- The Log4j vulnerability may expose public finance entities, including local governments, utilities and infrastructure to serious cyber risk, putting pressure on their operations and finances as bad actors feel emboldened to launch ransomware or other malicious attacks, according to Fitch Ratings.
- Many local agencies and facilities have high exposure to Log4j, which is found in hundreds of millions of devices and applications around the world. Many of these organizations have a limited number of information security experts on staff, use legacy technology and lack the resources to rapidly assess their level of exposure to the vulnerability, according to Omid Rahmani, associate director, U.S. public finance at Fitch.
- Cyber insurance coverage has become more difficult to maintain for these agencies and other local organizations, according to Rahmani. Premiums have risen sharply in recent years and insurance companies have increased demands for customers to conduct security audits and engage in best practices. In some cases insurers will deny coverage to organizations that fail to meet minimum standards.
The warning comes at a time when municipal governments and other agencies are under pressure from a combination of limited revenue following the COVID-19 lockdowns, staffing shortages from exposure of workers to the virus, and increased cyber risk from nation-state threat actors and criminal activity.
The limited funding and technical expertise has left many of these agencies exposed and unprepared to deal with sophisticated cyber threats that have debilitated more sophisticated organizations.
"There [are] a lot of proprietary or out-of-life Java-based applications that are used across the public finance world," Rahmani said during an interview. The demands on public servants are constantly increasing when it comes to IT and cyber risk.
Because of the complexity of Log4j, it's hard to translate the scope of the vulnerability to policy decision makers or taxpayers.
"Log4j is not a straightforward software like many others had previously dealt with and it's difficult to assess even if you're using it," said Randy Rose, senior director of cyber threat intelligence at the Center for Internet Security.
In years past, investors had overlooked the risk of cyber threats to municipal governments and other local organizations. Rahmani said the 2018 ransomware attack against the city of Atlanta was a huge turning point, calling it a "watershed moment."
Two Iranian nationals were later charged with launching the attack using "SamSam" ransomware, which infected almost 3,800 government computers.
More recently, small critical infrastructure sites have been the target of ransomware and other cyberattacks. Last fall, foreign threat actors targeted regional grain co-ops in Minnesota and Iowa with ransomware. In October, federal authorities warned of attacks targeting wastewater and water treatment facilities.