
Digital supply chain challenge to cities and counties—another cyber minefield to navigate


  • Written by Dr. Alan R. Shark
  • 15th September 2021

As cities and counties have steadily turned to managed service providers to improve and secure their networks, a new type of cyberthreat has emerged that greatly undermines trust. The irony is that many turned to managed service providers precisely because they promised greater cyber security and hardened system protections. Perhaps managed services sounded too good to be completely true as cities and counties looked to their providers for more secure ways to manage and protect their networks from cyber intrusions. A rash of incidents in mid-2021 undercut all such blanket assurances and promises. Supply chain hacks are not new, but like all cybercrime they have become more pernicious.

The Colonial Pipeline hack is a prime example of a “traditional” supply chain hack, in which a ransomware attack caused one of the largest oil supply pipelines to cease operation for less than a week, leading to gas outages, shortages and higher prices. Most thought of supply chain issues as something focused entirely on getting parts and materials to suppliers in the most expeditious manner possible. In addition, the pandemic highlighted supply chain issues such as limited furniture availability due to shortages of lumber and foam. Makers of cars, trucks, boats and even appliances had to cut their production lines due to shortages of essential computer chips.

Physical or traditional supply chain issues can certainly be disruptive—but so too can digital supply chain issues. As reported, what are now being referred to as digital supply chain attacks have proved to be particularly worrisome. When a customer of a cyber services company or managed service provider downloaded an update, it was once reasonable to assume the update had been fully vetted.

Until recently, few saw how supply chain hacks could occur in the cybersecurity environment. Then the cyber threat landscape presented no fewer than three digital supply chain hacks. Threat actors successfully compromised technology supply chains and used them to reach their targets’ customer bases, giving them unprecedented access to thousands of unsuspecting customers. This led to large-scale attacks on governments and enterprises, impacting small and large businesses, local governments and hospitals. The SolarWinds, CodeCov and Kaseya attacks are prime examples. Threat actors were able to gain entrance to these companies’ ecosystems through unknown vulnerabilities and backdoor supplier support chains.

SolarWinds is a major cybersecurity company that provides system management tools for network and infrastructure monitoring, offering technical services to hundreds of organizations around the world through its Orion software product. More than 30,000 public and private organizations—including local, state and federal agencies—use the Orion network management system to manage their IT resources. Threat actors were able to infiltrate at least nine U.S. agencies and about 100 companies, plus hundreds of electric utilities in North America. The hack compromised the data, networks and systems of thousands as SolarWinds inadvertently delivered malware as a “routine” update to the Orion software.

CodeCov offers a software development tool that hackers broke into, allowing threat actors to gain access to hundreds of networks belonging to the firm’s customers. Again, by gaining access to the customer base of a company that supplies digital products and services, cyber criminals were able to penetrate those networks and find a plethora of opportunities to use ransomware against unsuspecting customers.

Kaseya, another well-respected tech-management company, found that as many as 1,500 customers across the private and government sectors had their operations paralyzed by a ransomware attack on its system, through which threat actors were able to carve a pathway to its entire customer base. At least three local governments were impacted.

Leonardtown, Md., was one of the first local governments to be hit with a ransomware attack as a result of the Kaseya hack. But thanks to the quick thinking of the town’s outsourced IT managed service provider, which was on it almost immediately, the situation was successfully mitigated for the town and more than 100 other customers—almost at the same time.

These three instances provided an early warning of the dangers of digital supply chain hacks, in which cyber criminals were able to embed themselves into a company’s customer base and thus hitchhike along with their malware—greatly multiplying the damage and threat. Of course, managed service providers at all levels of support are painfully aware of this and are working on hardening their systems and seeking immediate remedies.

The lesson here is that we can never allow ourselves to be complacent, as threat actors consider their work a rather profitable 24-hour profession—they are always seeking new weaknesses to exploit. It is completely understandable for cities and counties to seek out managed service providers, as they have struggled to maintain on-premises systems with the latest cyber defenses, let alone to attract and retain qualified cyber expertise. As convenient and even necessary as it was to place such trust in a managed service provider, it must be remembered that cyber responsibility can never be signed away by contract or delegated in any form or fashion. Cities and counties are still viewed (legally and morally) as the rightful stewards of citizen records and information. As with any cyber security risk assessment, careful attention needs to be paid to a managed service provider’s security protocols, as well as its plans for restoring records and systems in case of a cyber hack, as if the governing policies applied on premises.

 

Dr. Alan R. Shark has been the executive director of the Public Technology Institute (PTI), now part of the Computing Technology Industry Association (CompTIA) in Washington, D.C., since 2004. He is a fellow of the National Academy for Public Administration and chair of the Standing Panel on Technology Leadership. Shark also is an associate professor for the Schar School of Policy and Government, George Mason University, and is course developer/instructor at Rutgers University Center for Government Services. His thought leadership activities include keynote speaking, blogging and conducting a bi-weekly podcast called “Sharkbytes,” and he is the author or co-author of more than 12 books, including the nationally recognized textbook Technology and Public Management as well as CIO Leadership for Cities and Counties.
