‘Did you order anything on Amazon? [No.] Then why are you clicking on it?’”
Romero, not Amazon, had sent the emails to test how his cyber training was working.
And, yes, some of his pupils did click.
But had such an email come from a malicious source, a municipality’s whole system could have been compromised. The town’s ability to function could have been held hostage for a ransom. Romero has seen it happen.
Ransomware has targeted more than 70 local and state governments so far this year, according to a report by researchers at Barracuda, an IT security company. Among those hit were municipalities in Florida and Texas, and Baltimore, where hackers locked away critical files. Baltimore didn’t pay the ransom, but officials said the attack will cost the city $18 million. In July, the U.S. Department of Homeland Security partnered with national groups to urge governments to take advantage of the best practices and resources to protect themselves.
“These evolving and sophisticated attacks are damaging and costly,” the Barracuda researchers wrote. “They can cripple day-to-day operations, cause chaos, and result in financial losses from downtime, ransom payments, recovery costs, and other unbudgeted and unanticipated expenses.”
Because most municipalities don’t have millions to spend on cybersecurity the way big corporations do, they can be easy prey, Romero said. Several local governments in the region, wary of attacks, declined to talk about their cybersecurity strategies.
“The odds of a municipality becoming a cyber victim are one in four,” said Romero, a consultant for 64 South Jersey municipalities. “So it’s not a matter of if, it’s only a matter of time.”
It’s not that municipalities are being attacked by ransomware more often than individuals and corporations, said Eric Cornelius, chief product officer for BlackBerry’s Cylance, which sells cybersecurity software and services.
"It’s that everyone is being attacked by ransomware more often,” he said.
But attacks against local governments can keep them from delivering a variety of vital services to thousands of residents.
In cybersecurity, local governments are playing catch-up
An employee at a maintenance yard in Haverford Township, Delaware County, got an email with a subject line that seemed off. But it was just enough to be a tease. The worker clicked it.
“And that’s all it took,” said Rick Maclary, the township’s IT director.
A message popped up saying that someone had the computer’s files and the township had to pay a ransom to get them back. The office didn’t store vital information, but when Haverford didn’t pay the ransom, the employee lost contacts and about a month’s worth of data, which the township had not backed up. That was about six years ago.
“That’s when we really learned our lesson that we had to get more serious” about cybersecurity, Maclary said.
Cyberattackers aim to hold systems hostage so local governments can’t operate until they pay a ransom — they are called “denial of service” attacks.
Two years ago, Romero assessed more than 200 small- and medium-sized municipalities in New Jersey. More than 85% had poor password policies, such as allowing fewer than eight characters, not setting expiration dates, or not locking accounts after failed password attempts. Only 4% had any type of cybersecurity awareness training. Municipalities are far behind the private sector, even though ongoing attacks have spurred improvements among the New Jersey towns since 2017.
Attackers, too, are getting more sophisticated, even sending emails that are specific to departments, said Jerry Mascia, Mount Laurel’s superintendent of public works. For example, the permitting department will get an email that says, “Attached is my application to erect a fence.” But it’s malware that infects the municipality’s system once someone opens it.
The challenge for municipalities is figuring out how to maximize their IT security with limited budgets, Romero said. Many local governments don’t have dedicated IT departments and don’t have the resources to attract skilled IT staff, cybersecurity experts said.
‘Cyber hygiene’: Invest in systems, training, and policies
“They are better off spending the money on good-quality cyber hygiene than spending the money and giving it to the lawyers or ransoms,” Romero said. “Cyber hygiene” includes identifying vulnerabilities, using layers of encryption and fire walls to protect data, creating plans to prevent and react to attacks, and keeping up with the latest security patches and system upgrades.
Three municipalities that Romero works with decided to band together and pay a local high school, which has strong cybersecurity, to handle their IT needs.
Cornelius called cybersecurity “the cost of doing business in a digital world.”
“It’s important to realize security is a journey, not a destination,” he said.
He said municipal IT employees often inherit “Frankenstein” systems that are built piecemeal, and the lack of cohesion makes these systems difficult to defend.
Employee cyber training also is necessary. Haverford tells its workers not to use personal emails on township computers and relies on software that scans emails for suspicious behavior before employees see them, reducing the chances that a worker will click something dangerous. The IT department trains workers not to click on suspicious emails and to report them.
Although training is helpful, municipalities shouldn’t rely on it, said Cornelius, who said that over the last two decades, he has engaged in “a highly unsuccessful effort” to teach people not to click suspicious links and emails.
“One always gets clicked,” he said.
Municipalities should develop plans for how they’ll restore services if someone is holding their systems hostage. Few have them, Romero said.
Back up files and stay vigilant
A couple of years ago, Romero was surprised to find that a small South Jersey municipality was backing up its files only every three months, instead of every day, as experts recommend. It turns out that an employee was copying the files one-by-one onto a thumb drive. He showed her how to copy all the files at once.
When Romero advises government officials, he tells them, “Your backups are your lifeline.”
Haverford has taken its lesson to heart, backing up important information every few hours. Local governments also keep track of the periodic warnings the Department of Homeland Security shares about emerging cyberattacks.
“It’s scary the way it is,” Maclary said. “You just can’t trust anybody electronically anymore. You can’t let your guard down.”