This book begins with a simple question: why examine cybersecurity among America’s local (or grassroots) governments? What’s so special about these organizations that they deserve scrutiny? They are, after all, just organizations, and most, if not all organizations have certain similarities, especially the need to maintain effective levels of cybersecurity.

The need for cybersecurity is demonstrated every day and is a common staple in the popular media. And local governments do not differ much, if any, in the need for cybersecurity from organizations such as Microsoft, Target, Home Depot, JPMorgan Chase, the White House, or many others. The similarity to which readers should be aware is that all of these organizations have been successfully hacked…as has a growing number of local governments.

1.1 Most Important Reason

Perhaps the most important reason that cybersecurity among local governments warrants our attention is that these governments are increasingly targets of cybercriminals and are under constant, or nearly constant, attack (Norris et al., 2018, 2019, 2020 ). Moreover, aside from relatively few studies, little is known about the specific vulnerabilities, exposures, practices, and shortcoming of local governments in this matter – yet every local government cybersecurity official who one of the authors (Norris) helped interview in 2013 agreed that their governments were under constant attack. Among local governments responding to a survey that two of the authors (Norris and Mateczun) helped conduct in 2016, 28 percent reported being attacked at least hourly or more frequently, and 19 percent said at least once a day (for a total of 47 percent of all respondents). What is really troubling, however, is that more than a quarter (nearly 28 percent) said that they did not know how frequently they were being attacked (Norris et al., 2019).

Among local government Chief Information Security Officers (CISOs) responding to a 2020 survey of mainly large US local governments, 57 percent said that they were under attack constantly, 29 percent said at least hourly, and 14 percent said daily (Norris, 2021). Last, the frequency and severity of cyberattacks against local governments is expected to continue to grow, not to abate, because these governments have become favorite targets of cybercriminals. A reason for this undesirable outcome is that while many organizations, on average, typically do a poor job with cybersecurity, local governments do it even more poorly.

1.2 Additional Reasons

There are other reasons to be concerned about cybersecurity among local governments. The first is the sheer number of American local governments. As of the 2017 Census of Governments, there were 90,074 units of local government, of which 38,779 are general purpose governments, including 3031 counties, 19,519 municipalities and 16,360 towns and townships. There were also 38,542 special districts, most of which are single purpose districts providing such services as fire protection (5975), potable water (3593), drainage/flood control (3344), etc. Last, there were 12,754 independent public school districts (US Census Bureau, 2017). Taken together, this represents a lot of governments, especially considering that there are only 50 states and one federal government in the US.

A related point is that most general purpose (municipalities, counties, townships) local governments in the US are small. Around three-quarters of the nation’s incorporated places had fewer than 5000 residents in 2020 (Toukabri and Medina, 2020). Moreover, the great majority of American cities (78 percent) have populations of 10,000 or less (ICMA, 2013). This does not include the 12,801 municipalities with populations of less than 2500, which constituted 47 percent of all cities in 2017 (Miller, 2018; see also Chapter 13). And, because of their size, small local governments are faced with budgetary constraints not typically experienced by large local governments like those of big cities and counties. This is one reason smaller local governments are unable to to fund adequate levels of cybersecurity. See Table 1.1 that shows the dramatic differences in municipalities by population, with the vast majority (80 percent) having populations of 10,000 or less, not including the number with fewer than 2500 inhabitants (ICMA, 2015). The distribution of county governments is somewhat similar, although not quite as skewed toward those with very small populations.

Except for the smallest among them, local governments operate information technology (IT) systems that are critical to their ability to function and to provide services to their residents. Cumulatively, they spend billions of dollars each year to support their IT systems. One estimate placed state and local government spending on information technology at over $109 billion per year (GovDataDownload, 2019).

Second, local governments provide essential, often critical public services to their residents and visitors. Consider the following and their importance to the daily lives of everyone involved: public safety (police and fire especially), the courts, election systems, emergency medical services, water provision and wastewater collection and treatment, and emergency and disaster management. Disrupting any of these services or shutting them down altogether would produce serious consequences for local governments. Modern cybercriminals know this and target local governments to steal from them and/or impede their ability to function. As of this book’s writing, September of 2021,¹ the most recent trend in cyberattacks against local governments involves ransomware. Such attacks are when a cybercriminal obtains access to a local government IT system, locks it down, encrypts its data, and demands payment (ransom, often in the form of cryptocurrency) for the promised return the IT system and its data to the local government unharmed.²

Source: ICMA (2013). The Municipal Yearbook 2013. Tables 2 and 3, pp. xii and xv.

