MY TAKE: Local government can do more to repel ransomware, dilute disinformation campaigns

By Byron V. Acohido

Local government agencies remain acutely exposed to being hacked. That’s long been true. However, at this moment in history, two particularly worrisome types of cyber attacks are cycling up and hitting local government entities hard: ransomware sieges and election tampering.

Related: Free tools that can help protect elections

I had a deep discussion about this with Todd Weller, chief strategy officer at Bandura Cyber. We spoke at Black Hat USA 2019. Bandura Cyber is a 6-year-old supplier of  threat intelligence gateway technologies. It helps organizations of all sizes but has a solution that is well suited to enable more resource constrained SMBs, tap into the myriad threat feeds being collected by a wide variety of entities and extract actionable intelligence.

Weller observed that local governments are under pressure to more proactively detect and deter threat actors, which means they must figure out how to redirect a bigger chunk of limited resources toward mitigating cyber threats. Current attack trends add urgency, and catching up on doing basic security best practices isn’t enough. For a drill down on my interview with Weller, give a listen to the accompanying podcast. Here are key takeaways:

Ransomware run

We’ve recently learned just how easy it is for ransomware purveyors to either extract huge extortion payments from local agencies, or worse, cause tens of millions of dollars of damage.

Baltimore city officials declined to pay $76,000 for a ransomware decryption key – and the city ended up absorbing an estimated $18 million in recovery costs. Atlanta refused to pay a $51,000 ransom, and ate $17 million in damage.

Meanwhile, officials from Riviera Beach, Fla., population 35,000, saw fit to cough up a $600,000 payment, and Lake City, Fla., population 12,046, paid $460,000, respectively, for ransomware decryption keys. In each case, after weeks of having city services disrupted, and facing pressure from constituents, city leaders viewed paying a six-figure ransom as the least painful, quickest resolution.

“Ransomware attacks are trendy again,” Weller told me. “If people are paying, then it’s profitable to do it. And once a soft target is identified, hackers tend to do campaigns by industry, or organization types.”

Ransomware attacks against local government entities at some point will run its course. Eventually, governments will address the risk by beefing up security and purchasing cyber insurance, which go hand in glove. The fact that the losses municipalities are sustaining is quantifiable, makes this a definable problem that can be addressed by traditional risk mitigation approaches.

By contrast we don’t yet know the depth and breadth of the damage being wrought by election tampering and disinformation campaigns that pivot off poorly defended local government networks. With the 2020 presidential race underway, there is plenty of hard and anecdotal evidence that local governments remain totally unprepared for Russia and others to repeat – and expand upon – what happened in the 2016 presidential race. For a quick, comprehensive summary review the coverage of Robert Mueller’s report and Congressional testimony.

Election tampering

The wide exposure to election tampering stems from having too many voter registration databases coming on line that were never security hardened, and by now have been plundered several times over by malicious, automated botnets. The personal data collected by the criminal botnets is the source of baseline intelligence that ideologues and propagandists continue to use to target and refine their disinformation campaigns, which they typically disperse by social media.

What’s more, not nearly enough thought was put into preserving the physical security of actual voting system hardware. There are some big, unanswered questions about supply chain security surrounding voting machines. And local government processes and policies tend to lack a security orientation; consider that it’s not uncommon to send a runner to retrieve poll results from a digital voting device that gets stored on a portable drive. These all translate into viable attack vectors wide open to motivated, well-funded threat actors.

Weller points out that there has been some progress at the local entity level, to be sure, in regard to tightening access controls, fine tuning intrusion detection and prevention systems, and stepping up threat hunting activities. Yet there remains tens of thousands of local entities, including many located in strategically important geographies, that remain highly vulnerable.


Weller, a Baltimore resident, told me he was curious what Maryland was doing in regard to election cybersecurity. “There’s actually a really good page on their website that goes through details of what the threats are and the basics of what they’re doing about them. I was impressed.”

“As much as we sometimes want to talk about the inadequacies at the state and local level and how far behind they are, it’s also important to acknowledge that they are moving forward, as well, and some progress is being made.”

Proactive threat hunting

Even so, the situation cries out for crisis intervention. It’s more crucial than ever for states, counties, cities and local agencies to manage vulnerabilities, train employees and make a commitment to robust incidence response planning and disaster recovery preparedness.

Yet to simply stop procrastinating about security practices that should have been implemented a decade ago is not going to be enough in the current environment. More proactive defense measures are required. Toward this end, Bandura Cyber has been innovating in the area of threat intelligence sharing, with a focus on helping small- to medium-sized organizations more proactively detect and deter threat actors who are on the move against them.

“We play at the intersection of network security and threat intelligence in a space called threat intelligence gateways,” Weller told me.  “Fundamentally, we’ll look at network traffic and make an ‘allow’ or ‘deny’ decision, and it’s all based on a massive amount of third-party threat intelligence indicators.”

Bandura Cyber complements existing firewalls and intrusion detection and prevention systems. It provides another layer of protection based on a broader and more diverse array of threat intelligence and can also integrate and take action on threat intelligence from the on-premises security systems the organization already has in place.

“All companies need a broad view of threat intelligence, and no one single vendor can provide you everything you need,” Weller says. “We leverage lots of feeds and we’re also open to integrating any threat intelligence feed the customer wants.”

Smaller organizations by definition are resources-strained. SMBs tend not to have ready access a dedicated security operations center (SOC) or an army of analysts and security techs. So, Bandura Cyber has stepped up to offer just such a solution to SMBs. “We want to make this easy for them in a turn-key way that’s easy to deploy.” Weller says.

For big enterprises that do have SOCs and who are already power users of multiple threat feeds, Bandura Cyber can help integrate an expanding number of threat feeds and provide the ability to take enforcement actions in easier and more scalable way than can be done in NextGen firewalls. “We can provide relief to a NextGen firewall that might be bogged down doing deep packet inspections, and enable organizations to use third-party intelligence from other sources,” he says.

It’s a positive development that Bandura Cyber and other security vendors are focused on making higher use of threat intel feeds generally, and helping SMBs, specifically. Small banks, credit unions, retailers, manufacturers and service professionals are in much the same boat as local governments. The attacks on smaller government agencies shows how attackers opportunistically cycle to different segments over time. Stemming the ransomware extortion wave, and preserving the sanctity of the 2020 elections would be a good place to start turning the tide.  I’ll keep watch.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone