In August, the online group known as Anonymous hacked its way into 70 law enforcement computer systems, defacing websites and exposing sensitive information, such as email, tips on suspected crimes and profiles of gang members, according to the Associated Press. It was another example of a growing trend labeled “hacktivism,” involving activists who launch cyberprotests by targeting the computers of public- and private-sector organizations. The attack was aimed at law enforcement agencies that had been pursuing and arresting members of Anonymous.
But this time the attacks didn’t occur at large federal, state or local law enforcement departments. Instead the hacktivists went after small, mostly rural police and sheriff offices. The ease with which they broke into the websites and exposed information was a strong reminder that cyberattacks can happen in any state or locality. That’s bad news for small municipalities and counties that can’t afford a chief information officer, let alone an information security chief to oversee data protection on a round-the-clock basis. Nonetheless, those same small-town agencies are increasingly running critical services on computers that can be easily shut down by hackers, cybercriminals or just a disgruntled employee.
Compounding the problem is a certain lack of urgency among senior-level public officials in many local governments, large and small. While data isn’t available on how much towns, cities and counties are spending to protect information systems and prevent data breaches, a recent report by the National Association of State Chief Information Officers (NASCIO) found that 50 percent of states reported spending less than 3 percent of their IT budget on security. The private sector spends 5 percent or more. And state spending on cybersecurity is actually trending downward, according to NASCIO. Local governments are likely to show similar spending trends.
Smaller local governments are also less likely to appreciate the magnitude of a cyberattack and its ramifications, says Clifford Clarke, CIO of the Public Technology Institute (PTI). “Personal data tends to be undervalued. Some municipalities don’t think they have anything to protect, since the information is considered public.” The result: less emphasis on prevention and protection. For very small governments with just a couple of servers, all it takes is one employee to open an email attachment with a virus, and the town’s entire system will be affected. “Local governments are doing so many transactions online these days, so the risk of a single virus that hits, spreads and shuts down the entire system is real,” says Mark Ryckman, city manager for Corning, N.Y., a municipality of 11,000 that has no IT staff of its own. “We’re reliant on these systems, so it’s a big impact when they go down.”
Hacktivism is just one of a growing number of cyberthreats that governments and the information security industry are closely watching. In 2010, security firms discovered 20 million new strains of malware -- botnets, viruses, worms, Trojan horses and other types of malicious software programs that can disrupt a computer, steal data, deny a website’s operation or shut down an entire network -- according to PandaLabs Security.
The explosive growth in mobile devices such as smartphones and tablet PCs has increased the number of targets for cybercriminals. Other new targets arise as more people -- and governments -- use social media. Sites such as Twitter and Facebook are considered trustworthy services, which makes them an even more attractive target for criminals and troublemakers.
Cloud computing, in which data is stored and processed on third-party servers accessible over the Internet, has grown in popularity at all levels of government. But the Multi-State Information Sharing and Analysis Center (MS-ISAC), which assists state and local governments with cybersecurity needs, warns that cloud computing will attract new cybercriminals “who will identify new methods to infiltrate these environments and gain access to data.”
Watching these trends closely is Kristin Judge, former commissioner of Washtenaw County, Mich., and now the director of partner engagement at MS-ISAC. She knows that local governments, especially counties, have a vested interest in keeping things secure because of the high level of sensitive information they store and the number of systems they use that share data with state and federal government programs.
Cyberthreats are becoming more nuanced and sophisticated. One such tactic goes by the name of “spear phishing,” according to Judge. Rather than a random attack, these email spoofs typically arrive from a trusted source and often go after a company’s trade secrets or government information. “Today’s hackers aren’t kids. They are experienced computer hackers in China or Russia,” says Judge. “They can get into your system and they stay in.”
Yet another trend involves the ominous threat of cyberwar and its potential impact on the country’s energy grid and water supply, critical infrastructure systems that rely increasingly on information technology such as smart grids to manage these complex functions. Such e-terrorism was once considered a far-fetched fear. But recent events -- like last year’s Stuxnet virus, which infected Iran’s nuclear program -- have made these sci-fi problems a very real concern. For now, big cities, with their large-scale water treatment plants and close relationships with energy providers, have the most to worry about. But as a recent report by PTI points out, “as [energy and water] systems become increasingly interconnected and interdependent, however, the level of security for all communities is increasingly equalized.”
