Two years later, Potter County Judge Nancy Tanner still remembers it as “absolutely the worst, worst month.”
In April 2019, the county that includes Amarillo was hit by a ransomware attack. A breach of Potter County’s computer systems was spread by a malicious email with the immediate effect of making those machines inoperable for about 600 employees. Some data was permanently lost, and work completely stopped as the county’s six-person IT department and law enforcement scrambled to find answers and get systems back up and running.
“They shut us down. They shut us down for quite some time,” Tanner said. “It was just devastating, the darkest day ever.” The county declined to pay the ransom, believing that even if it did, it would not get all of its data back and would continue to be targeted. Some of the data, such as emails and case files, was never recovered.
The direct cost of recovering what was salvageable came to $26,738, Tanner said, but the county also paid more than $100,000 in overtime pay to employees and other expenses related to the cyberattack. In total, more than a quarter of a million dollars was spent dealing with the online attack.
“It’s never happened to any other judge before,” Tanner said. “And what good does it do? They didn’t get any information they were wanting to get. They just did it to be mean, you know?”
Potter County is only one of dozens of Texas counties that have been dealing with cyberattacks, malware and other malicious attempts to hijack data or collect funds from local governments over the past few years. The 2019 attack hit at least 22 Texas counties, and in the last year, victims of other hacks have included Bowie County, the city of Lubbock and school districts across the state. Some cyberattacks involve viruses or malware that spread when someone clicks on a malicious link in emails or through the installation of infected software. Others include planned systemic breaches of computer networks and demands for payment, often in the form of Bitcoin cryptocurrency, which can be harder to trace than cash.
There was a steady uptick in county cyberattacks reported from 2016 to 2019, and the number of attacks in 2020 matched 2019’s peak, according to Robert Ruiz, Risk Management Services Associate Director at the Texas Association of Counties. The 254 county governments in Texas are particularly vulnerable to attack because they are typically decentralized and have small IT departments.
“The very structure of county government is a challenge when it comes to response and how quickly they can adapt to it. It comes down to the human factor,” Ruiz said. “Any employee who has access to a computer system, a network for the county, and even our vendors can be a potential access point for these bad actors. Any one of them can inadvertently undo the safety protocols a county might have in place, no matter how much they’ve spent.”
Ruiz said counties can follow what’s known as the 3-2-1 for computer security: “Three sets of backups on two different types of mediums (hard drives and encrypted online backups, for example), one of them off-site.”
Not long after the Potter County attack, Jackson County was also dealing with an attack on its systems. Just after Memorial Day 2019, computers in the Sheriff’s Office were compromised by the RYUK virus, which encrypted the county’s systems and demanded a $380,000 Bitcoin ransom.
“Our IT providers knew this was serious stuff,” said Jackson County Judge Jill Sklar. “We were in over our heads. We did not know who to turn to.”
The county consulted the FBI, which went after the criminals, while Sklar and her team worked with the Texas Department of Information Resources. That led to Sklar filing the state’s first cyber emergency declaration.
Comparing the attack’s aftermath to a major disaster like a hurricane, Sklar said the encryption meant the data was still there but was completely unusable. If they were paper files, Sklar said, it would be like “ripping the label off every one of those files and just throwing it on the ground.”
Since the attack, the county has worked with a private security company to lock down its systems, making them less accessible and open to changes from employees, but much more secure.
“Whereas before, you got in one door, you got in all doors. Now you make it in one door, you’re not going anywhere else,” Sklar said. “It really isolates any type of threat that may happen.”
Justin Vasquez, who’s been the IT manager for Atascosa County for six years, said there have been some isolated hacking incidents in the district court and tax offices, but some advanced preparation has averted disaster in several instances.
A mix of hardware firewalls, good training of county employees and the practice of regularly backing up data systems has kept the county from falling victim to ransomware, he said.
“As long as you have regular backups, you don’t even have to deal with the person that actually sent the ransomware because you can recover all your files and get it all back in place.”
Vasquez also sends updates to the county’s 300 employees with tips on what to do when receiving suspicious emails.
Sam Curry, chief security officer at the Boston-based cybersecurity firm Cybereason, which has offices in Austin, said local governments are frequently a juicy target for hackers because they “sit at a perfect balance between ability to pay and relatively low security.”
Compared with banks, hospitals and defense departments, which have invested in security infrastructure for decades, Curry said, counties are more likely to have holes in their networks that are easily exploited. Many local governments that built their network more than two decades ago are now dealing with smart devices, internet-connected 911 networks and streetlights, and other critical services that are vulnerable to online attacks.
If counties aren’t spending money on security to keep up with increasingly complex networks, “then you don’t have a strategy,” Curry said. “What you have is liability avoidance, and it’s actually incentivizing the attackers.”
In addition to security spending, Curry suggests that smaller counties without enough funds work with neighboring local governments to pool their resources to develop multicounty projects. He also said local governments should have a plan in place for who should be contacted when a breach occurs and run practice simulations of phishing schemes and ransomware attacks. TAC Risk Management Consultants can assist counties with such planning; find yours at www.county.org/County-Risk-Management-Map.
One fact many counties don’t know, he said, is that it may be illegal to pay a ransom depending on who’s attacking.
“If it’s a terrorist or criminal organization, you may not legally be allowed to do so,” Curry said. “The first thing you should do is bring in a lawyer; they will find that out for you.”
Curry, Ruiz and the county judges interviewed for this story agreed that training is the most critical component for keeping government systems safe; every employee who uses a computer or has access to these networks needs to be well-versed on avoiding phishing links and following other security protocols.
The Department of Information Resources is the agency tasked with approving training programs across the state. Nancy Rainosek, the state’s chief information security officer, said that it has been important to offer free training options to local governments that can’t afford a paid option. The agency also offers a popular 28-minute YouTube video version on “Cybersecurity Awareness,” as well as a Spanish version of the training, all of which reiterate that for each government employee, security is a shared responsibility.
“It’s important they take the training,” Rainosek said. “We’ve had whole counties brought down with ransomware because somebody clicked on a link in an email and got infected. Cybersecurity is everyone’s responsibility.”
Be on the lookout for these new cyber laws
This year, the Texas Legislature passed a bill that denies criminal grant program funds to counties that haven’t gone through a cybersecurity training program certified by the Department of Information Resources. The certification deadline has moved from June of next year to Aug. 31, 2022. In fiscal year 2020-2021, 85% of Texas counties reported completion of the required training, according to the DIR.
The Legislature also passed a bill that requires counties to report security breaches to the Office of the Attorney General if the breach involves at least 250 residents.
To learn more about new state laws that affect Texas counties, read TAC’s 2021 Legislative Analysis Report.