Sounding the alarm about cyber-threats in the public finance arena

WASHINGTON – A cyber-attack last month against the Matanuska-Susitna Borough near Anchorage, Alaska that forced some employees to revert to using typewriters highlights how far-reaching this threat is for state and local governments and the municipal finance sector.

A new report on cyber-related risk released Wednesday by S&P Global said the credit rating agency hasn’t yet taken any rating actions based on any cyber-attack, but notes that “a successful attack on an entity with limited resources could have a credit impact.”

Eric Wyatt, the IT director for Matanuska-Susitna Borough, estimated his community was No. 210 among those hit by the same ransomware.

The S&P Global report said the municipal finance sector is particularly vulnerable because of the public reporting requirements that can be exploited by hackers.

“Because nearly every budget decision is in a public forum and all major infrastructure projects receive press coverage, it is easy for cyber-criminals to anticipate the timing of when decisions to access capital markets will happen, and when money will change hands,” S&P said. “Corporate entities also fund costly infrastructure projects, but those decisions are often made behind closed doors, making public transactions easier targets for opportunistic cyber-criminals.”

In 2017 Southern Oregon University was victimized by cyber-criminals who sent fraudulent instructions to change the routing numbers on the days of public bond sales, S&P cited as an example.

Emily Brock, federal liaison for the Government Finance Officers Association

Although Cyberseek.org estimates there are over 750,000 people employed in the U.S. cybersecurity industry, the S&P report said that same organization estimates there also are more than 300,000 unfilled positions in the same field. That makes filling those positions in state and local governments even more difficult.

Moreover, the report said, “Becoming a cyber-criminal is getting easier by the day. On the ‘dark web,’ one can already purchase ransomware that comes with a money-back guarantee should it not work, and some come with [frequently-asked-questions] akin to customer support.”

Tom Wagner, managing director for financial services operations and technology for the Securities Industry and Financial Markets Association, said the securities industry and its government partners are a target of cyber-attacks a daily basis.

“Cybersecurity is a top priority for SIFMA and the industry, and we are constantly working to improve cyber defenses, resiliency and recovery through massive monetary investment in technology and personnel, regular training, best practices development, and industry tests,” Wagner said.

The Government Finance Officers Association held sessions on this topic at each of its last two annual conferences.

“Our members are very aware of the cyber-risks in our environment, some members have been adversely impacted by cyber-threats,” said Emily Brock, director of GFOA’s federal liaison center. “We are working on several projects this fall in order to share best practices and mitigate the challenges cyber-risks pose to state and local governments.”

Last year the PBS Newshour reported on the rise of hacktivism, which is described as “a blend of hacking and activism for a political or social cause.” The number of hacktivist attacks rose to 160 in 2016 from 65 a year earlier, according to the Multi-State Information Sharing and Analysis Center.

Examples cited by PBS Newshour include the attack on Michigan’s state website to highlight the drinking water problems in Flint and the disruption of computer services in the wake of the fatal August 2014 shooting of Michael Brown in Ferguson, Mo.

Other recent examples cited in the S&P report include an attack that took Baltimore's emergency management system offline for hours, a hack into the District of Columbia’s police cameras, and an attack on Atlanta that will reportedly spend than $35 million to prevent future attacks.

For reprint and licensing requests for this article, click here.
Cyber security Cyber attacks Malware Credit reporting Government finance Munis Munis SIFMA GFOA Washington DC Alaska Oregon Michigan Maryland Georgia
MORE FROM BOND BUYER