Spotlight on Public Finance, Spring 2018

Although they receive the most media attention, nation states, political parties, and large retailers are not the only entities being targeted by hackers. As those entities build stronger defenses, hackers have increasingly pursued lower profile and less protected yet still lucrative targets like state and local governments and other public entities. Indeed, some hospitals, school districts, and local governments have already been victims of cyber-attacks.¹ For example, in a recent Department of the Treasury announcement, it identified that “[s]ince at least March 2016, Russian government cyber actors have also targeted U.S. government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”² Despite this risk, public entities can be unaware and unprepared to identify and protect themselves from a variety of cyber-related threats, but there are a number of preliminary steps they can take to reduce risk and to be prepared. Selected threats • Business email compromise schemes. One of the most pervasive threats usually does not involve hacking in the traditional sense. Rather, criminals can devise simple tools to send emails that appear to come from an internal senior executive or accounting employee that direct another employee to initiate a bank transfer to an account controlled by the criminal. Well-meaning employees trying to satisfy an urgent request frequently fall victim to this scam, which is low-cost and low-risk for the criminal. Further, the risk is particularly acute where criminals have access to information that allows them to tailor convincing spoofed emails (e.g., internal emails released under open records laws). The FBI has identified business email compromise schemes as a top tread in cybercrime and has published a useful, plain language overview of the issue. • Ransomware. Criminals and nation state actors are also using malicious code that locks users out of their systems or data in an attempt to extract ransom payments (like the recent cyber-attack that victimized Atlanta). User systems can be infected by visiting a compromised website or by opening a malicious email attachment. Once introduced to a network, this code—termed “malware”—can quickly spread to other devices. For example, in 2016, an employee of a Florida police department opened a malicious email attachment that spread, encrypted 160,000 city files, and triggered a demand for up to $33 million in bitcoin to unlock them.³ Some victims quietly pay the ransom rather than risk serious disruption to their business or reputational harm, but the FBI advises against doing so. Ransom payments also are rarely an option for a public entity. • Data breaches. One of the most familiar cybersecurity incidents—the theft of large amounts of sensitive personal or financial data—is a real risk for public entities. For example, the FBI recently had the contact information of 20,000 of its employees leaked online.⁴ The amount of data stolen does not have to be large to have a significant impact—criminals have stolen login credentials to financial wire systems and have been able to initiate unauthorized transfers of tens of millions of dollars. The personal and financial data held by public entities—both large aggregations of data and more discrete pieces of critical financial information—will be attractive to criminals, especially when left vulnerable on older devices or systems. • Physical effects. Any organization that is related to or supports critical infrastructure can also be subjected to threats beyond financial crimes. Actors who seek disruption of services or destruction of infrastructure may target these entities to gain a foothold in a network that controls systems in the physical world. For example, the federal government recently indicted Iranian hackers for illegally accessing the control system of a dam in Rye, New York. No physical damage occurred from that incident, but the potential for damage from similar intrusions is clear. • Credit risk. An S&P Global Ratings analyst has said that a cybersecurity incident could affect a public entity’s credit rating. This not only due to the cost of an incident, but also the accompanying loss in taxpayer trust could hinder a public entity’s ’s ability to raise taxes.⁵ We are not aware of any such downgrade that has happened yet, but it is a risk that public entities should be aware of.

Spotlight on Public Finance | 2

Made with FlippingBook Online newsletter