Skip to main content
Top Button
Hackers at the Gates: Is Your Local Government Prepared for a Cyber-Attack? Hackers at the Gates: Is Your Local Government Prepared for a Cyber-Attack?

Hackers at the Gates: Is Your Local Government Prepared for a Cyber-Attack?

As the COVID-19 pandemic sweeps across the nation, local governments are scrambling to find the resources—in time, money, supplies, and people—to protect their employees’ and constituents’ health and safety. Unfortunately, the looming threat of a COVID-19 outbreak requires undivided attention from local governments, which means they could be susceptible to another type of disaster: a cyber-attack. Cybersecurity researchers have seen cyber-attacks on local governments rise as much as 667% during the outbreak, and both the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued warnings in April 2020 describing a spike in hackers exploiting the pandemic. In this alert, Ice Miller’s Data Security and Privacy team highlights recent cyber-attacks on local governments and provides guidance on how local governments can prepare for and respond to a cyber-attack.

Recent Cyber-Attacks Produce Varying Consequences

A 2019 cyber-attack on the City of New Orleans was so severe that Mayor LaToya Cantrell was forced to declare a state of emergency. The attackers deployed a ransomware attack that affected more than 3,000 city-owned computers and servers and left the city with more than $7 million in damage. According to city officials, the attack could have been much more severe and the costs to restore the city’s infrastructure could have been millions more had the city not detected the attacker’s suspicious activity early on in the attack. Officials believe a type of Russian ransomware was responsible for the attack. In March 2020, Durham City and the County of Durham were victimized by the same Russian ransomware, and although Durham escaped the attack without having to pay any ransom to restore its infrastructure, around 80 servers must now be rebuilt and over 1,000 computers will require re-imaging.

These two attacks demonstrate that the consequences of a cyber-attack on local governments can produce severe financial consequences and disrupt day-to-day operations, both of which are particularly troublesome in light of the COVID-19 pandemic. Whether money must be drawn from COVID-19 relief funds to pay ransom or to purchase new equipment, or employees and volunteers are unable to help answer questions and provide support for residents because equipment is unusable, cyber-attacks can disrupt COVID-19 relief efforts and impact local government operations for weeks and months at a time.

What are Ransomware and Business Email Compromise Attacks?

Local governments should beware of the following common cyber-attacks:

Ransomware

Ransomware is a form of malware that attackers deploy to encrypt system files and prevent users from accessing the files until the attackers have been paid a “ransom.” Once the ransom has been paid, attackers will (hopefully) restore access to the files. Attackers typically request ransom payments in the form of cryptocurrencies such as Bitcoin because cryptocurrencies are fast, reliable, and easily automated and verified.

There are steps local governments can take to limit exposure to ransomware. First, consider updating operating systems and patching known vulnerabilities. Second, we recommend installing antivirus software that may help detect malicious programs containing ransomware. Finally, we encourage frequent “out-of-band” data backups—backups outside your main network (e.g., Cloud-based backups)—to enable quick restoration of corrupted files.

Business Email Compromise

A business email compromise attack involves an attacker “spoofing” (impersonating) an email address to induce an employee into transferring money or data. These attacks often accompany a successful “phishing” attack, wherein an attacker uses social engineering to obtain the credentials of an employee and uses the credentials to make demands for the money or data. A recent alert from the FBI noted that business email compromise accounted for $2.1 billion in losses between 2014 and 2019.

One solution to the business email compromise threat is to enable multi-factor authentication (“MFA”), which requires a system user to verify his or her email address through an additional piece of information, such as a verification code sent to a cell phone or other device. Training employees on common social engineering techniques, such as checking for grammatical errors, unknown email addresses, and unusual requests, is also an effective way to prevent business email compromise. Finally, we recommend all wire transfers or transfers of sensitive data be confirmed by telephone or in-person to reduce the risk of fraudulent transfers through email.

3 Ways to Improve Your Cybersecurity Posture

As local governments evaluate their cybersecurity awareness and preparedness in light of the COVID-19 pandemic, below are three key areas to assess.
 
  1. Cyber Liability Insurance Coverage

    Cyber liability insurance coverage is essential to mitigate damage done to local government data and finances by a cyber-attack. After the 2018 Atlanta cyber-attack and the 2019 cyber-attack in Baltimore, many local governments hurried to purchase or update cyber-liability insurance. But even if a local government has purchased cyber-liability insurance, such policies do not cover all expenses and damages born from cyber-attacks. For example, the Indiana Court of Appeals recently held that losses from ransom payments were not covered under a company’s Computer Fraud provision of its insurance. We recommend that local officials reexamine their insurance policies—both cyber policies and traditional policies such as property insurance—to evaluate the scope of their coverage.
  2. Incident Response Planning and Testing

    Another area to assess is local government incident response planning and testing. Efficient incident response is critical to mitigating the effects of a cyber-attack and restoring data systems to full functionality. Although many local governments have incident response plans for other events such as natural disasters or economic crises, cyber preparedness is equally important. If your local government does have a cyber-specific incident response plan, conducting a table-top exercise to rehearse the plan is a helpful way to assess the plan’s effectiveness.
  3. Risk Assessment and Management

    Finally, performing an overall risk assessment can help local governments identify critical assets and prioritize risks associated with those assets. The National Institute of Standards and Technology (NIST) published a Guide for Conducting Risk Assessments for federal information systems that can be tailored to address risks specific to local governments. It includes guidance for conducting cost-benefit analyses, implementing security controls, and identifying vulnerabilities, among other helpful tools for risk management.

The health and well-being of local government employees and citizens remains paramount as a global pandemic has halted commerce, travel, and socialization. But as local governments focus their efforts on providing resources to affected communities, hackers are targeting underprepared government units. Cybersecurity remains an essential component of local government planning. For more information on how your local government can prepare for and respond to cyber-attacks, consult Ice Miller’s Data Security and Privacy team. Stephen Reynolds is a partner on our Data Security and Privacy team and currently serves on the International Association of Privacy Professionals (IAPP) Board of Directors. Nick Merker is the serves as the chair of the Data Security and Privacy team and has extensive experience helping local governments develop cybersecurity programs. Mason Clark is an associate in the Data Security and Privacy Group and has previously worked on cybersecurity issues with Indiana municipalities and other government agencies. Please visit our COVID-19 Resource Center for guidance on responding to the COVID-19 crisis.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
 
View Full Site View Mobile Optimized