Small cities worry cybersecurity money won't reach them

Even though small, under-resourced municipalities often fall victim to cyberattacks, many don't have the resources to put together a proposal for a share of the $1 billion in federal cybersecurity grants available through the new infrastructure law.

The ransomware attack that struck Salem, New Hampshire, a little over a year ago forced the town to shut down its entire computer network—with chaotic consequences.

Officials couldn’t process car registrations, and residents couldn’t pay taxes or water and sewer bills online. Workers couldn’t fully plan for the next year’s budget. Police and fire department computers dropped offline.

The town didn’t pay the ransom, and its cyber insurance company sent in experts to restore the network, Town Manager Chris Dillon said. Most systems were down for about a week after the October 2020 attack, but it took about a month to fully return to normal.

“It was a nightmare,” Dillon said in an interview with Stateline. “A lot of towns think their systems are OK. But it just takes one person clicking on one link to take down the whole system.”

Dillon and many other city and county government officials are excited about a new $1 billion federal cybersecurity grant program included in the $1.2 trillion infrastructure law. The money will be distributed to states over four years, beginning later this year. States will be required to divvy up at least 80% among local governments, and 25% of the total allocated to each state must go to rural areas.

But many smaller cities and counties worry they’ll miss out on the grant money because they “don’t have the knowledge and the planning to put a proposal together,” said Brenda Wilson, executive director of the Lane Council of Governments, an intergovernmental organization in Oregon.

“In rural communities, the IT person, who is probably also the public works director or the city recorder, is expected to know what software they need to buy or how at risk they are,” Wilson said. “They just don’t know. How can they put together a plan to submit to the state?”

Ransomware has wreaked havoc on local governments in the past several years. It typically spreads when hackers email malicious links or attachments that people unwittingly click on. Malware then hijacks the computer system and encrypts data, holding it hostage until victims either restore the system on their own or pay a ransom, usually in bitcoin, in exchange for a decryption key.

Last year, there were at least 77 successful attacks on local and state governments and another 88 on school districts, colleges and universities, according to Brett Callow, a threat analyst for cybersecurity company Emsisoft.

Earlier this month, officials in Bernalillo County, New Mexico’s most populous county, had to shut most of their buildings to the public for several days, suspend some services and stop visits at the jail after a ransomware attack took systems offline. A week later, the Albuquerque Public Schools district was victimized in an apparently unrelated cyberattack, prompting officials to cancel classes districtwide for two days.

While it’s typically local governments that get hit, states do as well. In December, ransomware hit the information technology agency that serves Virginia’s state legislature.

Also in December, a cyberattack crippled computers at the Maryland Department of Health. A month later, state health workers still were having problems getting important data and accessing shared drives.

States are better prepared to deal with cybersecurity attacks, though. They have IT departments, chief information security officers, staff and resources. Local governments, particularly smaller ones, often don’t, and are much easier targets, cybersecurity experts say.

Cybersecurity might not be high on the list of local governments’ priorities—but it should be, according to Alan Shark, executive director of the CompTIA Public Technology Institute, a Washington, D.C.-based nonprofit that provides consulting services to local governments.

“Digital equipment doesn’t show rust like bridges and physical stuff,” Shark said. “This money can replace that infrastructure and update stuff rather than put Band-Aids onto old legacy equipment.”

Shark said local governments badly need the grant money from the new program, which will be administered by the Federal Emergency Management Agency. The federal Cybersecurity and Infrastructure Security Agency will provide expertise and help assess grant applications.

States will need to submit plans detailing how the money would be spent, and they must be approved by the federal cybersecurity agency before any project can be funded. States also will have to match from 10% to 40% of the cost over time, depending on the plan. Local governments won’t have to submit plans to the federal agencies, and it remains to be seen what type of information they'd have to submit to the state.

Federal agencies haven’t released details about how the grant money can be used. But many state and local officials and cybersecurity experts think it will include things such as training and education, conducting cyber assessments, replacing hardware and updating software.

The law makes it clear that governments can’t use the money to pay ransom after a cyberattack.

The grant money should be used not only to prevent governments from being blindsided by cyberattacks, Shark said, but also to ensure that they have adequate backup systems that aren’t connected to the network. That way, if they’re attacked, they can restore their systems more easily.

But Shark also worries that the grant process might turn out to be too complicated for many smaller local governments.

“There are smaller jurisdictions figuring, ‘There’s no way I can do this.’ They don’t have the staff resources to fill out reams of paperwork. Requirements may be too onerous. Or they figure they’ll never get it anyway,” Shark said. “Hopefully, the states will find a way to reach those smaller jurisdictions that have a need as much as anybody else.”

Wilson, of the Lane Council of Governments in Oregon, said many of her state’s more than 240 incorporated cities are tiny and rural. Her group, whose members include Lane County and the city of Eugene, contracts with small governments that can’t afford their own staff and acts as their city attorney, finance department or IT department.

Wilson said she wants to see state agencies and statewide associations such as hers guide smaller communities, to help them get a share of the money and to come up with their own cybersecurity strategies.

But even larger Oregon cities, such as Eugene, which has its own IT and cybersecurity staff, could use some of that funding, she added. In July, Eugene officials said they needed $3.4 million for cybersecurity software and system upgrades.

Dan Lohrmann, a chief information security officer at Presidio, a global digital services and cybersecurity company, said it’s not just local governments that need help. In many state governments, for example, not all systems have multi-factor authentication, a security technology that confirms identity before someone logs in, usually through a randomized one-time password or number sent to a smartphone or email address, he noted.

“States could use the grant money to raise the bar across the board and make sure they are able to face the new round of threats in 2022,” said Lohrmann, a former chief information security officer for Michigan.

But the primary goal for states, he added, will be to help local communities.

“Each state is going to have to figure out how they move the football down the field to improve the cybersecurity of the cities, counties and townships,” Lohrmann said.

Town Manager Dillon hopes Salem is one of them. While it upgraded its email scanning software after the ransomware attack and made some other improvements, leaders want to do more, he said.

“We will be applying for whatever we can. We’re hoping we can use it to do a complete cybersecurity audit of our system so we can identify areas where we may need improvement,” he said. “I’m excited about this grant program. I think it’s a great opportunity for towns like ours.”

This article was first posted on Stateline, an initiative of The Pew Charitable Trusts.
