Virtually at the mercy of hackers: The IT security situation in public administration remains more than critical
by Svenja Koch
Ransomware attacks on public authorities are becoming more frequent. Experts agree that the IT security situation of local authorities is alarming.
The headlines about successful cyber attacks are not abating; on the contrary. IT security has since taken on central importance for companies, and most of those responsible have realised the dangers posed by hacker attacks. But what about the IT security situation in municipalities? Both financially and in terms of knowledge, the cyber security of cities in Germany often lags behind the minimum standards, with the result that cyber criminals often find it too easy to carry out successful ransomware attacks on public authorities.
Ransomware attacks on public authorities - examples from the recent past
In recent years, cyberattacks on state authorities have increased dramatically. The incident in the district of Anhalt-Bitterfeld has attracted particular attention. In early July 2021, the district administration declared Germany's first cyber disaster. Large parts of the IT infrastructure had fallen victim to a ransomware attack on the authority. The cyber criminals encrypted entire servers. As a result, authorities such as the vehicle registration office had to suspend services, and payments in the area of social and youth welfare were also cancelled. Even weeks after the incident, the administration was still struggling to restore the systems.
However, this is by no means an isolated case. Between 2014 and 2021, there were over 100 cyber attacks on administrations, authorities and other state institutions in Germany. This is according to information from the interior ministries of the federal states and the federal government. The number of unreported cases is even higher, as no data is available at all from some federal states such as North Rhine-Westphalia, Hesse or Berlin.
There are also known cases of ransomware attacks on public authorities in Germany, in which public institutions gave in to the blackmail of the hackers. In 2019, for example, the Stuttgart State Theatre paid 15,000 euros to regain access to its own data. Thus, taxpayers' money also flows into the hands of cybercriminals.
The current IT security situation of municipalities
The number of cyber security incidents and the associated effects and reactions of municipalities allow us to draw realistic conclusions about their current IT security situation. Even if in principle there is no complete security against cyber attacks, the reported cases certainly show serious - and thus high-risk - deficiencies in the cyber security of cities, authorities and other public institutions.
Examples of this are the incidents in the Stuttgart State Theatre and in the Anhalt-Bitterfeld district. In Stuttgart, those responsible were forced to respond to the blackmail demand, as the alternative seemed to be a complete loss of data. This reveals that no backup and recovery strategy was in place. The situation is similar for the administration of the district of Anhalt-Bitterfeld. Since it took weeks until the most important authorities were somewhat operational again, incident response readiness for ransomware attacks on authorities seems to be absent or insufficient.
The analysis of the incident in Anhalt-Bitterfeld also revealed that the security vulnerability used by the cybercriminals had been known for some time. Although the municipality affirmed that the corresponding security update was promptly applied to close the gap, deficiencies in the incident response readiness of the municipalities can be deduced from this. On the one hand, it seems possible that the necessary security update for the Windows operating system was not installed quickly enough or not on all computers in the network. This suggests that the update routines in the administration are in need of improvement. On the other hand, it seems that the cybercriminals were active in the administration's network for a longer period of time without being noticed. The attackers used this time to spy on the structures of the network and distribute the ransomware on as many servers as possible. Obviously, what was lacking here was a solution capable of promptly recognising unusual activities of unauthorised users in the network.
Although there are guidelines from the Federal Office for Information Security (BSI) regarding cyber security for cities and other public institutions, there is still a lack of control bodies. In addition, each municipality is responsible for managing its own IT (security). As a result, the IT security situation differs considerably from one municipality to the next. Some administrations have more financial resources than others, so that they were able to set up their IT security team on a larger scale early on and implement appropriate tools and comprehensive protective measures for their IT security.
The Saxony-Anhalt Association of Towns and Municipalities also recently pointed out this shortcoming. While some municipalities have a high level of IT security, the state director of the Association of Towns and Municipalities noted that other administrations still have a lot of catching up to do. A review of the IT security situation in the municipality of Wittenberg, for example, showed that improvements were necessary in some areas of IT security. The district of Harz began building a new data centre because of what happened in Anhalt-Bitterfeld. In doing so, those responsible attach importance to implementing the current state of the art in IT security, as required by the BSI.
