In August 2022, Mykel Kroll, the director of emergency management for Southern Colorado’s Fremont County, was awakened at 2 a.m. for an emergency like none he’d ever faced before: a cyberattack.
The devastating ransomware successfully shut down the entire county: the Department of Human Services, the Department of Public Health, the Fremont County Administration Building, and the offices of the county assessor, treasurer, coroner, veterans services and planning and zoning — all shuttered.
The hackers may have also walked away with the personal information of county employees and members of the public. Some data, like jail inmate records, was simply “deemed unrecoverable.”
“I’ve been in the fire service for 15 years,” Kroll later told KKTV. “I would much rather have another natural or man-made disaster than a cyberattack.”
Fremont, of course, is not alone. A few weeks later, Wheat Ridge was hit with the same attack, BlackCat Ransomware, and the same $5 million ransom (neither government paid). Around the same time, Boulder County sent $238,000 to a hacker posing as a vendor. (The county was able to recover $237,000.) And a few years prior, the City of Lafayette had to shut down its computer network after ransomware took its files hostage. In this case, Lafayette coughed up the $45,000 ransom to unlock its data.
Nationally, Oakland declared a state of emergency just last month after a debilitating hack. And Atlanta reportedly spent upwards of $10 million to recover from a ransomware attack in 2018.
Put bluntly, local governments have become popular targets for hackers.
A recent Popular Science article lamented the challenge facing our municipalities: “The reality is that a single weak link, phishing attack, or vulnerable computer can offer hackers a way in — and keeping ahead of them is a nearly impossible task.”
But while such a daunting outlay may be discouraging, it is more imperative than ever that our local governments invest in cybersecurity — both to protect our tax dollars and to keep our localities functioning.
First and foremost, our cities and counties must provide the funding to support the technology and people (IT staff) necessary to keep our systems safe. But on top of that, we as a community must change how we think about cybersecurity.
As it stands, local governments are targets because they simply can’t compete. They tend to have limited resources, older computer systems (which potentially haven’t been updated due to a lack of resources) and the burden of functioning as a bureaucracy. The cybersecurity landscape, on the other hand, is constantly changing. For every new vulnerability a hacker finds, a security update must be found. In every security update, hackers will search for new vulnerabilities.
It can be hard to comprehend the consequences of an attack occurring on a digital plain that most of us simply don’t understand. But the truth is, we don’t need to understand the intricacy of information security to recognize that the dangers posed could be catastrophic.
On top of the huge financial blow a hack can unleash, it can also shut down an entire government — much like in Fremont County.
Gretchen Bliss, the director of Cybersecurity Programs at CU Colorado Springs, listed just a few of the many potential ramifications: Contractors might not be able to get a permit for construction because the system is down; local facilities could become inaccessible due to badge sensors not working; marriage licenses and other personal records could become inaccessible; residents might be unable to pay a bill or find that the record of a past bill’s payment might be permanently lost; and real estate transactions might become impossible to process.
“You name it,” Bliss said in an email, “any function that a local/municipal government performs (could be) stopped completely.”
Here, it could be easy to pull back and say, “Well, it’s not my problem. The city/county should fix that.” And it’s true that the onus will rest primarily on our local governments to implement the necessary changes to protect themselves from hackers and malware.
But such efforts will require tangible investments of tax dollars, which Bliss recognizes as a hard sell. Local officials and information security officers are in a “no-win situation” when it comes to cybersecurity, she said.
“If they invest upfront to protect and install security protections on their systems before they are compromised, which is a pricy endeavor, and they never get attacked … they can’t prove the investment was worth it,” Bliss said. And, counterintuitively, if the improved security protections prevent a hacker from even trying to attack a stronger system, it is even harder to prove the investment was worth it.
It might be helpful then to think of such investments as airbags: We won’t notice them every day, but they will protect us when we need them most.
(Both the City of Boulder and Boulder County declined to discuss their cybersecurity investments. The city provided a statement that noted that the city treats “the security and protection of client and constituent data and information as paramount.” The statement read in part, “Boulder security requirements supplement any, and all local, state and federal regulatory requirements that a member firm has, including, but not limited to, data protection and privacy.”)
Cybersecurity is messy and complicated and hard to understand. But it is important that we as a community take it seriously. We must educate ourselves on the best practices to keep ourselves safe and in turn our communities safe online, and we must make certain our elected officials recognize the importance of cybersecurity.
Fremont County’s director of emergency management compared that county’s cyberattack to a natural disaster.
We here have seen the devastation that natural disasters can wreak and we have reacted and invested in mitigation and resilience. The devastation that can be unleashed upon our local governments’ digital systems is there for all to see. Will we react?
— Gary Garrison for the Editorial Board