Texas ransomware attacks show big gaps in cyber defenses — expect more like them

Key Points
  • Texas is still recovering from a spate of ransomware attacks against small towns.
  • The attacks are highly worrisome because of how easy they were for criminals to execute and how vulnerable small towns in the U.S. may be.
  • Ransomware attacks are not always merely criminal acts — they have been used readily in the past by hostile nation-states and as a means to hobble critical services, including emergency care and vaccine production.

The ransomware attacks against more than 20 Texas towns this week are significant. Though little is known about the origins of the attacks, the spread of ransomware across small-town America has exposed a deep problem in how the country approaches cybersecurity.

That's because local governments commonly share single service providers, making many vulnerable at once. On top of this, ransomware has often been used to mask more targeted, malicious activity by nation-states, and there are clear indications this will happen again in the future.

Ransomware, which is malicious software that spreads across networks and shuts down computers until a ransom is paid, can have a significant impact on the technology that runs local services, including water, power, wastewater treatment and emergency services.

Shared service providers, small towns

Small towns can't afford significant information technology departments, so they frequently outsource those services to managed service providers, who in turn use the same software and same applications for all of the governments they serve, explains Chris Morales, head of security analytics for Vectra AI, a cyberthreat detection company.

That ubiquity makes them vulnerable to one big attack and provides a big target to criminal hackers who want to increase their odds by hitting as many at once as possible, he said. Two Texas municipalities caught up in the recent spate of ransomware have now confirmed that an unnamed managed service provider was exploited.

There is no quick, easy solution to this problem, said Morales.

"They work off a tax budget," Morales said. "Can you imagine telling taxpayers you are spending millions on cybersecurity when there are potholes in the roads?"

In addition, small towns aren't subject to wider initiatives to secure government infrastructure, such as the relatively recent designation of elections infrastructure as critical.

Indeed, smaller towns and cities are "largely under-funded, and live on what we call the 'edge of existence' in terms of cyber," said George Simonds, president of cybersecurity company InfraShield and founder of the International Critical Infrastructure Security Institute. "Ransomware is a threat that basically everyone is facing," Simonds said, including local governments and counties, large cities and utility providers. Simonds agreed that there is no quick budgetary fix for the problem.

Ransomware as a cover story

This long-term, widespread budgetary issue is a problem, because while criminals may be exploiting cities in this latest round of attacks, hostile nation-states often use attacks like these as a convenient cover for more insidious activity.

Two of the largest-ever single-incident ransomware attacks, known as WannaCry and NotPetya, took place in 2017. The attacks shut down health-care services by Britain's NHS, hobbled the logistics operations of shipping giant AP Moeller-Maersk and stymied the production of the HPV vaccine by drugmaker Merck, among a slew of other case studies.

But the attacks weren't "ransomware" in the traditional sense. These attacks netted a relatively paltry profit for the instigators and are largely believed to have served as a way to spread chaos rather than obtain funds. WannaCry was ultimately attributed by the U.S. government to North Korea and NotPetya to the Russian military.

The Texas attacks have not yet been attributed to any group, and investigating the origin of the attackers is taking a backseat — as it usually does — to containing the situation, according to the state's Department of Information Resources. But if city systems are susceptible to this kind of damage, even if from simple criminals, they would be just as susceptible to an attack from other hostile forces.

The DIR originally said 23 towns had been affected, then it lowered the number to 22 without explanation.

A worrisome connection to services

For years, government pundits have warned that nation-state attackers, whether from Iran, Russia or China, could directly take down one of the country's critical industries, often through supposedly highly sophisticated processes and long-term hacks. But the ransomware incidents of 2017 and the relative ease ransomware criminals have had in attacking U.S. cities — including major hubs such as Baltimore, Atlanta, San Francisco and Albany — show the vulnerability of local government infrastructure is plenty worrisome.

"The fact that we are seeing an acceleration of attacks that are reportedly successful tells me that we have not prepared," said Eddie Habibi, CEO of industrial systems security company PAS Global.

While many industrial systems are administered on unique systems that "require greater sophistication," Habibi explained, "some of these [ransomware] attacks are made on the Windows operating system that is used to run the utilities that run power plants or water utilities. Consequences of attacks on the industrial sector can be a lot more serious than on data," he said.
