The hidden threat to every government’s finances
Defending against cyberattacks is expensive and imperfect. But the alternative is worse.
Happy Finance Friday, readers! Earlier this week, the Public Money Pod aired an episode with Omid Rahmani, the head of Public Finance Cybersecurity for Fitch Ratings, who had a lot to say about the role of public finance officials and cybersecurity. This week’s newsletter is inspired by that conversation, which got me thinking about our mindset around cybersecurity and how hard it is to spend money on something you can’t see and that will never be foolproof.
If you take anything away from this newsletter, it’s that government finance folks and cybersecurity folks need to be super friendly with one another because they are dependent on each other to succeed.
The most expensive cyberattack on record
In the Disney animated movie Ralph Breaks the Internet, the well-meaning main character, “Wreck-it-Ralph,” accidentally launches a virus that wreaks havoc on the entire internet by exploiting a vulnerability found in Ralph himself. Seizing upon Ralph’s neediness, the virus rapidly replicates, and within seconds, thousands of needy and zombie-esque little Ralph clones are covering everything they see like ants on candy.
It’s funny when it’s a cartoon but not so much when it happens in real life and ultimately costs billions of dollars to fix. That has been the case with the string of cyberattacks in late May involving the MOVEit Transfer system, which has so far affected nearly 1,000 governments and companies and 59 million people across the globe. One of the largest breaches in history, it’s estimated the cost could ultimately surpass $37 billion.
The frustrating thing is that for every successful cyberattack, thousands more are thwarted. But psychologically, it’s hard to point to a lack of anything happening and say, “Look, it’s working!” (If they haven’t already, Chief Information Security Officers (CISOs) and counterterrorism officials should start a support group.)
Which brings me to the money part. Rahmani estimates that the average municipality has something like “50% technical debt,” which is the implied cost of not maintaining technology devices. Put another way, a government would have to double its network infrastructure spending to bring it fully up-to-date.
Every sector within state and local government—from healthcare to education to waste management—is becoming more reliant on technology. So, theoretically, that infrastructure should become more and more important. But in reality, said Rahmani, it’s very difficult to point to a bunch of computers and tell local officials they need investment.
“Trying to explain to them why a network is antiquated, what that even means and why that’s a problem—that becomes a lot more abstract,” he said. “And as a result, that resource allocation gets lost. But for me, I don’t really see a difference between physical infrastructure and digital infrastructure.”
Can cyber warfare benefit from the pandemic’s lessons?
The approach to cybersecurity has similarities with our response to the Covid-19 pandemic. Much like a computer virus, the coronavirus was unseen, adapted quickly to spread more efficiently, and was enabled by individuals who chose not to follow the advised protocols. And just as governments struggle to fully fund cybersecurity, money was siphoned away from epidemic planning for more visible needs.