The number of ransomware attacks on cities and public institutions is skyrocketing. In 2018, targeted cyberattacks on government agencies jumped 39% compared to 2017, and the expected number of reported incidents is expected to increase again in 2019. While the known effects of these hacks can be described as expensive, disruptive and frustrating, their true potential may be much more dangerous — even deadly.
Ransomware attacks against government institutions are often carried out to achieve the same goal as attacks on corporations: to extort money. However, compared to the impact of an enterprise attack, the potential for a government ransomware attack could be exponentially greater.
Ransomware is a type of malware that encrypts a victim’s files and blocks access to servers, effectively shutting down entire OSes until a ransom is delivered. In the case of a private corporation, a successful ransomware attack can shut down a billing department or customer service wing, forcing the company to pay ransom to restore those services. In the case of a government hack, however, a properly targeted attack could shut down communications capabilities for emergency services, cripple power and water grids, and more.
In a recent ransomware attack carried out against the city of Baltimore, residents were unable to make property transactions or pay their municipal bills for weeks — frustrating, disruptive and expensive consequences that could total more than $18 million in recovery costs.
What if the city ransomware attacks carried out so far have just been warmups to far more damaging and dangerous incidents? How much would a city like New York be compelled to pay to restore police and firefighting services? What would the toll on the people of Los Angeles be if ransomware successfully crippled the Department of Water and Power during a summer heat wave?
The catastrophic capabilities of ransomware attacks on public institutions are astounding. If an attack on a major city is successfully carried out, it would likely qualify as a national emergency.
The vulnerabilities behind city ransomware attacks
To understand why cities, counties and public agencies are at an increased risk of ransomware, it is critical to understand the root causes of what makes them susceptible to attack.
The first issue is the erosion of the traditional network perimeter. At one point in our not-too-distant past, the majority of work was done within the confines of the office. As public institutions identified their cybersecurity weaknesses and needs, they installed hardware-based security systems that protected users from viruses and threats as they worked at their desks and on government property.
This sedentary workforce has evolved, and legacy cybersecurity systems are no longer equipped to address modern threats. Today’s workforces are increasingly mobile, with employees carrying out a number of tasks at home, on the road or in public locations. A recent study reported that more than two-thirds of employees work remotely at least once a week. Traditional hardware-based cybersecurity systems, which are only capable of protecting employees when they are on premises, leave employees who access government files and use work-provided devices at home and in public susceptible to attacks that can compromise central government servers. Employing mobile workforces without security that follows them wherever they go is akin to racing down a highway without a seatbelt.
The second issue is that ransomware attacks are executed through ever-evolving, well-disguised and subtle methods. Phishing attacks, which are often used to hide ransomware, were once poorly designed and carried out indiscriminately. Today, however, these attempts are incredibly targeted, harder to spot and frighteningly effective. Modern hackers identify vulnerable individuals and devices, research targets’ friends, family and colleagues, and use social media and other public channels to develop and carry out sophisticated attacks that boast a high probability of success.
Mitigating ransomware attacks on cities
In a perfect world, state and federal agencies would be tasked with ensuring government bodies maintain a measurable, baseline level of cybersecurity protection. Considering the fact that government institutions are responsible for both safeguarding a vast amount of citizen data and maintaining critical public works and services, this would only make sense. However, we don’t live in a perfect world. As it currently stands, public institutions are on their own when it comes to implementing and maintaining comprehensive security measures.
To ensure the safety and security of their citizens, it is critical for cities, counties and towns to begin migrating away from legacy cybersecurity protections. The most efficient way to prevent these expensive, dangerous and embarrassing hacks is to understand that traditional network perimeters have eroded. To ensure the safety of their systems, their employees and the people they serve, public agencies must implement cyberdefenses that protect employees, no matter where they are. Otherwise, they risk severe consequences, which, to be frank, are yet unknown.
As president and co-founder of Iboss, Peter Martini has played a major role in developing Iboss’ technology and has helped shepherd Iboss’s growth since its founding. He has been awarded dozens of patents focused on network and mobile security and, with his brother, has been recognized by the industry with several awards, including Ernst & Young’s Entrepreneur of the Year and one of Goldman Sachs’ 100 Most Intriguing Entrepreneurs. More recently, Iboss was ranked No. 3 for security companies in the Deloitte Fast 500.