At least 20 local government entities in Texas found themselves targeted by successful cyber attacks this past weekend. This follows attacks on Atlanta that crippled the city government, attacks in Baltimore that cost more than $18 million, and attacks in Florida, which stood out from so many others because Riviera Beach’s city council voted publicly to pay the $600,000 ransom demanded by hackers. I wonder if that city will be a target again?
This slew of attacks makes one wonder why our cities and towns are being targeted. There are surely a number of national security reasons why a foreign adversary might want to hit our local governments with sophisticated cyber attacks, but a simpler — and likely more common — explanation is that hackers like to hit governments for the same reason lawyers like to sue governments: a city is not going anywhere, has significant revenue, and is likely to just want to make the problem go away.
Much attention has been paid to election security in our country and in North Carolina, with our State Board of Elections deliberating over which voting machines are most secure. But election security — while crucial — must not be the end of our government’s cybersecurity discussion. Local governments, commercial businesses large and small, and even nonprofits must all have the resources they need. Imagine if the online deeds system were disabled by hackers. Or if a city’s largest private employer had its systems crippled. Or if racist radicals hacked a synagogue’s or minority-majority church’s membership list with addresses. There are more examples of why a broad approach to cybersecurity policy is needed, but the takeaway is the same: any change in laws or resources regarding cybersecurity policy must take a holistic view of the problems.
To the state legislature’s credit, there is a bill proposed in the House, HB 904, which would expressly require businesses and nonprofits to take reasonable steps with regard to cybersecurity or face the possibility of steep liability should harm occur. This is a good start, but not enough. It seems apparent to me that both carrots and sticks need to be utilized, and the existing bill would do little or nothing with regard to local governments’ cybersecurity.
A more holistic approach would be to set aside funds for grants to local governments and nonprofits so that they can secure their systems and for a tax credit for small businesses that do the same. That carrot should be paired with the stick of steep liability in the event of poor security and harm. Finally, a more holistic approach could give much more certainty to local governments, businesses, and nonprofits by creating “safe harbors”. That is to say, name cybersecurity frameworks in the law that we know from evidence will reduce the risk of harm from a cyber attack and make alignment with those frameworks a defense to most liability. A setup like this will not end the barrage of cyber attacks, but it will lessen the damage.
There is a healthy debate in the state legislature right now about what should be done with surplus revenue, with some arguing to expand programs and others seeking to spur economic activity. Regardless of the decision, part of that conversation should be whether we invest in protecting our citizens and institutions with a holistic state cybersecurity policy.