City Manager Ryckman doesn’t lose sleep over a possible Stuxnet virus entering his city’s computers. He knows that’s not the main threat. Rather, the problem lies with the possibility of an employee doing a little Web browsing on the side that leads to trouble. Or a worker who’s tempted to open an email attachment for an offer that sounds too good to be true. Once it happens, the PC or server starts to slow down as fake error messages begin popping up, imploring the user to purchase anti-virus software that itself is another virus or botnet that can take further control of the computer.
For Ryckman and other town and city managers without their own IT staff, the solution is to call in a third party, a specialist in cleaning up PCs, servers and networks. According to PTI’s Clarke, that’s the typical response. “The threat at the very local level is nominal for the most part and is dealt with in a reactive way, usually by calling in an IT auditor,” he says.
But there are a number of steps that any local government can take to prevent these types of mistakes from happening. It starts with training employees on such basics as not using government computers for personal use, not opening unrecognized email and not accessing government data via unsecured mobile devices. Clarke mentions the “thumb drive test” to find out if employees are paying attention. Security audit firms will plant USB thumb drives in an organization and then see how many are turned in. Not surprisingly, a high number of employees will keep them or insert the drives into the computers, not realizing they could have launched a malware attack if the drive had been infected.
Besides educating employees, local governments can prevent a great deal of computer harm by installing firewalls, backing up data, using a strong password policy, installing only approved software applications and controlling employee Internet access. But beyond the basics, what is a cash-strapped local government supposed to do to ensure its computers stay operational and protected? In the case of Corning, the city has partnered with surrounding Steuben County, which has a sizable IT staff, to be on hand to help. These types of government-to-government support services exist throughout the country, though the practice remains informal and tends to happen between small governments and their county counterparts.
Meanwhile, with the next generation of computing becoming smaller and more mobile, local governments will need to revise their checklist of security precautions to include the ability to perform “remote wipes” of lost or stolen smartphones or purse-sized tablet computers. The good news is that cybercriminals have not turned their full attention to breaching iPhones, Androids and the growing variety of tablet PCs. But the security window for these devices may not last long. The proliferation of mobile devices is changing the “threat landscape,” and not for the better, according to MS-ISAC’s Judge. “With more governments using mobile devices, it is making [the threat of data breaches] worse. You really have to know what to do to recover, because you will be hit.”
In 2010, an ominous new type of cyberattack appeared, when the Stuxnet virus made its way into Iran’s nuclear program and allegedly wreaked havoc on the country’s uranium enrichment initiative. Suddenly the threat of cyberattacks on energy systems became very real. But it wasn’t the first time a power grid breach had occurred.
In 2009, U.S. intelligence agencies found software left by cyberspies that had penetrated the U.S. electrical grid. More recently, a Texas power company found evidence that attempts to breach its grid had originated in China, according to a report by the Public Technology Institute (PTI).
While the U.S. has not yet suffered any damage or disruption of service to its electrical grid from cyberattacks, blackouts in 2005 and 2007 in Brazil were the result of successful attacks. A PTI report titled “Cyber Security Concerns for Local Government Energy Assurance Planning” points out that during the next decade, the nation’s electrical grid will incorporate “numerous technologies using sophisticated computer systems and the Internet ... to improve the connectivity of electric transmission and distribution systems.”
Smart grids will bring significant benefits, such as increased energy efficiency, but come with a risk: vulnerability to cyberattacks.
Local governments, once concerned with preparing for natural disasters, must now prepare for the consequences of cyberattacks on smart grids and other types of infrastructure, caution organizations like PTI, the U.S. Department of Energy and the North American Electric Reliability Corporation.
The PTI report urges local governments to work closely with energy utilities to identify cybersecurity risks and to minimize threats, especially to the electrical grid, since it is becoming increasingly interconnected. When an attack occurs, what would once have been an isolated incident “could lead to a cascading power outage with wide-ranging impacts.”