The ransomware attacks against more than 20 Texas towns this week are significant. Though little is known about the origins of the attacks, the spread of ransomware across small-town America has exposed a deep problem in how the country approaches cybersecurity. That's because local governments commonly share single service providers, making many vulnerable at once. On top of this, ransomware has often been used to mask more targeted, malicious activity by nation-states, and there are clear indications this will happen again in the future. Ransomware, which is malicious software that spreads across networks and shuts down computers until a ransom is paid, can have a significant impact on the technology that runs local services, including water, power, wastewater treatment and emergency services.

Shared service providers, small towns

Small towns can't afford significant information technology departments, so they frequently outsource those services to managed service providers, who in turn use the same software and same applications for all of the governments they serve, explains Chris Morales, head of security analytics for Vectra AI, a cyberthreat detection company. That ubiquity makes them vulnerable to one big attack and provides a big target to criminal hackers who want to increase their odds by hitting as many at once as possible, he said. Two Texas municipalities caught up in the recent spate of ransomware have now confirmed that an unnamed managed service provider was exploited. There is no quick, easy solution to this problem, said Morales. "They work off a tax budget," Morales said. "Can you imagine telling taxpayers you are spending millions on cybersecurity when there are potholes in the roads?" In addition, small towns aren't subject to wider initiatives to secure government infrastructure, such as the relatively recent designation of elections infrastructure as critical. Indeed, smaller towns and cities are "largely under-funded, and live on what we call the 'edge of existence' in terms of cyber," said George Simonds, president of cybersecurity company InfraShield and founder of the International Critical Infrastructure Security Institute. "Ransomware is a threat that basically everyone is facing," Simonds said, including local governments and counties, large cities and utility providers. Simonds agreed that there is no quick budgetary fix for the problem.

Ransomware as a cover story

This long-term, widespread budgetary issue is a problem, because while criminals may be exploiting cities in this latest round of attacks, hostile nation-states often use attacks like these as a convenient cover for more insidious activity. Two of the largest-ever single-incident ransomware attacks, known as WannaCry and NotPetya, took place in 2017. The attacks shut down health-care services by Britain's NHS, hobbled the logistics operations of shipping giant AP Moeller-Maersk and stymied the production of the HPV vaccine by drugmaker Merck, among a slew of other case studies. But the attacks weren't "ransomware" in the traditional sense. These attacks netted a relatively paltry profit for the instigators and are largely believed to have served as a way to spread chaos rather than obtain funds. WannaCry was ultimately attributed by the U.S. government to North Korea and NotPetya to the Russian military. The Texas attacks have not yet been attributed to any group, and investigating the origin of the attackers is taking a backseat — as it usually does — to containing the situation, according to the state's Department of Information Resources. But if city systems are susceptible to this kind of damage, even if from simple criminals, they would be just as susceptible to an attack from other hostile forces. The DIR originally said 23 towns had been affected, then it lowered the number to 22 without explanation.

A worrisome connection to services