Virtually at the mercy of hackers: The IT security situation in public administration remains more than critical

Ransomware attacks on public authorities are becoming more frequent. Experts agree that the IT security situation of local authorities is alarming.

The headlines about successful cyber attacks are not abating - on the contrary. The topic of IT security has meanwhile taken on central importance for companies, and most of those responsible have realised the dangers posed by hacker attacks. But what about the IT security situation in municipalities? Both financially and in terms of knowledge, the cyber security of cities in Germany often lags behind the minimum standards - with the result that it is often made too easy for cyber criminals to carry out successful ransomware attacks on public authorities.

Ransomware attacks on public authorities - examples from the recent past

In recent years, cyberattacks on state authorities have increased dramatically. The incident in the district of Anhalt-Bitterfeld has attracted particular attention. In early July 2021, the district administration declared Germany's first cyber disaster. Large parts of the IT infrastructure had fallen victim to a ransomware attack on the authority. The cyber criminals encrypted entire servers. As a result, authorities such as the vehicle registration office had to suspend services and payments in the area of social and youth welfare were also cancelled. Even weeks after the incident, the administration was still struggling to restore the systems.

However, this is by no means an isolated case. Between 2014 and 2021, there were over 100 cyber attacks on administrations, authorities and other state institutions in Germany. This is according to information from the interior ministries of the federal states and the federal government. The number of unreported cases is even higher, as no data is available at all from some federal states such as North Rhine-Westphalia, Hesse or Berlin.

There are also known cases of ransomware attacks on public authorities in Germany, in which public institutions gave in to the blackmail of the hackers. In 2019, for example, the Stuttgart State Theatre paid 15,000 euros to regain access to its own data. Thus, taxpayers' money also flows into the hands of cybercriminals.

The current IT security situation of municipalities

The number of cyber security incidents and the associated effects and reactions of municipalities allow us to draw realistic conclusions about their current IT security situation. Even if in principle there is no complete security against cyber attacks, the reported cases certainly show serious - and thus high-risk - deficiencies in the cyber security of cities, authorities and other public institutions.

Examples of this are the incidents in the Stuttgart State Theatre and in the Anhalt-Bitterfeld district. In Stuttgart, those responsible were forced to respond to the blackmail demand. So the alternative seemed to be a complete loss of data. This reveals that no backup and recovery strategy was in place. The situation is similar for the administration of the district of Anhalt-Bitterfeld. Since it took weeks until the most important authorities were somewhat operational again, there seems to be no or only insufficient incident response readiness in the case of ransomware attacks on authorities.

The analysis of the incident in Anhalt-Bitterfeld also revealed that the security vulnerability used by the cybercriminals had been known for some time. Although the municipality affirmed that the corresponding security update was promptly applied to close the gap, deficiencies in the incident response readiness of the municipalities can be deduced from this. On the one hand, it seems possible that the necessary security update for the Windows operating system was not installed quickly enough or not on all computers in the network. This suggests that the update routines in the administration are in need of improvement. On the other hand, it seems that the cybercriminals were active in the administration's network for a longer period of time without being noticed. The attackers used this time to spy on the structures of the network and distribute the ransomware on as many servers as possible. Obviously, a solution was lacking at this point that is capable of promptly recognising unusual activities of unauthorised users in the network.

Although there are guidelines from the Federal Office for Information Security (BSI) regarding cyber security for cities and other public institutions, there is still a lack of control bodies. In addition, each municipality is responsible for managing its own IT (security). This ensures that the IT security situation of the municipalities can also be assessed quite differently. Some administrations have more financial resources than others, so that they were able to set up their IT security team on a larger scale early on and implement appropriate tools and comprehensive protective measures for their IT security.

The Saxony-Anhalt Association of Towns and Municipalities also recently pointed out this shortcoming. While some municipalities have a high level of IT security, the state director of the Association of Towns and Municipalities noted that other administrations still have a lot of catching up to do. A review of the IT security situation in the municipality of Wittenberg, for example, showed that improvements were necessary in some areas of IT security. The district of Harz began building a new data centre because of what happened in Anhalt-Bitterfeld. In doing so, those responsible attach importance to implementing the current state of the art in IT security, as required by the BSI.

The current IT security situation of the municipalities shows that the government did not foresee the disproportionately rapid increase in cyber threats. Experts assume that it will take years before a uniformly high level of cyber security is achieved in cities and municipalities. Some IT security experts also complain that the foundation for this goal has not even been laid. The specifications for IT security, including a control body, must be established by the federal government and the state governments.

These forms of cyber attacks threaten cities and municipalities

The cyber security of cities and other public authorities must deal with a broad front of cyber threats. The everyday threats of malware or viruses are only one factor. However, these malicious programs are harmless compared to ransomware attacks on government agencies. These are usually targeted, planned and manually controlled attacks. Behind such cyber attacks there is usually a high level of criminal energy as well as financial interests. The focus on IT infrastructures of public institutions is no coincidence. Hackers are of course also aware of the weak points in the IT security of municipalities and cities. On the one hand, this makes it easier for attackers to penetrate the systems. On the other hand, the chances of successful blackmail are greater, as it is likely that the authorities also have weaknesses in the area of disaster recovery management.

Once the attackers have found a gap in the cities' cyber security, the ransomware is distributed as widely as possible. In this way, the cyber criminals try to cause as much damage as possible. If the hackers manage to completely paralyse authorities with ransomware attacks, the administrations come under massive pressure to act as quickly as possible. Especially the administrations of municipalities and cities depend on their ability to act, otherwise parts of public life will come to a standstill. This increases the chance for criminals that those responsible will respond to the ransom demand in order to regain access to their own data.