In 2018 and 2019, respectively, Atlanta, Georgia and Baltimore, Maryland were victims of ransomware attacks that, among other things, caused considerable disruption of their ability to perform basic functions and provide public services. (Brief discussions of the incidents in Atlanta and Baltimore appear later in this chapter.)

A third reason to examine cybersecurity among America’s local governments is that they receive, utilize, and store volumes of sensitive information, especially personally identifiable information (PII) such as names, addresses, drivers’ license numbers, credit card numbers, social security numbers, tax records, and medical information. Such information is valuable to cybercriminals and obtaining it is often the purpose of cyberattacks. In fact, over the past few years, numerous local governments have reported that they lost at least some of their PII as a result of data breaches and subsequent information exfiltration. In some cases, they were threatened with the data being released (or destroyed) unless they paid a ransom.

As noted earlier, in many ways local governments are quite similar to other types of organizations in both the public and private sectors. True enough, but they also have characteristics that set them apart in ways that challenge their ability to provide high levels of cybersecurity. This represents the fourth reason for this book’s direct focus on local government cybersecurity.

These characteristics include but are not limited to the fact that local governments are public entities that provide public services; they are subject to politics in ways that private sector entities are not; their structure is often federated; there is never enough money in a local government’s budget to cover all needs (real and perceived); and finally their residents are essentially their owners. We will address each of these characteristics briefly below.

Local governments are public entities that provide public services. This means that the “bottom line” is not quarterly or annual profits and maximizing shareholder returns, but rather the delivery of a wide variety of services such as those noted above and others. Few private sector businesses have as wide a span of responsibilities. And, within local governments, each separate function or service competes with all the rest for attention, funding, and cybersecurity.

This is where politics (both the good, the bad, and the ugly) comes in. Decision-making in local governments involves small “p” politics (so to speak) in the sense of choosing among available and fundable alternatives. One hopes that such decision-making is a more or less rational process, and that it is driven by evidence and objective analysis. Unfortunately, decisions in local government are often also driven by large “P” politics. Here, the interests of the chief elected officials and the elected councilors may clash because of political party, ideology, or electoral interests, having little to do with what is best for the city or county at that moment or in the future. Certainly, there is politics in private firms, but at the end of the day firms measure success by the financial bottom line. Local governments have no such simple metric, and each official has his or her own view of success, often involving what is politically convenient for the official. This means that the calculations made by officials when choosing among alternatives (small “p”) are often colored by large “P” factors.

The structure of local governments is typically federated among executive, legislative, and judicial branches (although courts play a more limited role in local government administration than at the state and federal levels). In a private business, what the CEO, board chairman, or owner of a firm decides is final and employees must abide by that decision or policy. This not to say that there may be spirited discussion and debate within the organization, but it is those leaders’ sole responsibility to make the decision. By contrast, in local governments, even those with structurally powerful elected executives, decisions often are made by parties in least two different and often competing branches of government (and a third if the courts are involved). In mayor-council cities, these are the mayor and city council. In council-manager cities, the chief decision-maker for city administration is the city manager, but he or she must act within the bounds of policy adopted by the city council. And council members often have differing views regarding alternative policies and courses of administration. This makes for a decision-making process in the public sector that is very different from that of the private sector (e.g., Allison, 1983).

Additionally, there is never enough money in a local government’s budget to cover all needs (real and perceived) throughout the organization. Indeed, lack of adequate funding is nearly always the number one complaint heard from Chief Information Officers (CIOs) and CISOs (Norris et al., 2019, 2020). This is almost certainly true of many private sector businesses as well, but few of them have as many different and competing functions to perform and services to provide as local government. To give a perhaps overly simplistic example, General Motors builds cars, and GM dealerships sell cars and repair cars. Yet both singularly focus all of their efforts on cars.

Cumulatively, these characteristics mean that providing high levels of cybersecurity in local governments is more complex and more difficult than in private sector organizations. They also provide good reasons to closely examine local government cybersecurity and to provide recommendations to help improve it (as this book does).

Fifth, cybercriminals have become increasingly successful in hacking both private and public sector organizations in recent years. Among many others, these have included in the private sector: Home Depot, Target, JPMorgan Chase, AT&T, Yahoo, eBay, Google, Anthem, Equifax, SolarWinds, Microsoft, and others. In the federal government: the Office of Personnel Management (OPM), US Central Command, the US Postal Service, the White House, the National Oceanic and Atmospheric Administration (NOAA), and others. Among local governments: the cities of Atlanta, Baltimore, Dallas, and New Orleans, the city and county governments of Durham, NC, and many more. A simple scan of daily headlines continues to demonstrate that all types of organizations from the government and private sector remain under active cyberattack.

