Stories
Expert Voices

How cities can guard against ransomware attacks

Illustration of a city inside of an opened bird cage.
Illustration: Aïda Amer/Axios

More than 50 cities have fallen prey to ransomware attacks in 2019 so far, with the average paying $36,295 in ransom. As a result, cities are beginning to explore new cybersecurity options. 

The big picture: As cities move more of their services online and collect more data on their communities and residents, small- to mid-sized municipalities with underfunded IT departments are particularly vulnerable to ransomware attacks and associated costs. 

By the numbers: The International City/County Management Association found that roughly 30% of local governments don't know how often their systems are attacked.

  • Of those that could, an alarming 60% said they were being attacked on a daily — if not hourly — basis. 

What's happening: When a city is attacked, critical services such as tax management and permit approval can be halted as city officials decide whether to pay a ransom or rebuild a system.

  • Paying ransom can quickly restore operations, but nearly 60% of citizens object to such action.
  • Rebuilding a system, meanwhile, is typically more expensive and can take months. 
    • Baltimore chose not to pay a ransom and has instead spent over $5.3 million in restoration costs. City officials have estimated that a complete recovery will cost over $18 million total, including lost revenue.

What's needed: Residents largely do not want municipal funds paid out to hackers, so if cities are going to rebuild, their new systems should have built-in defenses.

  • A cybersecurity policy gaining traction among municipalities is Zero Trust, which operates on the assumption that anything inside or outside of a corporate network including data, devices, systems and users is a security risk.
  • How it works: In a Zero Trust system, administrators use technologies including end-to-end encryption, multifactor authentication, identity access management and analytics to control access.

What to watch: The U.S. government is starting to invest in Zero Trust pilot programs, including a recently announced project with the Defense Information Systems Agency and U.S. Cyber Command. 

Alan Duric is the co-founder and CTO/COO of Wire, a secure collaboration platform.