Please ensure Javascript is enabled for purposes of website accessibility

Local governments a growing target for cyberattacks

FILE PHOTO/MAXIMILIAN FRANZ Tim Lorello, president and CEO of SecuLore of Maryland, says the number of cyberattacks on local governments in the U.S. is rising by about 10 percent a month.

A major cyberattack on Atlanta in March shut down city computers for five days, exposing critical vulnerabilities in the government system.

A major cyberattack on Atlanta in March shut down city computers for five days, exposing critical vulnerabilities in the government system.

Days later, Baltimore was hit with a separate ransomware attack that required 911 dispatchers to manually dispatch calls. In May, the Idaho Legislature website was taken over by hackers who posted a manifesto on its website.

SecuLore Solutions, a cybersecurity firm based in Odenton, Md., that serves the public safety industry, has been tracking attacks on local governments across the country. The number of attacks on the rolling 24-month tracker keeps rising by about 10 percent a month, said SecuLore president and CEO Tim Lorello.

“When the ransomware damages go from $1 billion to $2 billion in one year, then you know that the criminals have a business and they’re operating at full force and we need to do something to respond to it nationally,” Lorello said. “On the other hand, you’ve got thousands of jurisdictions, and even the federal government doesn’t have the resources to support and protect them.”

As small and big municipalities and counties grapple with attacks in a changing digital landscape, going it alone may not be enough. In Aurora, Colo., city officials are helping spread the word that data security isn’t something local governments can ignore.

Aurora chief information security officer Tim McCain and internal audit manager Wayne Sommer wrote on a 2016 blog for the International City/County Management Association that cybersecurity is an iceberg looming before cities. Two years later, McCain reports that attacks are on the rise.

“They’re increasing in sophistication, they’re increasing in magnitude, they’re increasing in complexity,” he said. “Government as well as other favorable sectors for these people – nation states and hackers – is a big focus for them right now.”


Aurora, next to Denver, is moving toward more smart features and data-driven innovations. To address security concerns, Sommer and McCain anticipate creating a joint register that will identify specific risk areas and rate those risks.

“The No. 1 thing to do is to realize it can still come home to roost in your community,” Sommer said. “You can’t ignore it; you have to think about it.”

In a cybersecurity survey published by ICMA in partnership with the University of Maryland, Baltimore County, city and county governments reported that a lack of funds (52.3 percent), inability to pay competitive salaries for cybersecurity personnel (58.3 percent) and insufficient number of cybersecurity staff (53 percent) were severe or somewhat severe barriers to achieving the highest possible level of cybersecurity.

And the survey revealed that most local governments believe they are being attacked at least daily and 24 percent said hourly or more – numbers that UMBC researchers believe are much higher.


Harry Holt, vice president of operations at BithGroup Technologies in Baltimore, said he was not surprised to hear local governments worry they don’t pay enough to attract top cybersecurity personnel. There simply aren’t enough cybersecurity engineers to meet the demand in the field, he said.

But he believes partnerships with local universities could attract young talent to government.

In the end, cybersecurity looks pretty similar for private and public entities. It comes down to the employees doing all they can to keep it secure, Holt said.

“Once they get in, there’s some pretty sophisticated technology folks out there that can do bad things,” he said. “The training has to be constant. And you have to do different types of tests and awareness on an ongoing basis.”


In Colorado, working together has proved a potential model.

Leaders noticed the Department of Homeland Security and other federal agencies are not able to provide enough real-time actionable intelligence on current threats.

Aurora was one of the founding members of the Colorado Threat Intelligence System, where local governments band together to notify each other of incoming attacks.


The security of the 911 systems across the country are particularly critical, as Baltimore found out.

Lorello said he hopes they will get more attention, pointing out emergency call centers are often the only 24/7 system in a government.

On Thanksgiving weekend 2016, a small county in Maryland was attacked. The IT director was on the phone at 8 p.m., asking for help, but a staffer said his job description didn’t require him to come in on weekends.

Lorello estimated 80 percent of 911 centers are only four employees or less, but being embedded in a larger system also has risks.

“That’s the problem that we’re seeing is because they’re embedded in these city and county government infrastructures, they are susceptible to the horrible attacks that are going on to those cities and counties today,” he said.


Lorello said local governments need to move forward with NextGen 911 technology, a new digital architecture for 911 that will give them access to data beyond the traditional location, call-back number and voice communication.

Instead, they would be able to accept texts, photos, videos and smart city data that could be critical to first responders in an emergency.

Additionally, jurisdictions and the private sector are working together to adopt the infrastructure, so it would move the call centers out of individual jurisdiction systems and to a more secure, resilient architecture, he said.

About 20 percent of the country has moved to NextGen, but none are yet taking photos and videos.


Another solution could be including public safety governments in Einstein, a cybersecurity program that protects federal agencies.

In 2016, then Federal Communications Commission Chairman Tom Wheeler asked a congressional committee to do so.

For now, McCain said, local governments need to remember this is about protecting data.

“Always take time to go back to the basics,” he said. “When you walk into an organization, say, “What are the basics: how are you doing access control, patching, locking down your networks?”

BridgeTower Media is the parent company of Lehigh Valley Business.

Business Journal Events

Best Places to Work in PA

Thursday, December 08, 2022
Best Places to Work in PA

Diversity, Equity, and Inclusion Summit

Wednesday, March 29, 2023
Diversity, Equity, and Inclusion Summit

Women of Influence Awards

Wednesday, May 10, 2023
Women of Influence Awards

Health Care Heroes

Tuesday, August 01, 2023
Health Care Heroes