Small towns fear cybersecurity money will get to them

The ransomware attack that hit Salem, New Hampshire just over a year ago forced the city to shut down its entire computer network, with chaotic consequences.

Authorities could not process car registrations and residents could not pay taxes or water and sewer bills online. The workers could not fully plan the next year’s budget. Police and fire department computers went offline.

The city did not pay the ransom and its cyber insurance company sent experts to restore the network, City Manager Chris Dillon said. Most systems were down for about a week after the October 2020 attack, but it took about a month to fully return to normal.

“It was a nightmare,” Dillon said in an interview with Stateline. “A lot of cities think their systems are OK. But it only takes one person to click on a link to delete the whole system.

Dillon and many other city and county government officials are excited about a new $1 billion federal cybersecurity grant program included in the $1.2 trillion infrastructure act. The money will be distributed to states over four years, starting at the end of this year. States will be required to allocate at least 80% to local governments, and 25% of the total allocated to each state must go to rural areas.

But many smaller towns and counties worry they’ll miss out on grant money because they “lack the knowledge and planning to put together a proposal,” said Brenda Wilson, executive director of the Lane Council of Governments. , an intergovernmental body. organization in Oregon.

“In rural communities, the IT person, who is probably also the director of public works or the town recorder, is supposed to know what software to buy or how much of a risk it is,” Wilson said. “They just don’t know. How can they come up with a plan to submit to the state? »

Ransomware has wreaked havoc on local governments over the past few years. It usually spreads when hackers email malicious links or attachments that people click on unintentionally. The malware then hijacks the computer system and encrypts the data, holding it hostage until victims either restore the system on their own or pay a ransom, usually in bitcoins, in exchange for a decryption key.

Last year, there were at least 77 successful attacks against local and state governments and another 88 against school districts, colleges and universities, according to Brett Callow, threat analyst for cybersecurity firm Emsisoft.

Earlier this month, officials in Bernalillo County, New Mexico’s most populous county, had to close most of their buildings to the public for several days, suspend some services and stop prison visits after ransomware attack took systems offline. A week later, the Albuquerque Public Schools District fell victim to a seemingly unrelated cyberattack, prompting authorities to cancel classes across the district for two days.

Although it is usually local governments that are affected, states are affected as well. In December, ransomware hit the information technology agency serving the Virginia state legislature.

Also in December, a cyberattack crippled computers at the Maryland Department of Health. A month later, state health workers were still having trouble obtaining important data and accessing shared drives.

States are, however, better prepared to deal with cybersecurity attacks. They have IT departments, information security officers, staff and resources. Local governments, especially smaller ones, often don’t and are much easier targets, cybersecurity experts say.

Cybersecurity may not be at the top of local governments’ priority list, but it should be, according to Alan Shark, executive director of CompTIA Public Technology Institute, a Washington, D.C.-based nonprofit organization that provides advisory services to local governments.

“Digital gear doesn’t show rust like bridges and physical things do,” Shark said. “That money can replace that infrastructure and update things rather than putting band-aids on old legacy equipment.”

Shark said local governments badly need the grant money from the new program, which will be administered by the Federal Emergency Management Agency. The Federal Agency for Cybersecurity and Infrastructure Security will provide its expertise and help assess grant applications.

States will have to submit plans detailing how the money would be spent, and they must be approved by the federal cybersecurity agency before a project can be funded. States will also have to pick up 10% to 40% of the cost over time, depending on the plan. Local governments will not have to submit plans to federal agencies, and it remains to be seen what kind of information they will have to submit to the state.

Federal agencies have not released details on how the grant money may be used. But many state and local officials and cybersecurity experts believe it will include things like training and education, conducting cyber assessments, replacing hardware and updating software.

The law specifies that governments cannot use the money to pay a ransom after a cyberattack.

Grant money should be used not only to prevent governments from being caught off guard by cyberattacks, Shark said, but also to ensure they have adequate backup systems that are not connected to the network. This way, if they are attacked, they can restore their systems more easily.

But Shark also worries that the grant process will prove too complicated for many small local governments.

“There are smaller jurisdictions that are like, ‘There’s no way I can do this.’ They don’t have the staff resources to fill out tons of paperwork. The requirements may be too onerous. Or they think they’ll never get it anyway,” Shark said. “Hopefully the states will come up with a way to reach those little jurisdictions that need it as much as anyone else.”

Wilson, of the Lane Council of Governments in Oregon, said many of his state’s more than 240 incorporated cities are tiny and rural. His group, whose members include Lane County and the City of Eugene, contracts with small governments that can’t afford their own staff and acts as a city attorney, finance department, or IT department. .

Wilson said she wants to see state agencies and statewide associations like hers guide small communities, help them get a share of the money and come up with their own cybersecurity strategies. .

But even Oregon’s largest cities, like Eugene, which has its own IT and cybersecurity staff, could use some of that funding, she added. In July, Eugene officials said they needed $3.4 million for cybersecurity software and system upgrades.

Dan Lohrmann, head of information security at Presidio, a global digital services and cybersecurity company, said it’s not just local governments that need help. In many state governments, for example, not all systems have multi-factor authentication, a security technology that confirms identity before someone logs in, usually via a password or number. random one-time use sent to a smartphone or email address, he noted.

“States could use the grant money to raise the bar across the board and ensure they are able to meet the new set of threats in 2022,” said Lohrmann, a former head of the Michigan Information Security.

But the main focus of states, he added, will be to help local communities.

“Each state is going to have to figure out how they move football onto the field to improve the cybersecurity of cities, counties and townships,” Lohrmann said.

City Manager Dillon hopes Salem is one of them. Although it updated its email scanning software after the ransomware attack and made other improvements, executives want to do more, he said.

“We will apply for everything we can. We hope to use it to perform a comprehensive cybersecurity audit of our system so that we can identify areas where we may need improvement,” he said. “I am excited about this grant program. I think it’s a great opportunity for cities like ours.