If you’re not already worried about your local government becoming the target of a cyberattack, you should be. All government agencies, including public schools and libraries, are targets of bad actors attempting to extort the public sector for ransom, obtain sensitive information or just to be a nuisance.
Ransomware, malicious software that blocks access to information or threats to leak files unless money is paid to the hacker, specifically is growing in popularity among ill-intentioned hackers. Consider, for example, the coordinated attack against 22 cities and small-town government agencies in Texas last week. Or the attacks against two Florida cities and Baltimore, Maryland earlier this year.
In July, a cohort of public sector groups and associations teamed up to release a press release warning state and local governments that prevention is the most effective defense mechanism against these attacks. The organizations — the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS), Multi-State Information Sharing and Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) — emphasized the importance of a cohesive cybersecurity education and developing incident response plans in preparation for an attack.
But how can state and local governments protect themselves with limited resources?
First, make cybersecurity a priority. State and locality functions rely on keeping bad actors from interfering or disrupting services. Prioritizing cybersecurity means not leaving cybersecurity as an afterthought to other IT initiatives. Instead, cybersecurity becomes a part of everything an agency does, from budgeting to hiring to acquisition.
From there, agencies can take advantage of federal resources available for localities to help them find the talent, money and best practices necessary to decrease their odds of falling victim.
To help readers understand what resources are available at state and local governments’ disposal, GovLoop did some digging through federal websites to find grants, employee training opportunities and best practices.
Securing the Funds & Talent
Finding the money to respond to cyberattacks does not mean giving into hackers. Paying the ransom after a ransomware attack, for example, does not guarantee that files will be restored, as files are often already compromised. It also proves to hackers that ransomware is an effective way to make money, according to the No More Ransom project.
Instead, governments entities like DHS have recommended investing in cybersecurity insurance. Like car or homeowner’s insurance, cybersecurity insurance is bought before an attack to mitigate loss if an incident occurs. Cybersecurity insurance can help governments recover from data breaches, service interruption or network damage caused by malicious actors.
In the recent coordinated attacks on Texas towns and cities, cybersecurity insurance was used to pay the ransom so that agencies could resume functions. According to one mayor, the attackers requested $2.5 million to relinquish control of the systems, but insurance covered the cost. Taxpayers were only responsible for the $10,000 deductible.
That said, some remain skeptical about the benefits of cybersecurity insurance. The bad actor still gets paid and, therefore, ultimately walks away from the attack unscathed. The insurance companies don’t stop the cybercriminals. Instead, they only get the agency back to work more quickly.
For state and local governments looking to get more involved in the cybersecurity space, there are also some federal grants available to assist with security measures. While most of the grants center around research opportunities, there are funds and other opportunities available to help states and localities improve cybersecurity.
For example, emergency grants through the Federal Emergency Management Agency (FEMA) can be allocated toward cybersecurity preparedness. The Homeland Security Department (DHS) released a full manual detailing the opportunities; programs available include cybersecurity assessments, resources and protection.
For governments worried about the security of ballot boxes, whether they’re concerned with ransomware or hacking more generally, the U.S. Election Assistance Commission (EAC) provides funds to help states meet election security standards. The Help America Vote Act’s Election Security Funds can be used to enhance cybersecurity services or fund employee attendance at cybersecurity trainings.
On Capitol Hill, lawmakers are proposing other direct grants. The State Cyber Resiliency Act, for example, was introduced in April and aims to provide states with grants to fund the development and implementation of plans for addressing cyberthreats and vulnerabilities. Unfortunately, no further action has been taken on the bill since the original introduction.
For agencies having trouble finding cybersecurity talent, the National Science Foundation-funded CyberCorps program provides scholarships to recruit and train IT professionals for the public sector. Agencies have the opportunity to hire from this cohort through closed hiring events and by reaching out to program officials.
Improving Infrastructure & Organization
Preventative measures are the most effective way for agencies to defend against cyberthreats. This begins with documenting best practices and a cyber incident response plan that can be shared and implemented across the agency. These documents outline what cybersecurity looks like in your locality and what to do if you find yourself a target of an attack. Employees should know when and how to report a cyber incident, for example.
Governments should back up and store critical information offline as frequently as possible, as the CISA, MS-ISAC, NGA and NASCIO press release recommended. If an agency is hit with a file-encrypting ransomware attack, up-to-date files will still be available to make for an easier recovery.
Other best practices include investing in antivirus software, updating outdated IT and implementing zero trust policies that assume that all traffic, regardless of location, is threatening until it has been authorized, inspected and secured for verification. In combination, these efforts will start to build a cybersecurity-centric workplace culture that helps employees remain attentive to possible threats.
While adhering to these best practices, diligently researching important updates and new protocols helps agencies stay up to date. Sign up for DHS alerts flagging current security issues and vulnerabilities. If workplace computers or other devices release updates, make sure that employees install the updates in a timely fashion. Check the news regularly for data breaches or other hacks of software that your agency relies on so that your team can mitigate the impact. These strategies help localities find new security patches and other important security information to amend vulnerabilities.
Some agencies, for example, are still relying on Windows 7, a program that will no longer support security patches and updates from Microsoft in 2020. For agencies that are slow to migrate off this platform, it could cost them valuable data, time and money.
Agencies should also train all staff, not just the IT department, on basic cybersecurity guidelines. Employees should understand how to circumvent phishing attempts, the importance of maintaining best practices such as creating strong passwords and what actions to take if the systems are compromised.
Preventative and proactive measures are the best ways to protect governments at all levels from cyberattacks and data breaches. But if you find yourself or your agency the victim of an attack, be sure to take immediate action to mitigate the damage by consulting cybersecurity experts and reporting the incident to the DHS and the FBI.