“Public Insecurity:” The Special Vulnerability of Public Facilities
March 28, 2024
Privacy Plus+
Privacy, Technology and Perspective
This week, let’s focus on ransomware attacks on public facilities, a persistent challenge highlighting the critical need for robust cybersecurity measures within government operations and critical infrastructure.
Background:
Ransomware, malicious software that encrypts data and systems and renders them unusable until a ransom is paid, can severely impact government operations and critical infrastructure. Cities, towns, and public facilities are increasingly popular targets because of the essential services they run, like traffic management systems and water treatment facilities, and because they hold extensive repositories of personal data, including health records, financial information, and personal identifiers.
A Growing Threat:
The FBI reports that last year, government facilities were the third largest critical infrastructure sector targeted by attackers. For details on this, click on the following link:
High-Profile Incidents Highlight Vulnerabilities:
However, the targeting of public facilities has been going on for years. For example, in Texas, the state judiciary was targeted in 2020, and again in 2024. You can read about each of these incidents respectively by clicking on the links below:
Texas Judiciary 2020: https://www.govtech.com/security/justice-hacked-when-cyber-criminals-come-for-the-courts
Texas Judiciary 2024: https://thehill.com/policy/cybersecurity/497154-texas-court-systems-hit-by-cyberattack/
In 2023, the City of Dallas, including its police department, and the North Texas Municipal Water District also fell under attack. You can read about each of these incidents respectively by clicking on the links below:
Dallas police 2023: https://www.keranews.org/news/2023-05-09/dallas-ransomware-cyberattack-federal-investigation
North Texas Water District 2023: https://www.dallasnews.com/news/2023/11/28/one-of-north-texas-largest-water-suppliers-is-latest-victim-of-cyberattack/
Most recently, the Tarrant County (Fort Worth) Appraisal District was hacked for the second time in 18 months. It now faces a ransomware demand of $700,000, with 2024 property appraisals about to be sent out. You can read about that attack here:
Tarrant County Appraisal District 2024: https://www.keranews.org/texas-news/2024-03-26/ransomware-group-demands-700-000-from-tarrant-appraisal-district
Our Thoughts:
1. CISA Goals as a Resource: Public facilities are unique and uniquely vulnerable. They must constantly coordinate across their offices and up through regions, districts, and counties to the state level, as well as with other agencies they work with, and often with federal counterparts as well. When one changes, all must change to various degrees. This “compatibility issue” of systems, equipment, and procedures often turns what might seem like the simplest problem into a horrendously complex one that complicates public facility protection especially. Therefore, we would recommend committing to a standardized risk-based cybersecurity approach.
Recognizing the fact that the risk to public facilities has now risen to a point that threatens national security, the United States Cybersecurity & Infrastructure Security Agency (CISA) has developed Cybersecurity Performance Goals to ensure a strong cybersecurity posture. State and local governments would be wise to consider these goals, which align with the NIST Cybersecurity Framework, as a baseline set of risk-reducing cybersecurity practices. A link to those goals follows:
https://www.cisa.gov/cross-sector-cybersecurity-performance-goals
2. Recommended Actions: At minimum, it would be “pound-wise” to invest in stronger state-level cybersecurity support of local agencies, which should:
· Establish cyber governance and planning;
· Assess and evaluate systems and capabilities;
· Implement security measures commensurate with risk, and partition critical systems; and
· Build and train a cybersecurity workforce.
Note that the above recommendations are not ours; they were also developed by CISA.
3. Addressing Cloud Services and AI: Our experience underscores the peril in the increasing reliance on cloud services and vendor cybersecurity assurances. Large gaps exist between marketing materials and contractual commitments. Traditional procurement practices and legacy government contracts often don’t address today’s realities. To bridge this gap, government agencies should alter their procurement and contract negotiation practices to prioritize the following:
· Privacy and Cybersecurity: Ensuring that contracts explicitly define the data privacy protections and cybersecurity measures that their vendors must adhere to.
· Data Use: Restricting data use and sales.
· Ongoing Compliance and Monitoring: Establishing mechanisms for continuous monitoring of vendor compliance.
· Adaptability to Technological Advances: Incorporating clauses that require periodic updates to cybersecurity practices in line with emerging threats and technological advancements.
· Engagement of Privacy and Cybersecurity Experts: Involving data privacy and cybersecurity professionals in the procurement process to assess the reality of vendor claims.
---
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet, and technology. Open the Future℠.