Dallas. Baltimore. Atlanta. These cities are spread throughout the U.S. with different resources, priorities and constituents, but all three – and many like them – have faced expensive cyberattacks compromising their data and daily operations. Now, state and local governments are asking the federal government for help.
“We are living in a different digital world now,” Atlanta Mayor Keisha Lance Bottoms said. “Nation-state actors and other foreign adversaries are attacking our state and local governments and we need a strong federal partner to defend against those threats.”
At Tuesday’s House Cybersecurity Challenges for State and Local Governments hearing, Lance Bottoms testified alongside cybersecurity professionals about what Atlanta learned from the 2018 ransomware attack. After refusing to pay its attackers the $51,000 that they demanded, Atlanta spent $7.2 million to recover its systems. The damage ran the gamut from minor frustrations, like cancelled municipal court hearings, to permanent data loss, including some police dashcam footage.
Atlanta’s growth since the ransomware attacks is like a phoenix rising from the ashes; they’ve since become one of the country’s top cybersecurity hubs. Lance Bottoms aims to spread what they’ve learned from the 2018 crisis to ensure that other cities take cybersecurity seriously.
State and local governments are especially susceptible to cyberattacks because of their limited resources dedicated to cybersecurity. Rep. John Katko (R-New York), the ranking member of the House Cybersecurity, Infrastructure Protection and Innovation Subcommittee, cited a study by the National Association of State Chief Information Officers (NASCIO) and explained that some states still spend just 1% of their information technology budget on cybersecurity. He also announced that he will be introducing a bill to allocate federal funds and resources to combat these issues.
“We cannot expect underresourced, understaffed state and local governments to defend their networks from state-sponsored hackers from Russia, China and Iran,” said Rep. Cedric Richmond (D-Louisiana), the subcommittee’s chairman.
Ahmad Sultan, Affiliated Researcher at the Center for Long-Term Cybersecurity (CLTC), suggested a holistic approach to state and local cybersecurity to help prevent these attacks, including widespread knowledge on best practices and maintaining system health.
“Promoting cyber-hygiene through trainings, public service initiatives, and public-private partnerships can lead to significant gains in the lives of underserved populations and protect businesses as well as government systems from cyber threats,” Sultan said. “But to achieve these gains, state and local governments will require support and guidance from the federal government.”
Lance Bottoms, meanwhile, shared a list of ways the federal government could protect state and local governments. Lance Bottoms said that, based on her experiences with ransomware, the federal government could help improve state and local cybersecurity by:
- Passing legislation to provide funding to aid state and local governments in preventing, preparing for, and responding to cyber threats and incidents.
- Empowering federal agencies to develop and share best practices with state and local governments.
- Expanding federal programs that share real-time threat information with state and local governments as this information is often critical in avoiding or mitigating threats.
- Having programs in place to provide cybersecurity disaster relief funding to help offset recovery and restoration costs borne by state and local governments.
Another idea, suggested by the Director of the McCrary Institute for Cyber and Critical Infrastructure Security, Frank Cilluffo, is a regional approach backed by the federal government. State and local governments could pool resources and expertise to offer each other mutual assistance in the face of attacks. It could also be used to spread awareness of best practices and other guidance on implementing cybersecurity efforts.
The witnesses and House representatives agreed that better cybersecurity systems, involving both the private sector and all levels of government, are necessary going forward.
“Before we have a catastrophic cyber event, we better get our act together and prioritize with more funding and more attention,” Katko said.
Photo Credit: Unsplash