How municipalities are dealing with being low-hanging targets for hackers

On cybersecurity veteran Niel Harper’s first day as virtual CISO at a municipal agency, he was thrown immediately into the reality in which cities and town administrations find themselves today — under threat and scrambling to find the resources to fight back.

The new organization, which he asked not to be named for security reasons, came under a massive ransomware attack that encrypted the entire production environment in a matter of hours. The attackers compromised the network via a weak administrative password, encrypted all servers and storage systems, and reset the backup servers to factory settings. “The client had no response plan in place, so I had to build one on the fly,” he says. “I used that experience to create a detailed incident response plan with roles and responsibilities, and then followed up with annual desktop attack simulations.”

Harper, who’s provided virtual CISO services to business, municipal, and global organizations, has a unique view of the threats facing city and municipal agencies around the world. He previously served as CISO for the United Nations Office for Project Services (UNOPS) and as a director of capacity building at the Internet Society, focusing on cyber resilience, internet governance, privacy, and data protection — all of which touched local governments in developing countries.

Local governments around the world face similar security challenges

Based on his perspective, local government agencies around the world share common problems that resulted in the ransomware breach at that municipal agency he’d just started working for. The poor hygiene that led to the easily exploitable administrative account, the lack of visibility into indicators of attack, the missing response plan — all are due to lack of budget and skills.

“Local governments are spending only a small percent of their overall technology budget on cybersecurity. They already have smaller technology budgets than the private sector to begin with,” says Harper, who’s also a board member at ISACA and One In Tech. “Because of this, they don’t have comprehensive controls or the human resources for the implementation of a robust cybersecurity program.”

Local government networks have long been considered low-hanging cyber targets because of these issues. But the good news is that these agencies have new resources available to them from federal agencies like CISA (Cybersecurity and Infrastructure Security Agency), US DHS (Department of Homeland Security), and statewide intelligence sharing and analysis centers. This is due to the White House and other national governments making national cyber security a top priority for agencies and critical infrastructure, and through these programs, state and local agencies can take advantage of training, discounted or free products, intelligence sharing, and scanning services.

The threat landscape is changing for cities

As with all industries, threats change often, and groups like CISA and the FBI are now stepping in to alert government agencies of all sizes to ongoing and new threats, such as the recent MOVEit vulnerabilities being actively exploited by Russian hacking groups. Alexander Heid, chief research officer at SecurityScorecard, says his company, under the auspices of CISA, has been used by federal and local agencies to scan their IP addresses for related exposures. This is part of a suite of solutions shared with the CISA for use in government agencies for these types of cases, he adds.

The top threat Heid has uncovered in their scans against government agencies of all sizes continues to be ransomware, which amounted to nearly 90,000 IP addresses in US government agencies that were fully victimized. “There are 50 states just in the US, and within those states there are many more municipalities and townships. They were early internet adopters, so they’re going to have the oldest vulnerabilities and the largest attack surface. Unfortunately, they also have lower budgets, so they need to take advantage of federal and state resources,” he adds.

Brad LaPorte, advisor for Lionfish Technical Advisors and a former Gartner Analyst who specialized in ransomware, agrees, adding that ransomware still runs rampant in local government agencies because their small budgets, legacy systems, and lower cybersecurity maturity level makes them softer targets than other organizations.

Why work for a city or municipality?

Because of these low budgets, city and municipal agencies have more trouble competing in the hot cybersecurity job market, so it takes a special type of person to want to work for these agencies. Like Harper, who’s won several awards for his global work on digital trust and Internet policy for developing regions, Andrew Alipanah, chief ‘innovation’ security officer for the city of Riverside, California, says he is drawn to the public sector out of a sense of service.

“Yes, the private sector pays more. But, for me, it’s a personal thing: I’ve been working in city agencies for a long time and find satisfaction in being a public servant,” he explains. “That said, there are cities and then there are cities. Riverside is a beautiful city, and one of the more competitive cities where pay and benefits are better than many other municipalities.”

Alipanah took advantage of the fast-track career path leading to management, starting out as IT specialist for the City of Brea, where he wore many hats. He then moved into the role of senior information technologist at the Orange County Probation Department, then SEC Ops manager at the County of Orange, and, most recently to his current role. Sometimes, he refers to this career trajectory as a recruiting point, explaining: “It’s a matter of what you want to get out of cybersecurity as a career, whether it be hands-on or leadership.”

Municipalities must engage in creative recruiting

Even with better resources, Alipanah must be creative in recruiting and retaining security talent, particularly now that government benefits and favorable pension formulas that used to attract workers are no longer as competitive as they used to be. Another disincentive is the time it takes to complete background checks and make an offer, which often sees the candidate move on to pursue other offers.

One of the ways the City of Riverside attracts future staff is through internships that expose college students to cybersecurity operations with the hope that some of them will apply there when they graduate. (Unfortunately, government agencies cannot offer jobs to their interns because policy dictates that they open requisitions and allow other candidates time to apply before making any new hires).

Work-from-home flexibility is another attraction, Alipanah adds. “Because of the great performance we saw from people working at home during the pandemic, the city adopted a permanent hybrid telecommute policy where different departments, based on their needs, allow employees to choose what days they come in and what days they work from home. I only have to come in two days a week,” he says. “This definitely attracts more talent because people have gotten used to these types of schedules and don’t want to give them up.”

How municipalities are resourcing tools and services

When working for Orange County, Alipanah had to quickly pivot to support home workers during the pandemic, and that meant upgrading the county’s legacy VPN system and endpoint protections to support zero-trust network access. For these upgrades, cities and local governments received aid from federal programs including the American Rescue Plan, which the City of Riverside also utilized to upgrade its firewall at the time to support the large volume of home workers.

He also recommends the CISA grant program for free and discounted tools and services. “One of the CISA resources we use is free to any municipality: It will scan all your external IP addresses to reveal if you have exposed assets connected to the Internet.” This came in useful in his previous job where they found a vulnerable server setup by mistake and exposed to the internet, which they were able to quickly take offline before the vulnerability was exploited.

For threat intelligence sharing, Alipanah encourages state and local agencies to take advantage of state-owned fusion centers that were established by the Department of Homeland Security after 9-11. While at Orange County, he was active in the Orange County Intelligence Assessment Center, and now at Riverside, he’s active in the Joint Regional Intelligence Center where five major southern California counties share intelligence.

Fusion centers can be focal points for city cybersecurity

The typical fusion center will have resources from the FBI, DHS, CISA, and analysts representing the many networks within networks that the city is responsible for, including police departments, the power grid, water/sewage and other critical municipal infrastructure. This intelligence helps underfunded cities and municipalities see and prepare for threats targeting their agencies. And, he adds, “In the case of a cyber incident, the fusion center can also be a focal point for the federal agency to investigate the incident and help you get back on your feet.”

As for where to start with improving security, Harper suggests that local agencies focus first on the basics of information security: asset management, patch management, vulnerability management, secure configurations, security architecture, and security awareness, adding, “All it takes is greater effort on layered defenses, and attackers will move onto other lower-hanging fruit.”