Blog, Public Finance

How Havoc-Based Cyberattacks Are Threatening U.S. Infrastructure

01/10/2024

By Tom Kozlik, Head of Public Policy and Municipal Strategy

In the December issue of Foreign Affairs Magazine, Philip Zelikow, a senior fellow at Stanford University’s Hoover Institute, wrote, “The world has entered a period of high crisis.”

This quote helped set the stage during my most recent HilltopTalks podcast, in which Omid Rahmani, Associate Director of U.S. Public Finance and Cyber Risk at Fitch Ratings, joined me to discuss the danger of cyberattacks on U.S. infrastructure and what we can expect as we enter 2024.

Public Water Authorities Targeted

Both U.S. Homeland Security and the Director of National Intelligence have warned about the threat of cyberattacks targeting American interests and critical infrastructure, and they expect the risk to worsen if conflict overseas expands.

In my December 5 municipal commentary, I discussed the joint cybersecurity advisory from U.S. Homeland Security’s Cybersecurity & Infrastructure Security Agency, which referenced cyberattacks on a single-digit number of public water authorities. It’s important to note that these incidents are not the same as the financially motivated ransomware cyberattacks we have seen. These attacks are more similar to those identified in recent Director of National Intelligence and Homeland Security threat assessments. Specifically, the Municipal Water Authority of Aliquippa in Pennsylvania was hacked by CyberAv3ngers, an Iranian Government Islamic Revolutionary Guard Corps-affiliated Advanced Persistent Threat cyber actor. More information is still being uncovered about additional water authorities attacked.

Cyber Assets Being Used as Geopolitical Weapons

When I asked if cyber assets are being used as geopolitical weapons, Rahmani explained, “Yes. You have to understand that the cyber risk that public entities in the United States face has always been, to a certain degree, tied to a geopolitical interest that is extremely evident and clear now more than ever. Experts agree that we are at about as high a level of cyber risk when it comes to critical infrastructure and U.S. assets than we've ever been.”

He went on to explain that the number of very sensitive and very high-stakes regional geopolitical conflicts underway in Eastern Europe and the Middle East, together with the risk of escalation in the East China Sea, has led to a very diverse environment when it comes to cyber risks for municipal entities.

Ransomware Attacks vs. Havoc-Based Attacks

Rahmani and I further discussed the difference between the water agency cyberattacks and the ransomware attacks that most people may be more familiar with.

“The main difference is in the motivation,” Rahmani said. “The garden variety of ransomware is something we've been dealing with more and more since COVID. COVID was really a transformative event when it comes to cybercrime. But the motivations are clear, for the most part, for ransomware. You have money. They want money. You give them money, and 99% of the time the entities get their data back and their technology back online. With havoc-based attacks, like the one we saw in Aliquippa, the motivation is very different. The motivation there is to cause, on a light note, disruption, and on a heavier note, disruption, and those types of attacks can have a human impact. Not that ransomware can’t disrupt, but the motivation for these types of havoc-based attacks is to cause disruption and destruction. They were conducted by an advanced persistent threat actor and nation state originating in the Middle East, which is active in the conflict in the Middle East.”

Managing Havoc-Based Cyberattacks

While the federal government is working to provide guidance through the Department of Homeland Security and the Cybersecurity & Infrastructure Security Agency, Rahmani said the U.S. legislative process is slow, and the proliferation of technology within our critical sectors has allowed this risk to come in.

“The threat landscape evolves far faster than we can respond to it from a policy perspective,” he explained. “Which means it comes down to the people on the ground, the municipalities, the utilities that are working it every day. It’s less about whether you can avoid this altogether and rather how you can weather it.”

The risk has risen over the last couple of years, and Rahmani expects it to keep rising in 2024. The people on the ground will be the eyes and ears in working to combat these havoc-based attacks.
