The big picture: Cyberattacks targeting government institutions are nothing new, but they may be approaching new levels of severity. Recent cases this fall reveal that entire municipal or even national governments could be vulnerable to major disruptions from cybercriminals. The effects can knock whole populations decades back in time technologically.
Since early November, the government of the Pacific Island nation of Vanuatu has been offline due to a cyberattack. Details on the nature of the attack are still unclear, and only around 70 percent of government services have been restored after a month.
Vanuatu’s newly elected government started noticing problems with official computer systems on the first day of its term on November 6. Eventually, all government computer services were disabled.
Officials couldn’t access government email accounts, citizens couldn’t renew their driver’s licenses or pay taxes, and medical and emergency information became inaccessible. For many everyday functions, the country reverted to pen and paper.
The government admits that it detected a breach in its centrally-connected systems in early November but won’t say any more. Some sources, including the press in nearby Australia, which sent specialists to help repair systems, claim the incident was a ransomware attack. However, Vanuatu’s government hasn’t yet confirmed the nature of the breach.
One reason to believe it could be ransomware is that a very similar incident occurred in a New York county about a month before Vanuatu’s government systems shut down.
On September 8, Suffolk County detected a ransomware attack and responded by shutting down its computer systems. The blackout affected government divisions ranging from the police to social services, which were forced to revert to early 90s technology for weeks. That meant using radio dispatches, paper checks, and fax machines.
Furthermore, the county announced that the attackers stole citizens’ personal information like driver’s license numbers. A county executive blamed a cyber gang called BlackCat – previously known for attacks in Italy and Florida.
Little information has emerged about Vanuatu’s level of preparedness before its incident, but concerns from Suffolk County officials were rebuffed months before the September attack. The US county’s computers weren’t using two-factor authentication and ran on obsolete computer systems that would be too expensive to upgrade.
Regions like Suffolk County or small countries like Vanuatu make for ideal cyberattack targets due to their lack of resources compared to large governments. Because there are many other small targets across the globe for cybercriminals to hit, similar incidents will likely occur in the future.