Sixth, cyberattacks are deployed not only by individuals and organizations, but also by nation-states and their surrogates and by transnational, non-state actors such as terrorists. One of the clearest and most frightening examples is the ongoing “meddling” in US elections by the Russian government. Here, American intelligence agencies have unanimously concluded that hackers under the control and by the direction of the Russian government interfered in the 2016 American presidential election with the intent of helping Donald Trump, the Republican nominee, become president. Indeed, since 2016, American intelligence agencies continue to identify active Russian efforts to use cyberattacks (e.g., hacking) in supporting traditional influence activities such as misinformation and disinformation intended to interfere with America’s domestic elections.

Hacking by nation-states also reaches down to the local government level. In the ransomware attack in March of 2020 against the city and county governments of Durham, NC, cybercriminals deployed malware of Russian origin. According to the North Carolina State Bureau of Investigations, the attack was the work of Russian hackers using the Ryuk malware delivered via phishing emails (Ropek, 2020). This is the same malware that took down the City of New Orleans IT system in 2019.

Seventh, cyberattacks are very costly to the US and world economies. Cybersecurity Ventures estimates that by 2025 the annual cost of data breaches will reach $10.5 trillion worldwide, up from $3 trillion in 2015, and would represent the greatest transfer of economic wealth in history (Morgan, 2020). As discussed below, the attacks on Atlanta and Baltimore cost those cities at least $17 and $18 million, respectively, not including the cost of lost productivity. These are only two of many local governments that have experienced breaches recently. Expect more to be similarly impacted in coming years.

Eighth, The Internet of Things (IoT), also called “cyber-physical systems,” is a rapidly expanding phenomenon that introduces new vulnerabilities and risks for local governments. In many cases, this is evidenced through initiatives aimed at creating “smart cities” that deploy internet-connected devices to sense, collect, and share data and in some cases, directly control physical systems, for improved monitoring and management of assets and resources. To provide a sense of the enormity of the IoT, the research firm Statistica estimated that there would be 13.8 billion IoT and non-IoT devices connected to the internet in 2021. This was expected to more than double to 30.9 billion by 2025 (2021). By contrast, just a few years ago, a typical US household with broadband internet service had one or two computers connected. According to one source, in 2020 such homes had a Wi-Fi router connecting 12 devices that include computers, televisions, thermostats and smoke alarms, security cameras and smart speakers like Amazon Echo, which is expected to increase to 20 by 2025 (Parks Associates, 2020).

Local governments increasingly use IoT devices to better support their services, such as monitoring traffic and parking, detecting rubbish levels in trash receptacles, smart meters, and security cameras. Moreover, as they increasingly manage “smart” cyber-physical systems, such as wastewater, electricity, etc., the consequences of poor defense are more than just data breaches or system failures – they now include physical harm and damage to the community.

For local governments, the spread of IoT devices greatly increases the “attack surface” that makes them vulnerable to cybersecurity threats.³ This attack surface was expanded significantly with local government employees working from home during the COVID-19 pandemic of 2020–2022. Moreover, the set of IoT devices and cyber-physical systems may be large and very heterogeneous, with different manufacturers, capabilities, and interfaces. The result is an environment that is inherently difficult to monitor and update as new security vulnerabilities are discovered.

One prominent risk is that some IoT devices could be infected and used to launch Distributed Denial of Service (DDoS) attacks on internet services and sites. For example, in 2016 the Mirai Botnet compromised as many as 600,000 IoT devices and used these to attack and disable several popular internet sites (Antonakakis et al., 2017). Other risks are that such devices can be disabled, have their sensor data stolen or modified, or have their activator functions used inappropriately that could result in damage. Before incorporating IoT technologies, local governments must understand and plan for the additional security risks they introduce by developing and supporting policies that will protect them from current and future threats.⁴

Ninth, the expanded attack surface arising from the shift to working from home is yet another reason local government cybersecurity warrants attention. Working from home strains computer networks and poses additional risks such as the use of insecure Wi-Fi networks and the use of personal devices when working with sensitive information. COVID-19 and other disasters bring a surge of phishing attacks, often bearing ransomware, and these only become worse with the enlarged attack surface from working at home. Cybercriminals take advantage of both the trends of the day and the human element of cybersecurity.

