Most Kansas counties’ websites lagging behind on cybersecurity

Topeka — When it comes to cybersecurity, most Kansas counties are behind.

Overall, only eight county websites end in .gov, a domain extension that’s only given to governments. Most of Kansas’ 105 counties, including Douglas County, have websites ending in .org or .com.

And 60 counties don’t use a basic security protocol called SSL; their website URLs start with “http” rather than the more secure “https.”

Both shortcomings make it easier for hackers to impersonate websites in an effort to install malware, trick residents into giving out personal data or sway elections.

Experts say it could be a serious concern for smaller governments, which may not be able to afford stronger protection at a time of increasing cyberattacks. The result could put residents’ personal data at risk.

It’s fairly common for companies to have subpar cybersecurity, and local governments are no exception, said Allan Liska, an analyst at security company Recorded Future.

“If you’ve got the choice of potentially protecting against a ransomware attack or stopping people from dying from heroin overdoses, you’re going to pick the stopping people from dying from heroin overdoses every time,” Liska said. “That is the story that these IT people that work for these state and local governments were hearing over and over.”

Even adequate security measures can be expensive. They include training for employees to recognize phishing and other scams, antivirus software, firewalls, updating old programs that could have vulnerabilities, and hiring enough IT staff to handle it all.

Security concerns have become more prominent as local governments have become a more frequent target of cyberattacks, such as ransomware, in which hackers hold data hostage in exchange for money. Local governments don’t have as much ability to pay to get their data back, Liska said, but they’re appealing targets nonetheless.

“You’re disrupting services to a whole lot of people,” he said. “They can’t pay their water bill or they can’t buy a house. They can’t register their car. Court dates have to move. All of these different things that now come because these services have been digitized.”

The increased risk of ransomware attacks has led more local governments to purchase cybersecurity insurance, said Tad McGalliard, director of research at the International City/County Management Association.

His group surveyed local government IT departments about cybersecurity in 2016. The organization plans to conduct another survey this year, and McGalliard expects the results will show that cities and counties are increasing their investment.

“There’s been much more proactive purchasing and upgrading of all the various tools that local governments can put in place to protect themselves,” he said.

Election tampering is also a concern. The Kansas Secretary of State’s office is providing counties with dedicated computers and iPads so voter registration systems don’t interface with the rest of a county’s IT system, which might cover a range of departments.

Plus, in smaller, more rural counties, an election official may also be a county clerk who takes payments and files business documents, office spokeswoman Katie Koupal said.

“The best way we can ensure that voter data is protected and not compromised is by providing local election officials with these devices,” she said.

Small county, big county

The website for Cloud County in north-central Kansas doesn’t use SSL and ends in .org. It doesn’t worry IT Director Jerry Collins, though. He’s reassured by the fact that the site is hosted by an in-state company and is mainly a resource for county information.

Cybersecurity for the local landfill is basic, he said. But for other departments, like the courthouse, it’s more serious.

“Where we have the personal data on people,” Collins said, “I have everything pretty tight.”

Collins is the only IT person working for the county. Sometimes, the government outsources more complicated IT tasks to private companies.

In 2018, a ransomware attack happened on the same day the county was scheduled to switch out its servers for new ones. Collins had just backed up all the data and already reached out to the outside IT companies for help with the move. The servers were only down for a day and the county didn’t need to pay the ransom.

“We were pretty fortunate,” Collins said. “We just took the old out, put the new in and put all of our stuff back on from our backups.”

He admitted money is a concern, but it’s no different than the rest of the industry — where it’s common to just choose the best antivirus program you can afford.

“It can get expensive if you try to cover everything,” he said. “It’s kind of like a balancing act of how much security you can get for your money, but not go overboard.”

Budget is less of a concern in Johnson County, one of the state’s largest and most prosperous local governments.

Chief Information Officer Bill Nixon, who heads one of the county’s four IT departments, oversees more than 100 employees.

He’s only been on the job for about six months, but said he’s been impressed with the amount of cybersecurity training employees get. He also tries to use funding and support from the federal government.

“I’m taking advantage of as much of those as possible to reduce the cost to the county,” he said.

Johnson County doesn’t have a .gov domain. But to prevent impersonation, it bought out a few similar domain names. It also pays for a registry lock, which helps prevent its domain from being stolen.

It pays to have as many protections as possible, Nixon said, like multiple firewalls and backups.

“In the security world, you always want to have layered security,” he said. “You don’t want to have just one control, one key to the door.”

— The Kansas News Service, ksnewsservice.org, is a collaboration of KCUR, Kansas Public Radio, KMUW and High Plains Public Radio focused on health, the social determinants of health and their connection to public policy.