The current IT security situation of the municipalities shows that the government did not foresee the disproportionately rapid increase in cyber threats. Experts assume that it will take years before a uniformly high level of cyber security is achieved in cities and municipalities. Some IT security experts also complain that the foundation for this goal has not even been laid. The specifications for IT security, including a control body, must be established by the federal government and the state governments.
These forms of cyber attacks threaten cities and municipalities
The cyber security of cities and other public authorities must deal with a broad front of cyber threats. The everyday threats of malware or viruses are only one factor. However, these malicious programs are harmless compared to ransomware attacks on government agencies. These are usually targeted, planned and manually controlled attacks. Such cyber attacks are usually driven by a high level of criminal intent as well as financial interests. The focus on IT infrastructures of public institutions is no coincidence. Hackers are of course also aware of the weak points in the IT security of municipalities and cities. On the one hand, this makes it easier for attackers to penetrate the systems. On the other hand, the chances of successful blackmail are greater, as it is likely that the authorities also have weaknesses in the area of disaster recovery management.
Once the attackers have found a gap in the cities' cyber security, the ransomware is distributed as widely as possible. In this way, the cyber criminals try to cause as much damage as possible. If the hackers manage to completely paralyse authorities with ransomware attacks, the administrations come under massive pressure to act as quickly as possible. The administrations of municipalities and cities in particular depend on their ability to act; otherwise parts of public life will come to a standstill. This increases the chance for criminals that those responsible will respond to the ransom demand in order to regain access to their own data.
These methods and measures increase the level of IT security in the municipalities
Due to the increasing number of cyber-attacks, the federal and state governments are now increasingly addressing the points raised in order to strengthen their IT and information security. The state government of Saxony-Anhalt, for example, launched an investment programme in July 2021, through which municipalities receive financial resources to increase data security. The federal government is also providing funding for IT security through the Structural Programme II and thus wants to boost investments in cyber security in cities.
An important point, however, is the current lack of uniform rules for IT security guidelines. Although the BSI sets guidelines for IT security, the implementation of these standards is often still deficient. This is mainly due to the lack of sufficient control mechanisms and mandatory certifications. A uniform level of security could be established among the IT administrations in Germany's municipalities through specifications and controls by the federal and state governments. It is precisely the infrastructures with the greatest weaknesses that benefit from such requirements, because it is here that IT security gaps are particularly noticeable and thus also dangerous. Such uniform IT security standards are indispensable to ensure that the responsible IT departments prevent ransomware attacks on public authorities in the future.
The second point, on the other hand, concerns concrete measures. It is clear that cyber attacks on cities and municipalities are successful because many administrations do not have certain IT security concepts in place or have not implemented them in a sustainable manner. This includes, for example, disaster recovery management. Even in the case of successful cyberattacks with ransomware, such a plan, built on backups and a strategy for recovery, enables cities and municipalities to get the affected systems up and running again within a short time.
Other weaknesses are evident in the area of proactive measures against undetected network intrusions. For critical infrastructure (KRITIS) institutions, the implementation of systems for the active detection of cyberattacks is mandatory from mid-2023. A requirement for integration into the IT infrastructures of municipalities and cities, however, is still missing. Such detection systems proactively identify network anomalies and thus promptly detect intruders in the network. In this way, hackers can be prevented from being active in the networks of public authorities for a long time without being detected and from planting ransomware there.
There is still a lot of room for improvement in the cyber security of cities and municipalities. Hackers are increasingly targeting public institutions and carrying out ransomware attacks on public authorities. The different standards of cyber security in cities and municipalities are a major challenge. Some administrations are well positioned in terms of IT security, others have gaps in sub-areas, and in some municipalities the level of IT security can probably still be classified as poor. Nationwide, uniform rules and regulations are important for the future IT security situation of the municipalities. State control mechanisms are needed for implementation in practice. Otherwise, the IT security situation will remain critical in the future, at least in individual municipalities.