Cybersecurity officials are mission enablers regardless of the type of organization for which they work. For local governments in times of disaster, this means cyber staff must preserve the use of technology, protect the organization’s information assets wherever they might be located, and help to provide the continuous operational capability for the many critical functions of the organization that rely on technology. Their focus also needs to be on resilience during disaster, which means not only the ability to prevent a cyberattack and, if necessary, to stop a successful one, but also to recover from it while continuing critical operations in as normal a manner as possible.

Finally, as discussed elsewhere in this book, there is an enormous gap in the scholarly and professional publications on the subject of local government cybersecurity. Indeed, the extensive literature review conducted in preparation for this book identified only 14 articles about local government cybersecurity in peer-reviewed journals in the social sciences and computer science between 2000 and summer 2021 – a problem that may begin to be at least partly rectified with this book (Appendix 1.1). Likewise, this search found very few works in the professional literature directly discussing local government cybersecurity. This said, many works from the professional world are relevant to local governments, especially those that discuss common cybersecurity problems and best cybersecurity practices.

1.3 Case Studies

This chapter next examines two cases of notable instances of local governments that were successfully hacked, including Baltimore, MD and Atlanta, GA. These examples were selected to demonstrate the current state of local government cybersecurity and the impact that a successful cyberattack can have upon local communities that are not properly prepared for them.

1.4 Conclusion

In addition to the reasons discussed earlier in this chapter, the Atlanta and Baltimore examples should demonstrate clearly why it is crucial that local governments and the officials leading them understand the many cybersecurity issues they face. Failure to do so places their communities at increased risk of experiencing likely preventable cybersecurity problems.

This understanding should, at a minimum, encompass the cyberthreats that these governments face, the actions they should take to protect their information assets from attack, and to mitigate the damage after successful attacks, the gap between those actions and the need for high levels of cybersecurity at the grassroots and, finally, the barriers that these governments encounter when deploying cybersecurity. Understanding these issues will enable local officials not only to see why cybersecurity is crucial to their governments’ digital well-being but will help ensure that cybersecurity has their full support and is adequately funded and properly managed.

Appendix 1.1 Local Government Cybersecurity Articles in Peer-Reviewed Journals from 2000 to mid-2021

