By Stephen Smoot
As County government and those who work in and use its services continue to deal with the aftereffects of a cyberattack, individuals and media outlets are calling for details on the attack in the name of transparency.
Full transparency on the incident itself, however, may not serve as the best policy for County government or the citizens.
Gov Tech, a trade publication on governments and technology, quoted Brian Nussbaum, a University of Albany professor of emergency management, on the balance that city and county governments must strike in such situations.
Especially in the aftermath of an attack, local governments should be careful about what information they share. On one hand, like earthquakes, cyberattacks can come in multiples. Attacks in some areas could be probing defenses while others wait to find vulnerabilities on the true intended target. Nussbaum stated that local governments likely should withhold information while “sorting out second order effects” in assessing damage and understanding the problem.
Releasing details of what was attacked, how, and by whom could interfere with both criminal investigations and the ongoing defense of the attacked systems. It is rarely clear which released information could prove useful to cyberattack malefactors.
Nussbaum added that sometimes, elected local governments will provide too much information in an effort to serve the public. He said, “Elected officials who are accountable to citizens often have impulses to do things that people in the business line don’t have the same incentives to want to do, because they are not directly talking to the citizens in the same way. I don’t think this is a problem that’s unique to local government cybersecurity, but rather a problem for government writ large.”
Last August, Middletown, Ohio, with a population of over 50,000, fell victim to a cyberattack. Outside of emergency dispatch and court proceedings, much of city government went dark. Even internal communications proved challenging.
Smaller American cities and counties are generally more vulnerable. This can stem from outdated systems, insufficient attention to cybersecurity best practices, and the general (false) idea that smaller cities with less money would fly under the radar of foreign criminals and others. All too often, however, criminals see these areas as “low hanging fruit” compared to major cities with millions to invest in protecting their systems.
Middletown never released the nature of the attack, nor whether or not it paid for recovery. Experts believe, however, that it fell victim to a ransomware attack. Ransomware is one of the most common attack vectors against local government. According to the National Telecommunications and Information Administration, “Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.”
Ransomware often “sneaks” into systems through malware attachments to emails that appear either innocuous or urgent. In too many instances, these attachments get opened, leaving the door open for malicious software to infect the system, then spread as far as possible within it to hijack as many key functions or records as possible.
“Ransomware incidents,” an FBI alert adds, “can severely impact business processes and leave organizations without the data they need to operate and deliver mission-critical services.” Once they breach the system’s defenses, “Malicious actors engage in lateral movement to target critical data and propagate ransomware across entire networks. These actors also increasingly use tactics, such as deleting system backups, that make restoration and recovery more difficult or infeasible for impacted organizations.”
While NTIA warns that paying the ransom serves as no guarantee of a restoration of service, the Federal Bureau of Investigation has confirmed that multiple foreign actors run “ransomware as a service” illicit businesses. Organizations that operate in this fashion have taken over 911 emergency dispatch, records from cardiology units of hospitals, and key government-to-citizen functions that place people at the least in great inconvenience and at the most in great danger.
This creates motivation to pay and also motivation on the part of the criminals to restore service promptly to ensure that future victims will pay, rather than fight. That said, other cyberattackers are more interested in sabotage than profit, and victims can rarely tell the difference between the two types.
By 2021, according to an FBI alert, “local US government agency victims were primarily among smaller counties and municipalities, which was likely indicative of their cybersecurity resource and budget limitations.”
The same alert gave examples of county government responses without naming the localities afflicted. For example, “in January 2022, a US county took computer systems offline, closed public offices, and ran emergency response operations using ‘backup contingencies’ after a ransomware attack impacted local government operations.”
One situation where the county refused to pay came after ransomware forced “the closure of the county courthouse and the theft of a substantial amount of county data (to include personal information on residents, employees, and vendors).” As a result, “the actors posted the data on the Dark web when the county refused to pay the ransom.”
Middletown has never released details of the attack or how it reacted, but it had two options open. The first is a costly restoration of the system, often from the ground up; Baltimore and Atlanta spent tens of millions to rebuild rather than pay. The second is paying the ransom: a hospital in Melbourne, Australia, several years ago simply paid to regain access to patient records.
In such cases, Nussbaum suggested that local governments stay as transparent as possible on issues that affect public access to government information and services. That said, details on the attack itself may inadvertently share vulnerabilities and spark more problems.
WBOY quoted Harrison County Administrator Laura Pysz-Laulis as saying last Monday that “Internet access has been successfully restored and all operations are now online.” The County has also put a new website in place in the meantime.
She also told WBOY of the attack that “actions are being taken deliberately to protect our systems and support a thorough investigation and remediation process.”
