Across the country, one in four cities reported being attacked by cybercriminals every hour. That鈥檚 according to a 2016 survey, but attacks against cities have since risen.
Cities in Texas are often targets of cyberattacks, especially small cities, which often lack personnel and funds.
For example, last May, cybercriminals broke into the computer network serving the city of Shavano Park. Criminals took 2.1 terabytes hostage in a ransomware attack 鈥 including 58,000 financial and accounting files. It knocked a police server offline, which impacted basic reporting.鈥淭ypically when a cyberattack happens, no one dies. Nothing blows up. Nothing is lost, but it impacts the operations of all city departments,鈥 said Curtis Leeth, assistant to the city manager.
At the time Leeth was the only cybersecurity or IT person on staff, and those duties made up only a third of his job.
鈥淭here remains a persisting capability gap in our ability to confront the clear and present danger of cyberterrorists and cybercriminals,鈥 said the city in a January application for cybersecurity grant funds.
Shavano Park is around 3,000 people and encircled by San Antonio鈥檚 northwest side. Even though the city is small, they have information like employee health data and social security numbers that bad guys want or can ransom.
鈥淎ll we are on the internet is an IP address or a domain鈥︹ he said. 鈥淭hey鈥檙e just looking for open ports, unsecure networks.鈥
Many cities like Shavano Park lack the resources to combat the cybercrime problem. A 2017 report to the Texas legislature said only 200 of the 1,100 cities in Texas had a full-time cybersecurity employee. Some turning to volunteers to do the work.
Ultimately, Shavano Park recovered the data unaltered, but Leeth said they wouldn鈥檛 have been able to do it without outside help.鈥淎nd at that point鈥 at least for a small city like me鈥 that鈥檚 beyond my capabilities.鈥
Shavano Park turned to the the Texas Municipal League, an advocacy and resource organization for Texas cities. The city had cyber extortion insurance through the league, and it also provided legal advice and referrals for federal and state resources.
Shavano Park was assisted in turn by the as well as US Homeland Security鈥檚 Program.
San Marcos, Sugar Land, Tyler, Cockrell Hill, Houston, Del Rio are just a few of the cities breached in recent years.
TML鈥檚 cyber extortion liability insurance received seven claims in the first quarter of this year, on pace to double last year鈥檚 13 claims.
But TML doesn鈥檛 insure everyone. Cities like Dallas and Houston have from elsewhere.
So getting a complete picture of breaches in Texas is difficult. The state and the public learned about the city hacks largely because the press reported the incident.
While the number of hacks and attacks are going up, don鈥檛 expect cities to talk about it said Sid Hudson, chief information officer for McKinney, Texas.
鈥淪ome of these cities that do experience an attack. They will go underground, and they won鈥檛 even communicate with their closest peers for fear of something leaking out and being attacked further,鈥 Hudson said.
Hudson is also president of the Texas Association of Governmental IT Managers, an organization that encourages pooling knowledge. He said many do, hoping to share best practices and alert one another of possible schemes.
But some don鈥檛, and even Hudson is wary of talking publicly about how Texas cities are faring.
鈥淚鈥檓 sorry, I鈥檓 not comfortable with talking about that,鈥 he said when asked about how cities are attacked.
Hudson said he doesn鈥檛 want to make it worse, and he said stories like this one may advertise vulnerabilities.
Cities notify people when their data gets stolen but aren鈥檛 required to report to the state.
鈥淲e don鈥檛 know what we don鈥檛 know, and I don鈥檛 think we know a lot,鈥 said Giovanni Capriglione, a Texas House member from north Texas.Capriglione authored a bill that passed out of the House May 1 that addresses the issue in part. Among other things, mandates cities report breaches to the state, requires cities join regional cybersecurity information sharing organizations and creates state matching funds for local governments.
Capriglione helped pass legislation dealing with hardening the cyber infrastructure of state agencies last year.
鈥淟ocal cities, municipalities and counties are probably our most at-risk entities,鈥 he said.
He chaired the now-defunct select committee on cybersecurity. In that role he heard about cities who didn鈥檛 know they were breached six months after an attack, and about cities that hadn鈥檛 removed former employee logins in twenty years.
鈥淚 was just overwhelmed by the number of cities who said, 鈥楬ey listen, I just need someone to talk to. Someone I can have help,鈥欌 he said.
A 2016 survey from the international City/County Management Association or ICMA showed the biggest barrier to cities beefing up their cybersecurity was funding.
鈥淚t鈥檚 a budgeting dilemma that every local government has,鈥 said Cory Fleming, a senior technical specialist for ICMA. 鈥淲hat do we spend money on this year? Do we spend it on roads or do we spend it on children鈥檚 programming parks and rec?
The lack of personnel means cities may take less precautions. That鈥檚 what makes them targets, she said.
鈥淪ometimes we get caught up in thinking that we have to have the greatest technology, and it鈥檚 really the human factor and making sure that we have our people trained,鈥 said Fleming.
Making small steps like finding free or state-sponsored training and getting liability insurance makes a difference.
For Texas to make progress, many are arguing cities first have to talk about it.
Paul Flahive can be reached via email at Paul@tpr.org or on Twitter .
Copyright 2020 Texas Public Radio. To see more, visit . 9(MDAxODQzOTgwMDEyMTcyNjI4MTAxYWQyMw004))