References

1. Ali, O., Shrestha, A., Chatfield, A., and Murray, P. (2020). Assessing information security risks in the cloud: A case study of Australian local government authorities. Government Information Quarterly, 37(1), https://www.sciencedirect.com/science/article/pii/S0740624X19300231
2. Allison, G.T. (1983). Public and private management: Are they fundamentally alike in all unimportant respects? In J.M. Shafritz and A.C. Hyde (Eds.) Classics of Public Administration. Wadsworth Cengage Learning.
3. Antonakakis, M., April, T., Bailey, M., et al., (2017). Understanding the Mirai Botnet. A paper included in the Proceedings of the 26th USENIX Security Symposium August 16–18, Vancouver, BC, Canada.
4. Blinder, A. and Perlroth, N. (2018, March 27). Cyberattack Hobbles Atlanta, and Security Experts Shudder. New York Times. https://www.nytimes.com/2018/03/27/us/cyberattack-atlanta-ransomware.html
5. Caruson, K., MacManus, S.A., and McPhee, B.D. (2012). Cybersecurity policy-making at the local government level: An analysis of threats, preparedness, and bureaucratic roadblocks to success. Homeland Security & Emergency Management, 9(2), 1–22. https://www.degruyter.com/document/doi/10.1515/jhsem-2012-0003/html
6. Chokshi, N. (2019, May 22). Hackers are holding Baltimore hostage: How they struck an what’s next. New York Times. https://www.nytimes.com/2019/05/22/us/baltimore-ransomware.html
7. Colorado Computer Support (CCS) (2018). The City of Atlanta held hostage by cybercriminals. https://www.coloradosupport.com/the-city-of-atlanta-held-hostage-by-cybercriminals
8. Deere, S. (2018a, April 12). Cost of City of Atlanta’s cyber attack: 2.7 million and rising. Atlanta Journal-Constitution. (Accessed March 20, 2020). https://www.ajc.com/news/cost-city-atlanta-cyber-attack-million-and-rising/nABZ3K1AXQYvY0vxqfO1FI
9. Deere, S. (2018b, August 1). Confidential report: Atlanta’s cyber attack could cost taxpayers $17 million. Atlanta Journal-Constitution. https://www.ajc.com/news/confidential-report-atlanta-cyber-attack-could-hit-million/GAljmndAF3EQdVWlMcXS0K
10. Deere, S. (2018c, November 28). Feds: Iranians let cyberattack against Atlanta, other US entities. Atlanta Journal-Constitution. https://www.ajc.com/news/local-govt–politics/feds-iranians-led-cyberattack-against-atlanta-other-entities/xrLAyAwDroBvVGhp9bODyO
11. Deere, S. and Klepal, D. (2018, March 29). Emails show Atlanta received multiple alerts about cyber threats. Atlanta Journal-Constitution. https://www.ajc.com/news/local-govt–politics/emails-show-atlanta-received-multiple-alerts-about-cyber-threats/xbFP3eVt3Eq72lw5UqjIFP
12. Duncan, I., and Zhang, C. (2018, May 17). Analysis of ransomware used in Baltimore attack indicates hackers needed “unfettered access” to city computers. Baltimore Sun. https://www.baltimoresun.com/politics/bs-md-ci-ransomware-attack-20190517-story.html
13. Duncan, I. and Zhang, C. (2019, May 17). Analysis of ransomware used in Baltimore attack indicates hackers needed “unfettered access” to city computers. Baltimore Sun. https://www.baltimoresun.com/politics/bs-md-ci-ransomware-attack-20190517-story.html
14. Falco, G., Noriega, A., and Susskind, L. (2019). Cyber negotiation: A cyber risk management approach to defend urban critical infrastructure from cyberattacks. Journal of Cyber Policy, 4(1), https://doi.org/10.1080/23738871.2019.1586969
15. Freed, B. (2019, March 22). One year after Atlanta’s ransomware attack, the city says it’s transforming its technology. Statescoop. (Accessed April 15, 2020). https://statescoop.com/one-year-after-atlantas-ransomware-attack-the-city-says-its-transforming-its-technology
16. Gallagher, S. (2019, May 20). Baltimore ransomware nightmare could last weeks more, with big consequences. Ars Technica. https://arstechnica.com/information-technology/2019/05/baltimore-ransomware-nightmare-could-last-weeks-more-with-big-consequences
17. GovDataDownload (2019, March 26). State and local government sees an uptick in IT spending; Cybersecurity remains top focus. https://govdatadownload.netapp.com/2019/03/state-local-government-sees-uptick-it-spending-cybersecurity-remains-top-focus/#.YVJQWNNKjOQ
18. Habibzadeh, H., Nussbaum, B.H., Anjomshoa, F., et al., (2019). A survey on cybersecurity, data privacy, and policy issues in cyber-physical system deployments in smart cities. Sustainable Cities and Society, 50. https://www.sciencedirect.com/science/article/pii/S2210670718316883
19. Hatcher, W., Meares, W.L., and Heslen, J. (2020). The cybersecurity of municipalities in the United States: An exploratory survey of policies and practices. Journal of Cyber Policy. https://doi.org/10.1080/23738871.2020.1792956
20. Ibrahim, A., Valli, C., McAteer, I., and Chaudhry, J. (2018). A security review of local government using NIST CSF: A case study. The Journal of Supercomputing, 74. https://link.springer.com/article/10.1007/s11227-018-2479-2
21. International City/County Management Association (ICMA) (2013). The municipal yearbook 2013. International City/County Management Association. Washington, DC: Author.
