Last month’s coordinated ransomware attacks against 23 cities in Texas reflect a troubling trend for America’s cities: Bad actors are addicted to the payoff. In the 30 years since the first ransomware attack, the digital environment has changed beyond recognition, and it will only continue to mutate — by next year, approximately 30 billion devices will be connected to the internet, and by 2025, almost five billion people will have access to the web. This presents an ever-growing opportunity for cybercriminals to wreak havoc — with local governments frequently in their crosshairs.
In the simplest terms, ransomware is malware that locks up data until the victim pays money to regain access. Established ransomware tactics involve holding a user’s data hostage for a few hundred dollars in Bitcoin. But attackers also make use of new ransomware strains like “Ryuk” and “SamSam” that target and infect entire organizations, and the demands for money increase exponentially. For instance, SamSam’s ransomware extortions average about $50,000 per attack. In August, a “single threat actor” likely compromised a managed-service provider — a company that manages numerous IT systems or services — to conduct attacks against Texas municipalities, demanding a collective $2.5 million. But even after cities pay up, attackers may continue to target them and their insurers.
In August, the New York Times reported that more than 40 municipalities were hit by cyberattacks this year, affecting businesses reliant on local governments as well as systems related to emergency services. The trend isn’t surprising, as many localities are low-hanging fruit for cybercriminals. Too many municipalities remain unprepared for today’s threat-environment, with inconsistent software updates, weak IT departments, and a pattern of selecting the insurer-paid option when confronted with the cost of restoring systems from the ground up. Despite the current advice of the FBI, for instance, Lake City, Fla., paid its ransomware attackers more than $460,000 in Bitcoin this year. Riviera Beach, Fla., paid around $600,000 to regain access to its systems, and Jackson County, Ga., paid $400,000 to return online. While the U.S. government refuses to negotiate with terrorists, small counties, in effect, reward cybercriminals for taking their data hostage.
But municipalities can fight back. Tools and frameworks exist that enable local governments to secure their networks. For starters, state and local governments can follow the technical guidance of the recently created federal Cybersecurity and Infrastructure Security Agency (CISA) to harden their systems. This requires backing up data and retaining copies offline; maintaining consistent patch management; and updating security products and solutions. Overall, municipalities should embrace CISA director Christopher Krebs’ offer to let the agency serve as a consultative body for “capacity-building.”
U.S. technology companies can also help. Tech firms, responsible to shareholders and sensitive to brand reputation, are willing to work with local governments, and that’s an important opportunity for municipalities, especially with the 2020 election looming. Ransomware attacks could be game-changers in the electoral process. A manipulation of, say, a voter-registration database could materially affect election results. Even in a failed attack, the perception of a corrupted electoral process would have damaging civic effects. Municipalities should join initiatives like Microsoft’s Defending Democracy Program and Jigsaw’s Protect Your Election to collaborate on the ransomware problem. Cities can also work with private-sector engineers to craft programs like Europol’s No More Ransom initiative, which uses a bank of decryption tools to help retrieve data. Cities could then recover their data at no cost; companies, for their part, could improve their tool kits.
Local governments need to replicate the private sector’s urgent approach to cybersecurity. According to a 2017 PricewaterhouseCoopers survey, private-sector companies now invest in digital infrastructure as early as possible. This investment includes rigorous cybersecurity-awareness training, with an emphasis on tech literacy. Such literacy proves especially critical in foiling phishing emails, which can manipulate users into clicking links and infecting their devices with malware. According to the Office of Management and Budget, of more than 31,000 cyberwarfare incidents against federal agencies in 2018, almost 7,000 were phishing attacks (27% of incidents used unidentified attack methods). This vulnerability can be addressed, in part, by adopting the tech-literacy blueprints of the private companies willing to help.
Developments in artificial intelligence, particularly machine learning, are making it easier for bad actors — both nation-states and individual criminals — to increase the efficiency, breadth, and precision of their efforts. AI-enabled techniques like automated “spear phishing” will let attackers program phishing attacks at scale, increasing the odds of success. This strategy has vast implications for election security: Imagine phishing attacks, like the successful one against the Democratic National Convention in 2016, visited on every political campaign’s key staffers over and over in a concentrated timeframe. The strategic intentions of nation-state actors, cybercriminals, and “hacktivists,” moreover, are increasingly intertwined, heightening the potential for chaos.
Protecting ourselves against supercharged threats will only grow more complicated, and America’s vulnerable localities are on the front line. Those municipalities must use the best resources of the federal government, along with the ingenuity of the private sector, to assemble their defenses now.