xml:space="preserve">
Officials confirmed Tuesday the city had fallen victim to hackers demanding payment to unlock encrypted files. (Ian Duncan/Baltimore Sun video)

Cyberattacks cost governmental organizations in the U.S. millions of dollars annually, and they can be downright embarrassing. The city of Baltimore, which recently experienced its second hack in as many years, certainly knows this. The current one is expected to cost the city $18 million, and it continues to disrupt city business activity. It took the city nearly 80 days after the attack to begin issuing water bills again.

Baltimore’s example is but one in a seemingly never-ending series of successful hacks of America’s local governments, and it won’t be the last. We know because we are members of a team of researchers at the University of Maryland, Baltimore County (UMBC) that conducted the first ever nationwide survey of local government cybersecurity.

Advertisement

One of the key findings of our research is that local governments are under constant cyberattack. A sizable fraction of them do not even know if they are under attack or whether they have been breached, and most are unprepared (often woefully) for the cybersecurity challenges they face. Our research found that one of the top barriers to effective local government cybersecurity is the lack of cybersecurity awareness and support from top elected and appointed local officials. If the very people in charge of local governments do not understand the need for cybersecurity and fully support it, it is more likely than not that they will experience serious cybersecurity problems. After experiencing a ransomware attack in 2018, the mayor of Atlanta admitted that cybersecurity had not been a priority. It soon became one!

Additional barriers that our research revealed include: lack of adequate funding for cybersecurity, insufficient staff, outdated technology that is not properly maintained and updated, lack of cybersecurity training for local governmental staff and officials, and lack of or poor enforcement of cybersecurity policies.

What should local governments do to improve their cybersecurity? First, top officials must make cybersecurity a priority. Cybersecurity must be properly organized and managed — something our research found is too often not the case. These officials must provide the funding needed for such things as cybersecurity personnel, technology, policy and training. High quality cybersecurity personnel are difficult for local governments to recruit and retain. This is especially true in the Washington-Baltimore region, where local governments compete not only with private industry but also with various federal agencies that are deeply involved in cybersecurity. But this is no excuse for not trying.

Ethics forms for Baltimore officials now back online after site freed from hack

The Baltimore City Board of Ethics’s electronic filing website was back up and running, more than three months after the May 7 ransomware attack, offering the curious a look at city officials' ethics forms once again.

Local officials must insist on creating and maintaining a culture of cybersecurity within their governments. Among other things, this means promoting cybersecurity awareness and training for all employees as well as holding employees, including the top officials themselves, accountable for their cybersecurity decisions and actions. To make cybersecurity an organizational value, everyone must understand its importance to the protection of citizen data and the provision of public services.

Local governments should consider purchasing cybersecurity insurance, which can help address existing cyber vulnerabilities and reduce recovery costs in the event of a breach. Slightly less than half of the local governments in our survey had purchased cyber insurance, but the trend seems to be on the increase. No wonder: Cybersecurity insurance pays off. In June, Lake City, Fla., experienced a ransomware attack that took down its computer systems, email, phones and more. The hackers demanded a $470,000 ransom to release the systems. Lake City officials agreed, but only had to pay $10,000 out of its budget, the cyber insurance deductible, while the insurance carrier negotiated and paid the rest.

It is essential that local governments make cybersecurity a real priority, but doing so will not be cheap or easy. Yet, as many local governments have learned the hard way, failure to do so can be far more damaging and expensive, the embarrassment factor aside. Local governments must act now and act continuously to protect their information assets at the highest levels of security. As they say in the industry, “it’s not whether you will be breached, but when.” Local governments that are fully committed to cybersecurity have a much better chance of preventing breaches and of recovering from them more easily and at less cost than those that are not.

Donald F. Norris (norris@umbc.edu) is professor emeritus of public policy at the University of Maryland, Baltimore County (UMBC) where he leads a research team on the subject of local government cybersecurity. Laura Mateczun is a Ph.D. student in public policy at UMBC and is writing her doctoral dissertation on this subject.

Advertisement
Advertisement
Advertisement