Bonds

The small size of most of America’s municipal governments may once have offered them anonymity and a degree of safety from hackers seeking bigger ransomware payouts from larger organizations.

That dynamic is changing and cybercriminals, balancing risk and reward in a shifting security landscape, have found local governments a path of low resistance for smaller but quicker paydays.

“One thing becoming clear is that size is not necessarily a barrier to being attacked,” according to Omid Rahmani, associate director with Fitch Ratings’ U.S. Public Finance group and a leader on Fitch’s company-wide cyber risk team. “The lowest hanging fruit is always the first to go.”

High-profile attacks haven’t gone away, but current data trends suggest cybercriminals are more frequently seeking smaller targets on easier-to-breach networks.

That spells a problem for municipally managed systems suffering from years of neglect and budget cuts.

Last year, cyber security firms tracked significant increases in attacks on small and medium-sized organizations, large drops in the average ransoms requested by hackers, and steep increases in targeting government institutions worldwide.

According to a 2021 report by cybersecurity firm Sophos, one-third of U.S. local governments reported an attempted hack, with municipal governments being targeted at roughly the same rates as federal institutions.

Hackers have targeted water treatment facilities, school systems, financial institutions, healthcare systems and more, in attacks that forced important systems offline and resulted in millions of dollars in damage.

Rahmani points to a confluence of factors to explain the shift in tactics. 

One is the lack of a unified cyber defense plan in the U.S, leaving local authorities, who often take a “cost-prohibitive” approach to cyber security, responsible for maintaining and securing their own sprawling IT networks.

“It’s really easy to show the taxpayer a dilapidated sewer plant and say look, we need to invest,” said Rahmani. “It’s much harder to take your council or your voters to a dilapidated IT system.”

After years of general and budget neglect, municipal cybersecurity is lagging behind the private sector, said Rahmani. In addition, the rising price of cybersecurity and insurance have kept top-notch coverage out of reach of all but the biggest spenders, like large companies and national governments.

And as they continue to pay considerable sums to harden their defenses, the soft underbelly of long neglected municipal networks — and the volumes of personal, public, and financial data they hold — are becoming increasingly appealing targets for attacks.

Hackers have repurposed tried-and-true tactics against the private sector against government targets, like “supply-chain attacks” that sniff out security flaws in mundane systems to allow hackers access to vital networks. 

Within the last year, such tactics gave hackers control over the locks and cameras at a county jail, hundreds of thousands of patient records from medical facilities, and a 911-operating center, according to local news reports from across the country.

They are also targeting sensitive financial databases with increasing frequency. According to Sophos, attacks in the finance sector, both public and private, were up 238% within the last year as cybercriminals sought to steal and ransom data. 

Such attacks undermine investor confidence wherever they occur, said Rahmani.

Administrators at Pleasant Valley hospital in West Virginia were stuck with $1 million in repairs after refusing to pay a ransom for hacked data.

That was among the reasons hospital administrators cited in 2020 for operating losses that led to debt-service coverage levels below an agreed-upon amount, putting the organization in breach of a covenant, according to a notice trustee WesBanco Bank posted on the Municipal Securities Rulemaking Board’s EMMA disclosure website.

The outstanding bonds were redeemed in full four months later.

In Baltimore, Maryland, the refusal to pay a $76,000 ransom resulted in around $18 million in recovery costs and in Atlanta, a $55,000 ransom, $17 million in recovery costs, according to a recent report from cyber security firm Knowbe4.

All in all, cybercrime is estimated to cost the U.S. government around tens of billions annually and experts expect that number to rise unless steps are taken to bring local defense up to speed.

While a federally organized cyber defense intuitive may bear fruit, the logistical issues presented by the many independent systems make this a distant prospect — at least for now — according to Rahmani.

Enhanced aid from the federal government can help bolster IT systems. Greater attention and support from local leaders as well as an increase in public IT employee salaries to keep talented specialists from leaving for the private sector could help as well.

Training all staff may be most important, because most security breaches take advantage of human vulnerabilities as opposed to technological weakness.

“Cybersecurity is a psychological problem,” Rahmani said, “which means that folks have to be tricked into doing something.”

Clicking a phishing email, downloading links online, or even sharing a password or personal information are all common ways malicious actors can enter an IT network. Educating employees on “cybersecurity hygiene” and best practices can help reduce those instances drastically

“Cybersecurity doesn’t have to be expensive,” Rahmani said, “if you can just make people do this.”