Local Idaho governments are vulnerable to cybersecurity attacks

Government IT departments are increasingly the target of cybersecurity attacks that not only put the public’s personally identifiable information at risk but can cost taxpayers money.

“It’s a huge problem,” said Lt. Gov. Brad Little, who served as chairman of a task force that recommended the creation of a state office of cybersecurity. “All the municipalities – city, county, school district, highway districts, ditch companies – all of them, literally everybody, needs to be doing their homework on what they need to be cyber-resilient.”

Idaho governments have been relatively lucky. The state has been hit by a few attacks, most recently on the legislative website and at the Idaho Tax Commission, as well as previous attacks on computers at the Idaho Department of Fish & Game.

On a local level, the Teton County website was electronically vandalized by a common web attack mechanism, an SQL injection attack, in February 2017. “We had some people deface our website with an SQL injection attack,” said Greg Adams, IT administrator for the county, in Driggs. “It was down for maybe an hour. We had it back up in that time and it wasn’t that big a deal. It didn’t get into our network.”  And did the county plug that security hole? “You betcha,” he said. “We’re immune to SQL injection attacks now.”

But Teton County wasn’t alone. “Bingham [County] got nailed,” Adams said.

Bingham County officials didn’t want to comment, but according to published reports at the time, the county was the victim of an unrelated attack around the same time. The attacker first looked for unprotected software ports on county servers, which were then used to gain administrative access, and then to corrupt files. The county was told to pay approximately $28,000 to get access to its files. Instead, the county resorted to backups and restored the data itself. But in the process, it reportedly spent more than $100,000, along with $3,000 it eventually paid in ransom for three servers that had not been backed up.

And Bingham County was lucky. A March attack on Atlanta, Georgia, with a $50,000 ransom ended up costing the city more than $2.7 million, according to published reports. And attacks on local governments are increasing. The Jerome School District was also reportedly the victim of an attack in December 2017; the district did not respond to inquiries.

One organization working to help is the Multistate Information Sharing and Analysis Center (MS-ISAC), based in East Greenbush, N.Y., and funded by the Department of Homeland Security to provide cybersecurity services to those entities nationwide, said Brian Calkin, vice president of operations.

The organization has 3,000 members. Idaho members of MS-ISAC include the state cybersecurity office, as well as Ada, Canyon, Fremont, Latah, and Valley counties; Boise State University and Eastern Idaho Technical College; the cities of Boise, Idaho Falls, Jerome, Meridian, Nampa, Pocatello, and Sandpoint; and the organizations Association of Idaho Cities and the Idaho Counties Risk Management Program, which had insured Bingham County.

Backups can help, Little said, as well as standard cybersecurity practices. “All these little entities of government we have in Idaho have got to be aware of the risk, and they have to do their training and have a backup and have their patches up to date.” And governments can’t simply rely on antivirus software to help. “There’s no shortage of vendors that show up at their meetings and want to sell them stuff,” he said. “But the issue of buying McAfee or Norton or whatever, people have to realize that doesn’t do it anymore.”

But like the Idaho State Tax Commission — which recently fell prey to a phishing attack, where a piece of email purports to be from a trusted source to get a person to click on a link or open an attachment with malware – governments remain vulnerable, Calkin said. One of MS-ISAC’s services is to perform phishing exercises, where it sends out controlled email to see how many employees fall for it. “We see, on average, that we can get 20 percent of an organization’s population to do whatever we ask them to do,” he said. “Typically all you need is one person, and that’s enough to compromise an organization.”