Via College of Information / By Laurie Robinson
UMD researchers created a tool that allows county governments to assess their cybersecurity risks and make adjustments
In November 2020, a ransomware attack targeted the Baltimore County school system, causing severe and prolonged issues, particularly affecting retired teachers. As a result of the attack, the system used for managing and updating medical insurance payments was compromised. This left retired teachers unable to adjust their insurance payments, even if they had changed their policies.
The attack highlights the vulnerabilities in digital infrastructure within county governments across the country and raises concerns about the ability to secure sensitive information and the government services provided to county residents. Charles Harry, associate researcher at the University of Maryland (UMD) School of Public Policy, Ido Sivan-Sevilla, assistant professor at the UMD College of Information (INFO), and Mark McDermott, from the UMD Center for Governance of Technology and Systems, have created a tool that allows county governments, including those in the state of Maryland, to assess their cybersecurity risks and make adjustments so that events like the one that happened in Baltimore County are less frequent.
They apply their measurement tool to 3,095 U.S. county governments (98 percent of all counties in the country), an under-protected sector. “US government counties are often a neglected space when it comes to cybersecurity. They’re underfunded, they don’t have enough resources, they struggle to maintain cyber resiliency,” says Sivan-Sevilla.
The strategic visibility tool they created enables continual monitoring. “There is no silver bullet, there is no single way to look at this. This is yet another tool, but it is a tool that is scalable, and that is repeatable,” says Harry.
“The process is fully automated. That’s why we can run it every day, every week, whenever we want, to get an accurate picture of the attack surface exposed by county governments,” says Sivan-Sevilla. This dynamic approach is crucial for keeping pace with the cyber threat landscape. Policymakers can monitor changes in vulnerabilities, trace how quickly recommended patches are applied by the different counties, and measure the impact of investing billions of dollars in national defense, ensuring resources are effectively applied.
“If you find a critical problem and you ask all the systems, ‘Please patch your systems immediately. There is a new zero-day attack that was just revealed,’ policymakers using the methodology can actually follow and see how quickly counties respond to those demands,” says Sivan-Sevilla.
Impact and Visibility
The project is deeply aligned with the U.S. government’s strategic blueprint, known as the Solarium Commission report, which advocates for a risk-based approach to defense. While the industry excels in deep specialization for protecting specific sectors, the big challenge for the federal government arises when it needs to manage and govern elements beyond its direct control, such as county and local-level infrastructures.
The project aims to establish partnerships that support a proactive communication approach. “We possess the capability to automatically notify technical contacts monthly if an issue arises,” says Harry.
The researchers suggest two explicit measures for the attack surface that complement one another and can give a holistic understanding of the risk that county governments pose to national resilience. Hackers often exploit valid accounts through stolen credentials obtained via data breaches. One future research path for this project will be cross-referencing stolen credentials from the Dark Web with publicly available services that are open to exploitation across counties.
The researchers advocate for the creation and implementation of capabilities that offer a comprehensive, holistic view of cyber defense. This transformative approach marks a significant shift and involves leveraging well-understood cyber concepts in novel ways.