Recent ransomware attacks have paralyzed cities in Ohio, compromising residents’ personal data and slowing down basic services.
However, Ohio has no federal requirements for how municipalities handle cybersecurity, nor do cities have to ask the state for help after an attack.
That’s because Ohio’s municipalities have the power to govern themselves, a concept called home rule. Ohio lawmakers have routinely tested the limits of home rule by banning everything from gun restrictions to limits on flavored tobacco to statewide plastic bag bans. But they haven’t addressed cybersecurity.
“We have self-governance in this state,” said Kirk Herath, Ohio’s cybersecurity strategic adviser. “I have no authority over any of these people. They don’t have to do anything uniformly.”
The result: There is little uniformity when cybercriminals take control of computers and demand payment for stolen personal identification information.
For example, when a Russian-linked ransomware group hit Cleveland in June, city officials quickly asked the Ohio Cyber Reserve to deploy its volunteer cybersecurity experts to help. When foreign cybercriminals hit Columbus a month later, it took three weeks for city officials to respond to Ohio’s offer of help, Herath said.
“What they (Cleveland) asked us to do and the timing of it was very different,” Herath said.
Columbus instead used RSM Security because the cybersecurity incident response firm was already familiar with the city, Columbus spokeswoman Melanie Crabill said. The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency also assisted in the investigation.
Huber Heights, a suburb of Dayton, did not ask for help from Ohio Cyber Reserve when it was the victim of a cyberattack last November, Herath said. The attack compromised the personal information of nearly 6,000 people, the Dayton Daily News reported.
The Cost of Being Proactive
While the Ohio Cyber Reserve is reactive, the state is also proactively combating cybercrime. Ohio cybersecurity experts provide training and risk assessments at the county level. They started with six of the state’s smaller counties and have signed up 39 more for the optional, free service, Herath said.
“Our ability to help today has improved significantly compared to two or three years ago,” Herath said.
Ohio is also beefing up its own cybersecurity risks — no small task for an operation that includes dozens of agencies and departments. The state faces thousands of attacks every day, big and small, said Herath, who compared it to Captain America fending off attacks with his shield.
For example, cybercriminals attacked the Ohio Lottery on Christmas Eve 2023, stealing customers’ full names and social security numbers. “We effectively rebuilt the lottery’s entire network in a matter of weeks,” Herath said.
Gov. Mike DeWine’s administration plans to ask lawmakers in the next budget for money to buy a better tool than the current Microsoft Office. The state has not finalized how much that might cost, DeWine spokesman Dan Tierney said.
The cost of better cybersecurity programs can be a problem for local governments, especially those struggling to provide basic services like police and fire. “This comes down to a resource issue,” said Keary McCarthy, executive director of the Ohio Mayors Alliance.
Columbus Mayor Andrew Ginther said cities need help bolstering their defenses. “As foreign cyberattacks become more frequent and sophisticated, it is clear that we need a renewed federal effort to provide cities with additional resources to defend against these rapidly evolving and increasingly complex threats to our residents,” Ginther said in a statement.
Herath, who previously served as chief privacy officer at Nationwide, understands that the cost can be daunting for small towns and large companies alike. But there are costs to doing nothing. The average cost of a data breach in 2024 was $4.88 million, according to IBM.
“You pay now, or you pay a lot more later if there is an incident,” he said.
What to do if your personal data is at risk
Herath offered some tips for Ohio residents concerned about compromised personal identification information.
-
Use multi-factor authentication on your important accounts. Many financial institutions and email accounts may already require this, or you can use authenticators from Google, Microsoft, or Cisco Duo.
-
Place a credit freeze, or security freeze, on your credit reports. This prevents new accounts from being opened in your name.
-
Report identity theft to the Federal Trade Commission at identitytheft.gov.
Jessie Balmert covers state government and politics for the USA TODAY Network Ohio Bureau, which serves the Columbus Dispatch, Cincinnati Enquirer, Akron Beacon Journal and 18 other affiliated news organizations in Ohio.
This article originally appeared on The Columbus Dispatch: How is Ohio tackling cybersecurity amid ransomware attacks on cities?