22. Kearney, L. (2018, June 6). Atlanta officials reveal worsening effects of cyber attack. Reuters. https://www.reuters.com/article/us-usa-cyber-atlanta-budget/atlanta-officials-reveal-worsening-effects-of-cyber-attack-idUSKCN1J231M
23. Kesan, J.P., and Zhang, L. (2019). An empirical investigation of the relationship between local government budgets, IT expenditures, and cyber losses. IEEE Transactions on Emerging Topics in Computing, 9(2), Advance online publication. https://doi.org/10.1109/TETC.2019.2915098
24. Li, Z. and Liao, Q. (2018). Economic solutions to improve cybersecurity of governments and smart cities via vulnerability markets. Government Information Quarterly, 35(1), 151–160. https://www.sciencedirect.com/science/article/abs/pii/S0740624X16302155
25. MacManus, S.A., Caruson, K., and McPhee, B.D. (2012). Cybersecurity at the local government level: balancing demands for transparency and privacy rights. Journal of Urban Affairs, 35(4), 451–470. https://www.tandfonline.com/doi/full/10.1111/j.1467-9906.2012.00640.x
26. Miller, B. (2018, December 3). Nearly half of U.S. cities have fewer than 1,000 residents. Government Technology. https://www.govtech.com/data/nearly-half-of-us-cities-have-fewer-than-1000-residents.html
27. Morgan, S. (2020, November 13). Cybercrime to cost the world $10.5 trillion annually by 2025. Cybersecurity Ventures. https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016
28. Norris, D.F. (2021, July 14). A new look at local government cybersecurity: Recommendations for staying vigilant against persistent cyber threats. Local Government Review/Public Management. Washington, DC: International City/County Management Association. https://icma.org/sites/default/files/2021-07/PM%20%2B%20LGR%20July%202021%20LOW-RES.pdf
29. Norris, D.F., Mateczun, L., Joshi, A., and Finin, T. (2018). Cyber-security at the grassroots: American local governments and the challenges of internet security. Journal of Homeland Security and Emergency Management. 15(3), https://www.degruyter.com/document/doi/10.1515/jhsem-2017-0048/html
30. Norris, D.F., Mateczun, L., Joshi, A., and Finin, T. (2019). Cyberattacks at the grassroots: American local governments and the need for high levels of cybersecurity. Public Administration Review, 79(6), https://onlinelibrary.wiley.com/doi/abs/10.1111/puar.13028
31. Norris, D.F., Mateczun, L., Joshi, A., and Finin, T. (2020). Managing cybersecurity at the grassroots: Evidence from the first nationwide survey of local government cybersecurity. Journal of Urban Affairs, 43(8), Published online April 17, 2020. https://www.tandfonline.com/doi/full/10.1080/07352166.2020.1727295
32. Parks Associates (2020, August 20). Broadband difficulties driving demand for value added services. https://www.parksassociates.com/blog/article/broadband-difficulties-driving-demand-for-value-added-services
33. Phin, P.A., Abbas, H., and Kamaruddin, N. (2020). Physical security problems in local governments: A survey. Journal of Environmental Treatment Techniques, 8(2), 679–686. http://www.jett.dormaj.com/docs/Volume8/Issue%202/Physical%20Security%20Problems%20in%20Local%20Governments%20A%20Survey.pdf
34. Rector, K. (2018a, March 27). Baltimore 911 Dispatch System hacked, investigation underway, officials confirm. Baltimore Sun. https://www.baltimoresun.com/news/crime/bs-md-ci-911-hacked-20180327-story.html
35. Rector, K. (2018b, March 28). Hack of Baltimore’s 911 dispatch system was ransomware attack, city officials say. Baltimore Sun. https://www.baltimoresun.com/news/crime/bs-md-ci-hack-folo-20180328-story.html
36. Ropek, L. (2019, June 14). Over a month on, Baltimore still grappling with hack fallout. Government Technology. https://www.govtech.com/security/over-a-month-on-baltimore-still-grappling-with-hack-fallout.html
37. Ropek, L. (2020, March 11). Ransomware attach hits Durham, N.C. Government Technology. https://www.govtech.com/security/ransomware-attack-hits-north-carolina-city-county-governments.html
38. Shen, F. (2019, May 21). Baltimore’s out-of-date and underfunded IT system was ripe for ransomware attack. Baltimore Brew. (Accessed March 29, 2020). https://baltimorebrew.com/2019/05/21/baltimores-out-of-date-and-underfunded-it-system-was-ripe-for-a-ransomware-attack
39. Statistica (2021). Internet of Things (iot) and non-iot active device connections worldwide from 2010 to 2025. https://www.statista.com/statistics/1101442/iot-number-of-connected-devices-worldwide/#:~:text=The%20total%20installed%20base%20of,that%20are%20expected%20in%202021
40. Toutabri, A. and Mediona L. (2020, May 21). Latest City and Town Population Estimates of the Decade Show Three-Fourths of the Nation’s Incorporated Places Have Fewer Than 5,000 People. Washington, DC: Census Library, U.S. Census Bureau. https://www.census.gov/library/stories/2020/05/america-a-nation-of-small-towns.html
41. US Census Bureau (2017). 2017 Census of Governments. https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html
42. Vitunskaite, M., He, Y., Brandstetter, T., and Janicke, H. (2019). Smart cities and cyber security: Are we there yet? A comparative study on the role of standards, third party risk management and security ownership. Computers & Security, 83, 313–331. URL is:https://dergipark.org.tr/en/download/article-file/876546