Recent ransomware attacks have crippled Ohio’s cities, compromising residents’ personal information and slowing down basic services.
However, Ohio does not have a statewide requirement for how municipalities handle cybersecurity or a mandate that cities seek the state’s help after an attack.
That’s because Ohio municipalities are empowered to govern themselves, a concept called home rule. Ohio lawmakers have routinely tested the bounds of home rule by banning everything from firearm restrictions to flavored tobacco limits and plastic bag bans statewide. But they haven’t tackled cybersecurity.
“We have home rule in this state,” said Kirk Herath, Ohio’s cybersecurity strategic advisor. “I don’t have authority over any of these folks. They don’t have to do anything uniformly.”
The result: Little is uniform when cybercriminals seize control of computers and demand payments for stolen personal identifying information.
For example, when a Russian-affiliated ransomware group struck Cleveland in June, city officials quickly asked the Ohio Cyber Reserve to deploy its volunteer cybersecurity experts to help. When foreign cybercriminals hit Columbus a month later, city officials took three weeks to respond to Ohio’s offer to help, Herath said.
“It was night and day difference in what they (Cleveland) asked us to do and the timing of it,” Herath said.
Columbus used RSM Security instead, because the cybersecurity incident response company was already familiar with the city, Columbus spokeswoman Melanie Crabill said. The Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency also assisted with the investigation.
Huber Heights, a suburb of Dayton, didn’t ask for Ohio Cyber Reserve help when it fell victim to a cyberattack last November, Herath said. The attack compromised the personal information of nearly 6,000 people, according to the Dayton Daily News.
The cost of being proactive
While the Ohio Cyber Reserve is reactive, the state is fighting cybercrime proactively, too. Ohio cybersecurity experts offer county-level training and risk assessments. They started with six of the state’s smaller counties and have 39 more signed up for the optional, free service, Herath said.
“Our ability to help today is dramatically improved from even two or three years ago,” Herath said.
Ohio is also shoring up its own cybersecurity risks − no small task for an operation with dozens of agencies and departments. The state faces thousands of attacks, big and small, each day, said Herath, who likened it to Captain America fending off attacks with his shield.
For example, cybercriminals attacked the Ohio Lottery on Christmas Eve 2023, stealing patrons’ full names and Social Security numbers. “We effectively rebuilt the lottery’s entire network in a couple of weeks,” Herath said.
Gov. Mike DeWine’s administration plans to ask lawmakers for money in the next budget to buy a better tool than its current Microsoft Office. The state hasn’t finalized how much that might cost, DeWine spokesman Dan Tierney said.
The cost of better cybersecurity programs can be a problem for local governments, especially those struggling to provide basic services like police and fire. “This comes down to a resource issue,” said Keary McCarthy, executive director of the Ohio Mayors Alliance.
Columbus Mayor Andrew Ginther said cities need help to shore up their defenses. “As foreign cyberattacks become more frequent and sophisticated, it’s clear that we need a renewed federal effort to provide cities with additional resources to defend against these rapidly evolving and increasingly complex threats to our residents,” Ginther said in a statement.
Herath, who previously served as Nationwide’s chief privacy officer, understands that the cost can deter small cities and big businesses alike. But there’s a cost to doing nothing, too. The average cost of a data breach in 2024 was $4.88 million, according to IBM.
“You pay it now or you pay a lot more later if there is an incident,” he said.
What to do if your personal information is compromised
Herath offered several tips for Ohioans concerned about compromised personal identifying information.
-
Use multi-factor authentication on your important accounts. Many financial institutions and email accounts might already require this, or you can use authenticators from Google, Microsoft or Cisco Duo.
-
Put a credit freeze, or security freeze, on your credit reports. This stops any new accounts from being opened in your name.
-
Report identity theft with the Federal Trade Commission at identitytheft.gov.
Jessie Balmert covers state government and politics for the USA TODAY Network Ohio Bureau, which serves the Columbus Dispatch, Cincinnati Enquirer, Akron Beacon Journal and 18 other affiliated news organizations across Ohio.
This article originally appeared on The Columbus Dispatch: How is Ohio tackling cybersecurity amid ransomware attacks on cities?