A Battle Is Brewing Between Hackers and Local Governments
WHY YOU SHOULD CARE
Because if you pay your water bill online, your data is at risk.
By Daniel Malloy
Millions of times each day, the city of Austin, Texas, is attacked. It’s not as bad as it sounds. The attempted cyberintrusions are the the digital equivalent of “somebody coming by, jiggling the door handle and moving on,” says Kevin Williams, Austin’s chief information security officer. But Williams well knows that even though the city has plugged considerable resources into improving its cyber defenses, the reason it has not yet been the victim of a massive data heist has a lot to do with luck. “It’s an arms race, and asymmetrical warfare,” Williams says. “They have all the advantages, and we don’t.”
“They” are faceless hackers, from terrorists who could disrupt the power grid to, more commonly, thieves. Hackers demanding ransom paid in bitcoin recently took down web systems in Mecklenburg County, North Carolina; swiped personal data from students in Columbia Falls, Montana; erased computer data for the Sacramento Regional Transit system; and paralyzed Los Angeles Valley College.
Experts that study public administration and local government worry about small to medium-size cities and counties that hold a lot of data, but may not have the in-house resources to keep that data secure.
William Hatcher, Augusta University
Some targets pay up, others do not. All are at risk. But local governments may be particularly vulnerable, which is why some, like Austin, are stepping up. The federal government too is offering some basic guidelines and training resources. The FBI estimates that billions of dollars are spent each year to repair systems struck by cyberattacks.
“Experts that study public administration and local government worry about small to medium-size cities and counties that hold a lot of data, but may not have the in-house resources to keep that data secure,” says William Hatcher, director of the master’s program in public administration at Augusta University. Many of America’s roughly 89,000 governmental units rely on outside vendors rather than hiring their own in-house staff, or simply don’t make it a priority.
Cybersecurity has only recently become an issue for smaller governments. For a while many weren’t online, or had rudimentary websites. While online bill payment and other interactive features allow governments to improve their public services, they also lead to increased collection of data that are attractive to thieves — and public interfaces can give hackers a way to penetrate the system. Hatcher is conducting a study of small-government cybersecurity plans, and though it’s unfinished, he says many of these places fall short. “Especially over the last 10 years, local governments have cut their employees so much, they’re just trying to do the basic governing that needs to be done today,” Hatcher says. “So it’s hard to do these more long-term services like providing cybersecurity protection.”
Politics could change those calculations. If voters demand elected leaders secure their data and fix their potholes, it is more likely to get done. High-profile cases inside and outside of government — such as the data breach at Equifax — help draw attention to the issue.
The federal government offers a list of scenarios of what to do when a hacker takes down your systems. The feds advise their local counterparts against paying the hackers. “Paying a ransom doesn’t guarantee an organization that it will get its data back — there have been cases where organizations never got a decryption key after having paid the ransom,” the Federal Bureau of Investigation states in an online guide to cybercrime. “Paying a ransom not only emboldens current cybercriminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
The typical way in is by enticing a person with access to the system to click on a malicious link or attachment, but attacks can come from a variety of directions. Local 911 systems, for example, are vulnerable to denial of service attacks if hackers can infect a bunch of cellphones and get them to call 911 repeatedly to overload the system. A teenage hacker in Arizona was arrested in 2016 for doing so as a prank.
Williams started in Austin two years ago with a charge to standardize cybersecurity across all the various departments running the 900,000-person city. It’s a job, he says, that lies at the intersection of the technology, business development, human resources, legal and law enforcement departments. He can erect defenses and deploy technology — for example, a program to block emails from being sent if they include a bunch of Social Security numbers.
But most of the job is educating people on tech common sense and wrestling with whether to ban personal devices or to limit city partners’ and consultants’ access to the internal network. “We always joke that we got into computers because we weren’t good with people, but now we spend all day dealing with people,” Williams says. Despite the popular image of the sinister hoodie-clad hacker, Williams says cybersecurity professionals’ greatest foe is internal ignorance and apathy. There’s a lot of bitcoin riding on it.