New cyberattack risk seen for state, local governments in U.S.

Municipal bond market experts say a new form of cyberattack, driven by different motives than ransomware, is on the rise.

So-called "havoc-based attacks" are launched simply to cause damage to the victims, in contrast to the financial motives behind ransomware.

Congressional testimony last week from the FBI director and federal cybersecurity director about China "further illustrates the fact that cyber assets are being used as geopolitical weapons, and the threat level for havoc-based cyberattacks is rising," said Tom Kozlik, head of public policy and municipal strategy for Hilltop Securities.

Bloomberg News

"When assessing credit risk in public finance it is important for investors to consider management and technological related steps being taken to protect infrastructure assets," he said.

The rise of havoc-based attacks is more serious because the intent is to disrupt or destroy, while ransomware users are just after money, said Omid Rahmani, a Fitch associate director who specializes in cybersecurity. Ransomware attackers can be negotiated with, and may return systems undamaged once they get what they want, Rahmani said.

The pair said they first noted the rise in havoc attacks when Russia invaded Ukraine, and then again in December when the FBI revealed the Aliquippa water authority in western Pennsylvania was the victim of such an attack, as were other unnamed water authorities.

Last week, the Department of Justice announced it had halted attempts by a Chinese government-sponsored hacking ring to conceal its preparations for attacks on American critical infrastructure at home by using a network of bots that infiltrated routers used by small businesses and remote workers, part of an operation named Volt Typhoon.

"China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike," FBI Director Christopher Wray testified last week before the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party.

The Volt Typhoon malware enabled China to hide "pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, and water sectors," Wray said.

"Steps China was taking, in other words, to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous," Wray said. "And let's be clear: Cyber threats to our critical infrastructure represent real-world threats to our physical safety."

Kozlik also noted the tone and the specificity of the targets described during testimony by Wray and Cybersecurity and Infrastructure Security Agency Director Jen Easterly about the Volt Typhoon cyberattack, is unprecedented.

"This is something I have been following for quite some time," Kozlik said. "What was really striking to me is the direct language the leaders were using."

FBI and CISA directors would not be singling out targets like the water authorities and transportation systems if they didn't think there was a threat, Kozlik said.

Easterly said Chinese cyber actors are burrowing deep into critical infrastructure to be ready to launch destructive cyber-attacks in the event of a major crisis or conflict with the United States.

"This is a world where a major conflict halfway around the globe might well endanger the American people here at home through the disruption of our gas pipelines; the pollution of our water facilities; the severing of our telecommunications; the crippling of our transportation systems — all designed to incite chaos and panic across our country and deter our ability to marshal military might and citizen will," Easterly said.

Easterly described China's hacking program as so large that even if each one of the FBI's cyber agents and intelligence analysts focused exclusively on the China threat, China's hackers "would still outnumber FBI cyber personnel by at least 50 to 1."

Kozlik said the point the U.S. needed to begin thinking about protecting against havoc-based attacks was after Russia invaded Ukraine.

"But the threat from Russia and Iran is different from China," he said. "They might be similar intrusions, but the scale at which China can do this is much greater than other countries."

A havoc-based attack requires a "different type of response than a garden variety ransomware attack," Rahmani said. "We are coming to an era where you can't expect cyberattacks won't happen to you. You have to be prepared for it, and the type of attack that could result in loss of life requires a much more robust response plan. That kind of response plan is not universal across the muni world."

He added that an insurance industry shakeup that began in 2022 means the policies state and local governments and agencies had come to rely upon for risk transference in the case of a ransomware attack may no longer be available, because the prices went up and the level of coverage declined.

The best protection is for operators to be very familiar with their infrastructure, Kozlik said. They should know what virtual and physical assets they are running, and have manual overrides so that people can still communicate with each other if the technology goes down, he said.

"They have the protocol, technology and means to run whatever enterprises they are running manually," Kozlik said. "This is important, because that is no longer the case with many infrastructure systems."