Across all levels of government in the United States cybersecurity, in the wake of digital transformations, remains the top-most priority across departments.
“Ronald Regan could rise up from the grave and walk into our city government and not be too surprised at [the technology] he sees,” said Kate May, Director of IT Operations at the City of Rochester.
The City of Rochester, the fourth-most populous city and the 10th most-populated municipality in New York, received just over $200 million in American Rescue Plan funds.
According to the city’s ARPA Spending Plan, budget allocations were organized around the vision detailed in Rochester 2034, the City’s fourth Comprehensive Plan.
Out of the $202 million ARPA funding, $3 million was allocated to the city’s IT department, approximately 1.4% of the overall sum.
Roughly two-thirds of that was put toward replacing switches and other physical network infrastructure. Roughly, $1M remains and May says it will more than likely be spent by the end of next year.
“I think the big challenge, especially after that first wave of digitization that happened before I got here, was not really envisioning what could be. It was mostly, ‘OK, we’ve got a paper process, let’s take that current state and make that a digital process,’” said May.
Along with digital transformation is the need for improved network security. Data breaches at local governments across the U.S. have grown increasingly commonplace over recent years.
“It’s the biggest risk that can really shut down a whole city. It can shut down not just access to your data, but potentially important life and safety things like water or public safety,” said May, adding that cybersecurity remains the top agenda point of the department, given what other cities have had to traverse through.
Of the ARPA funds allocated to IT, however, Rochester allocated $150,000 of funding to cybersecurity upgrades, which is a starting point, according to May.
IBM’s 2023 report titled Cost of a Data Breach claimed that $4.45 million is the global average cost to governments — and thus the taxpayer — when a breach occurs. This figure is an increase of $100,000 from last year’s calculation.
The report continues, “Since 2020, when the average total cost of a data breach was $3.86 million, the average total cost has increased 15.3%,” highlighting the need to pursue the strengthening of IT systems and data capabilities.
The 2023 Federal Budget contributed $2.5 billion to the Cybersecurity and Infrastructure Security Agency, a $86 million increase above 2021, to modernize its systems and combat cybercrime.
This past summer Dallas was hit with a ransomware attack that affected 27,000 residents, as well as 911 dispatch services for police and fire departments. Also affected in the attack were local courts, utilities systems, and more, which has already cost taxpayers more than $8.5 million to date, according to the local government.
Hackers were able to obtain names, addresses, medical data, and other information through the city’s servers.
Dallas Fire Association President Jim McDade said, “I got two letters, one for myself and one for my son. The letter to may 10-year-old son says, ‘Our investigation to date has indicated that some of your minors’ sensitive personal information was impacted.”
The information stolen: the minor’s name, address, Social Security number, date of birth, insurance, information claims, information, diagnosis, and other identifiers.
A handful of years before a similar cyber-attack was directed at the City of Baltimore.
In 2019, Baltimore’s servers were compromised by a variant of the infamous ransomware coined Robinhood. The infamy not only arises from its use in several cyber-attacks, but also from its origins. Speculation arose that it was a computer exploitation tool called EternalBlue, developed by NSA, which was stolen in 2017.
According to a May 2019 article by the New York Times, people directly involved in the investigation in Baltimore told the Times that the EternalBlue, was “found in the city’s network by all four contractors hired to study the attack and restore computer services.”
The Maryland-based city was the second major U.S. city (population over 500,000) to fall victim to this ransomware attack in 2019 alone. The first being Greenville, North Carolina.
The Baltimore Sun reported that, in total, $18.2 million was the estimated cost impact to the city’s taxpayers.
The city’s information technology office spent $10 million on recovery efforts since the ransomware struck. The other $8.2 million in impact is “from potential lost or delayed revenue, such as money from property taxes, real estate fees and some fines,” said city officials at the time.
Atlanta was attacked the previous year from a remote ransomware cyber-attack on the local government’s obsolete computer networks. This attack cost the city up to $17 million in losses directly related to the cyber-attack and the associated costs to resolve the issue. In this attack, up to six million people were reportedly affected.
Local governments have made news headlines for ransomware cyber-attacks that have resulted in significant data breaches, so much so that according to May, “Everything in local government now has a cybersecurity focus.”
At the local level, there are approximately 30,000 government entities across the U.S.
Amidst the tail-end of the pandemic, the American Rescue Plan Act (ARPA) legislated $1.9 trillion in economic relief. Of that sum, $130 billion (roughly 14.6%) in fiscal aid was distributed directly to local government entities via the State and Local Fiscal Recovery Funds program for modernization efforts to infrastructure and more.
“All companies are now tech companies in some form—and that goes for governments, too,” said Steve LaFleche, IBM’s general manager for the US Public and Federal Market, in a March 2021 blog at IBM.com. He added, “The top companies in the private sector are innovating and modernizing endlessly. Governments, likewise, must become citizen-focused, rapid-response tech companies.”