Two major U.S. cities were crippled this week by ransomware, but even in the heart of Silicon Valley, government officials assigned to protect sensitive data feel vulnerable to what they see as a constant and evolving threat.
More than a fourth of U.S. local governments are subject to hourly cyberattacks, according to a recent national survey, and about 1 in 7 experience yearly electronic security breaches that result in confirmed unauthorized access to sensitive information and systems. Nearly a third said the hackers were seeking ransom.
"Every city sees on a routine basis ransomware attacks; it's just a matter of which ones get through," said Rob Lloyd, the chief information officer of San Jose, Calif. "We've had minor ones we've been able to resolve. You lose a little ground, but you recover. We really feel for our colleagues in Atlanta and Baltimore. No one's immune to these types of attacks. Everyone is running into the same type of threats."
In Oakland, hackers in 2014 shut down various city websites, including the police department, and two years earlier released personal information of city leaders, including home addresses. Spokeswoman Karen Boyd said there haven't been any recent ransomware attacks, but it is always a concern.
"Attacks like the one that occurred in Atlanta remind us that it is critical that we continue to build upon the security systems we have in place to keep our city safe," Boyd said.
On March 22, ransomware hit Atlanta with a "digital extortion" that the New York Times called "one of the most sustained and consequential cyberattacks ever mounted against a major American city." Dell SecureWorks, an Atlanta company helping the city deal with the attack, said it was the work of a hacking crew called "SamSam" that demanded $51,000 to free the city networks.
On Sunday, an attack on Baltimore shut down the city's automated emergency dispatching for about 17 hours, according to the Washington Post. On Wednesday, the city's chief information officer declared it the work of "ransomware perpetrators."
Ransomware is one of many types of security threats governments must guard against. Hackers commandeer computer systems and threaten to destroy data or paralyze networks unless they are paid.
"It's really alarming frankly what's happening in Atlanta, but many people in the national security space have been worried about this for a long time," said Kenneth Geers, senior research scientist at cybersecurity firm Comodo.
While businesses also are subject to such cyberattacks, experts say local governments are an appealing target for several reasons. They have lots of valuable personal data such as birth certificates and operate vital public systems such as emergency dispatch and wastewater treatment. They provide lots of information on the internet and have large staffs they must train to protect their networks. And they have limited budgets for upgrading their networks and security systems.
In 2016, the International City/County Management Association, a professional organization for local-government administrators, surveyed 3,423 local governments serving populations of 25,000 or more on cybersecurity.
The association found that 26 percent reported experiencing cyberattacks, attempts to gain unauthorized access, at least once an hour, and 32 percent said the motivation was ransom. 16.3 percent reported security incidents at least once a year in which their network security was compromised. And 14 percent reported security breaches at least once a year in which unauthorized access was confirmed.
But "the most troubling results," the survey study authors said, were "the high percentage of respondents that did not know how often they are attacked (27.6 percent) and experience incidents (29.7 percent) and breaches (41.0 percent)."
"These data strongly suggest that, on average, local governments in the United States are not doing the kind of job necessary to achieve high levels of cybersecurity," the study concluded.
Cory Fleming, a senior technical specialist with the International City/County Management Association, said "it is something I don't think a lot of local government managers have stopped to think about."
"Our technology has been growing so fast, but so have the technologies to thwart that technology," Fleming said.
The cost of data breaches can be staggering. A 2016 BetaNews article put the total average cost of a data breach at $6.53 million, including $3.72 million in lost business. Fleming said it's become so costly that some municipalities buy insurance to cover the costs of cyberattacks.
Fleming said that for many ransomware victims, "it's cheaper for them to pay the ransom so they can continue to operate than to not pay them."
����
(David DeBolt contributed to this report.)
