Investment Strategy

Is Your City the Next Palermo?

The Sicilian capital of Palermo came to a standstill in early June, when hackers shut down the municipal computer network in a ransomware attack. Aside from reporting the incident, local officials have offered scant details. They now suggest that it may be three months before online tax and traffic functions return to normal.

This Italian case is indicative of escalating challenges faced by municipalities worldwide. Cities and towns cannot afford the same level of infrastructure and expertise as the private sector, making them easy targets for cyber criminals. We may not sense the urgency; many incidents fade into the news backdrop. Saving Ellsworth, Kansas from a ransomware attack may lack the techno-swagger that results from restarting key American infrastructure like the Colonial Pipeline.

The sensitive data of thousands has been handed over to criminals, who will use it to cheat, to buy, to take out loans on the shoulders of others.

Giornale di Sicilia

Local-government cybersecurity is a high-stakes matter. The US typically ranks as the nation most attacked by ransomware. Europe has seen a surge this year because of the Russian war in Ukraine. The problem, however, is a global scourge. Consider these examples:

Australia. In December, a government-owned utility in Queensland was able to thwart an attack just before malicious actors took down two major thermal coal plants. Australia has been a growing focus among criminal groups because of a widespread “It can’t happen here” attitude.

Japan. At the end of 2021, a hospital in Tokushima Prefecture was paralyzed for at least two months without the ability to access some 85,000 patient records. Japan is now in hackers’ crosshairs because artificial intelligence has made the Japanese language accessible to bad actors.

How big is the problem? Barracuda Networks, a leading cybersecurity firm, determined in recent studies that about 45% of all ransomware attacks in 2019 and 2020 were aimed at municipalities. Payments to hackers can reach into the hundreds of thousands of dollars, if not more. In a 2021 report, IBM calculates that the average recovery cost of a ransomware breach—including detection, notification, and response—is $4.6 million.

The inability to expand limited cybersecurity budgets is the biggest hindrance to controlling the problem. Just as inflation is chewing through corporate profit margins, municipalities have the same issue with the cost of services delivered. Pushing through tax or user fee increases can be politically challenging because of a turbulent macroeconomic outlook. In many jurisdictions, recovering from the pandemic dominates the fiscal planning process.

At least in the US, the answer may lie in federally-sourced funds. Washington has allocated $1 billion to municipalities for cybersecurity programs. The distribution of those monies, though, is still on hold. The Cybersecurity and Infrastructure Security Agency is relying on a state-level planning process, which in some cases does not yet exist. We admittedly are cynical about this effort. The program looks oddly like a variant of pandemic-era stimulus in its lack of clarity and direction.

Without deep financial resources, local officials will be measured, if not creative, in their approach to cybersecurity. Some experts have suggested that pooling of technology resources among local governments would be worthwhile. In practice, we question whether such fiefdoms would be truly interested in sharing capabilities. More realistically, heightened personnel training and more frequent cybersecurity audits may prove surprisingly effective at a manageable cost, given the low base at which many local governments would be starting these efforts.

Cyberattacks on cities, towns, and the infrastructure they control will be common over the years ahead. We see at least two issues that underscore the trend:

Nation-to-Nation Acrimony. The Russian war in Ukraine delineated an era in which governments will redouble their efforts on local cyberattacks. Moscow is not alone: Beijing, Tehran, and Pyongyang are also relentless on this front. We are seeing a new vector in international affairs; the UK attorney general announced in May that defensive cyberattacks against foreign threat actors are legal.

Emerging Markets. Much of what we know about municipal cyberattacks comes from the developed world. Across emerging markets, the scope of the problem is anyone’s best guess. Certainly it is much larger than most realize, given the role of legacy computer systems and out-of-date software. The April 2022 hack of municipal computer systems in Quito, Ecuador is a timely example, among many.

In theory, tighter compliance standards imposed by federal- or national-level authorities may help mitigate the problem. That approach, however, requires expansive local-government budgets. Returning to Italy, local officials in Palermo appear to have punted on some European Union requirements for lack of funding, potentially triggering public-sector penalties.

Municipal cybersecurity is one of those issues that politicians would prefer to ignore. Discussing firewalls and endpoints offers little emotional pull, until an annual budget implodes because of the outsized cost of a hack or, worse yet, there is a catastrophic breach of public safety.

Our Vantage Point: Strengthening cybersecurity standards at the municipal level is a truly global challenge. One problem is that governments often view attacks as one-off events, not part of a growing, pervasive, and uncomfortably-resilient trend.

© 2022 Cranganore Inc. All rights reserved.

Image shows Palermo skyline. Credit: Davide D. Phstock at Adobe Stock.
