Small cities worry cybersecurity money won't reach them

The ransomware attack that struck Salem, New Hampshire, a little over a year ago forced the town to shut down its entire computer network—with chaotic consequences.

Officials couldn’t process car registrations, and residents couldn’t pay taxes or water and sewer bills online. Workers couldn’t fully plan for the next year’s budget. Police and fire department computers dropped offline.

The town didn’t pay the ransom, and its cyber insurance company sent in experts to restore the network, Town Manager Chris Dillon said. Most systems were down for about a week after the October 2020 attack, but it took about a month to fully return to normal.

“It was a nightmare,” Dillon said in an interview with Stateline. “A lot of towns think their systems are OK. But it just takes one person clicking on one link to take down the whole system.”

Dillon and many other city and county government officials are excited about a new $1 billion federal cybersecurity grant program included in the $1.2 trillion infrastructure law. The money will be distributed to states over four years, beginning later this year. States will be required to divvy up at least 80% among local governments, and 25% of the total allocated to each state must go to rural areas.

But many smaller cities and counties worry they’ll miss out on the grant money because they “don’t have the knowledge and the planning to put a proposal together,” said Brenda Wilson, executive director of the Lane Council of Governments, an intergovernmental organization in Oregon.

“In rural communities, the IT person, who is probably also the public works director or the city recorder, is expected to know what software they need to buy or how at risk they are,” Wilson said. “They just don’t know. How can they put together a plan to submit to the state?”

Ransomware has wreaked havoc on local governments in the past several years. It typically spreads when hackers email malicious links or attachments that people unwittingly click on. Malware then hijacks the computer system and encrypts data, holding it hostage until victims either restore the system on their own or pay a ransom, usually in bitcoin, in exchange for a decryption key.

Last year, there were at least 77 successful attacks on local and state governments and another 88 on school districts, colleges and universities, according to Brett Callow, a threat analyst for cybersecurity company Emsisoft.

Earlier this month, officials in Bernalillo County, New Mexico’s most populous county, had to shut most of their buildings to the public for several days, suspend some services and stop visits at the jail after a ransomware attack took systems offline. A week later, the Albuquerque Public Schools district was victimized in an apparently unrelated cyberattack, prompting officials to cancel classes districtwide for two days.

While it’s typically local governments that get hit, states do as well. In December, ransomware hit the information technology agency that serves Virginia’s state legislature.

Also in December, a cyberattack crippled computers at the Maryland Department of Health. A month later, state health workers still were having problems getting important data and accessing shared drives.

States are better prepared to deal with cybersecurity attacks, though. They have IT departments, chief information security officers, staff and resources. Local governments, particularly smaller ones, often don’t, and are much easier targets, cybersecurity experts say.

Cybersecurity might not be high on the list of local governments’ priorities—but it should be, according to Alan Shark, executive director of the CompTIA Public Technology Institute, a Washington, D.C.-based nonprofit that provides consulting services to local governments.

“Digital equipment doesn’t show rust like bridges and physical stuff,” Shark said. “This money can replace that infrastructure and update stuff rather than put Band-Aids onto old legacy equipment.”

Shark said local governments badly need the grant money from the new program, which will be administered by the Federal Emergency Management Agency. The federal Cybersecurity and Infrastructure Security Agency will provide expertise and help assess grant applications.

States will need to submit plans detailing how the money would be spent, and they must be approved by the federal cybersecurity agency before any project can be funded. States also will have to match from 10% to 40% of the cost over time, depending on the plan. Local governments won’t have to submit plans to the federal agencies, and it remains to be seen what type of information they'd have to submit to the state.

Federal agencies haven’t released details about how the grant money can be used. But many state and local officials and cybersecurity experts think it will include things such as training and education, conducting cyber assessments, replacing hardware and updating software.

The law makes it clear that governments can’t use the money to pay ransom after an cyberattack.

The grant money should be used not only to prevent governments from being blindsided by cyberattacks, Shark said, but also to ensure that they have adequate backup systems that aren’t connected to the network. That way, if they’re attacked, they can restore their systems more easily.

But Shark also worries that the grant process might turn out to be too complicated for many smaller local governments.

“There are smaller jurisdictions figuring, ‘There’s no way I can do this.’ They don’t have the staff resources to fill out reams of paperwork. Requirements may be too onerous. Or they figure they’ll never get it anyway,” Shark said. “Hopefully, the states will find a way to reach those smaller jurisdictions that have a need as much as anybody else.”

Wilson, of the Lane Council of Governments in Oregon, said many of her state’s more than 240 incorporated cities are tiny and rural. Her group, whose members include Lane County and the city of Eugene, contracts with small governments that can’t afford their own staff and acts as their city attorney, finance department or IT department.

Wilson said she wants to see state agencies and statewide associations such as hers guide smaller communities, to help them get a share of the money and to come up with their own cybersecurity strategies.

But even larger Oregon cities, such as Eugene, which has its own IT and cybersecurity staff, could use some of that funding, she added. In July, Eugene officials said they needed $3.4 million for cybersecurity software and system upgrades.

Dan Lohrmann, a chief information security officer at Presidio, a global digital services and cybersecurity company, said it’s not just local governments that need help. In many state governments, for example, not all systems have multi-factor authentication, a security technology that confirms identity before someone logs in, usually through a randomized one-time password or number sent to a smartphone or email address, he noted.

“States could use the grant money to raise the bar across the board and make sure they are able to face the new round of threats in 2022,” said Lohrmann, a former chief information security officer for Michigan.

But the primary goal for states, he added, will be to help local communities.

“Each state is going to have to figure out how they move the football down the field to improve the cybersecurity of the cities, counties and townships,” Lohrmann said.

Town Manager Dillon hopes Salem is one of them. While it upgraded its email scanning software after the ransomware attack and made some other improvements, leaders want to do more, he said.

“We will be applying for whatever we can. We’re hoping we can use it to do a complete cybersecurity audit of our system so we can identify areas where we may need improvement,” he said. “I’m excited about this grant program. I think it’s a great opportunity for towns like ours.”

This article was first posted on Stateline, an initiative of The Pew Charitable Trusts.