Spotlight on Public Finance, Spring 2019

Ransomware. Criminals and foreign nations continue to use malicious code that locks users out of their systems or data in an attempt to extract ransom payments. Systems can be infected by visiting a compromised website or by opening a malicious email attachment—often a spoofed email as described above. Once introduced to a network, this malware can quickly spread to other devices. Just last month, officials in Jackson County, Georgia paid $400,000 to hackers who used ransomware to take over the county’s network.1 The incident reportedly took down all online county services other than a public website and the 911 system. “We had to make a determination on whether to pay,” a county official said.2 “We could have literally been down months and months and spent as much or more money trying to get our system rebuilt.” Ransom payments are legally or politically untenable for some public entities, and generally are discouraged by the FBI, but officials may be faced with stark realties that make paying seem like the most efficient response. Data breaches . The most familiar type of cybersecurity incident—the theft of large amounts of sensitive personal or financial data— is a significant and constant risk for public entities. In a recent, characteristic example, hackers targeted the City of Bakersfield’s online payment processing system.3 Someone inserted code into the City’s Click2Gov system, which it used to process payments for building permits, utility bills and other activities.4 The code captured payment card data and the City believed that the “information taken includes name, address, email address, payment card number, expiration date and security code.”5 Approximately 2,400 citizens were affected. Credit and Infrastructure Risks The consequences of financially-motivated cyber incidents can reverberate beyond direct losses and costs. Both Moody’s and S&P Global Ratings have recognized that cyber incidents have the potential to impact to credit worthiness. “We haven’t yet moved a credit rating due to cyber risk or a cyber event, but we see the likelihood of credit-rating impact as steadily increasing,” a Moody’s executive told CNBC.6 Similarly, a recent S&P report noted the increased targeting of the public sector and concluded that successful attacks can erode public trust to the point of impacting public trust and taxing capacity.7 Although most targeting of state, municipal, and local government entities is financially motivated, the risk of physical disruption is real. Actors who intend to disrupt tangible services or destroy of infrastructure may target such entities to gain a foothold in a network that controls systems in the physical world. For example, the City of Baltimore’s 911 dispatch system was hacked and partially shut down last spring. The hack targeted the system that “populates 911 callers’ locations on mapping systems and makes connecting them with the closest emergency responders more efficient.”8 The city was forced to fall back on a patch-work of manual workaround while the affected servers were isolated and fixed. On a larger scale, last year the federal government indicted Iranian hackers for illegally accessing the control system of a dam in Rye, New York. Further, multiple reports claim that the U.S. power grid is continually probed by a variety of actors, not entirely dissimilar from preparations for a cyber-attack that took down Ukraine’s power grid in 2015.9 Actions to Take Many in the public sector are taking the threat seriously. For example, New York City has set up its own NYC Cyber Command, a “centralized organization created by Executive Order to lead the City’s cyber defense efforts, working across more than 100 agencies and offices to prevent, detect, respond, and recover from cyber threats.”10 That is good news, but such costly measures are not a practical option for all municipal entities. Fortunately, there are some practical steps that can serve as the foundation of a cyber risk management program. • Employee training . “Human error is a major factor in breaches, and trusted but unwitting insiders are to blame.”11 Familiarizing employees with the threat their organization faces, and how to respond if an incident does occur, is probably the most important thing an organization can do. Catastrophic incidents can be, and sometimes are, avoided by employees who were trained to recognize a potential threat and know how to respond.

Spotlight on Public Finance | 2

Made with FlippingBook - Online catalogs