The increasing cost of cyberattacks and what governments can do about it

This month, Bernalillo County, home to Albuquerque, New Mexico, joined the ever-increasing roster of governments that have fallen prey to a major cyberattack. Ransomware has clearly become the tool of choice for hackers and the financial risk to governments goes beyond the ransom demand. This week, I’ll cover some of the main issues with cybersecurity and what governments are doing about it.

But first, a plug for a free webinar I’m doing Jan. 31 with thought leader Nick Kittle on what we can learn from how governments spent their CARES Act funds and how that applies to the American Rescue Plan Act. Join us!

Register here

A crippling attack

Hackers hit the Albuquerque area twice in two weeks, dealing blows that have devastated operations. The first attack targeted the county government, followed last week by one on Albuquerque Public Schools. Both are still under investigation but news media has reported both as suspected ransomware attacks. 

APS canceled school for three days in the immediate aftermath. They reopened Tuesday, but systems are still vulnerable. “The reality is this entire time we’ve continued to be attacked, and the IT team is not only restoring our systems but continuing to protect them,” APS Superintendent Scott Elder told KRQE.

As of last week, the county government was still operating on minimal services, most buildings were closed and employees were working remotely. Many critical citizen services were still shut down including tax calculations, public records payments, and permitting.

Ransomware attacks that so dramatically affect daily operations and citizens’ access to services used to be rare, but they’ve become all-to-common. One calculation by The Washington Post estimates more than 400 cities have been hit in recent years. It’s a big reason why cybersecurity has been the No. 1 issue for Chief Information Officers in the last few years.

There are two main reasons hackers are using ransomware against the public sector. One is that attacks which hold public data, services and systems hostage are highly effective. In the early months of the pandemic, for example, cyber criminals took control of data belonging to a University of California San Francisco coronavirus vaccine research team and demanded $3 million in ransom. The university negotiated it down to $1.1 million in exchange for control.

The other reason: cyberattackers know that the public sector has typically underinvested in IT, making it potentially easy prey. According to the cyber statistics tracker Hackmageddon, health services, public administration and education were among the top targets for cyberattacks in 2021.

The cost of cyberattacks

Paying the ransom demanded by hackers is discouraged but lots of places do anyway because restoring systems themselves is expensive and time-consuming. For example, officials in Tulsa revealed recently that an attack last year cost them $2 million in damage and months of recovery.

“The FBI always advises against paying the ransom,” Adam Hardi, a higher education senior analyst at Moody’s Investors Service, told me last year. “But we have seen a fair number doing it anyway because it is more economically feasible to spend $1 million than potentially $10 million to retrieve the data.”

But there’s more to the cost of cyberattacks than the ransom or what it costs to restore systems.