Ohio is facing a pressing issue of the absence of a statewide standard for cybersecurity. The gap in cybersecurity protocol is largely due to Ohio’s home rule system, which empowers municipalities to govern themselves.
As Kirk Herath, Ohio cybersecurity strategic advisor, noted, “We have home rule in this state. I don’t have authority over any of these folks. They don’t have to do anything uniformly.” This lack of uniformity has left Ohio’s cities vulnerable to cybercriminals who exploit these inconsistencies, often demanding ransoms for stolen personal data.
Disparate Responses to Ohio Cybersecurity Challenges
The contrasting responses from Ohio cities highlight the challenges of managing cybersecurity at the local level. In June, when a ransomware group linked to Russia targeted Cleveland, city officials promptly reached out to the Ohio Cyber Reserve for assistance. In contrast, Columbus, which experienced a similar attack a month later, took three weeks to respond to the state’s offer of help. Columbus officials ultimately opted for RSM Security, a private cybersecurity firm already familiar with the city’s systems.
Herath remarked on this stark difference: “It was night and day difference in what they (Cleveland) asked us to do and the timing of it.” This inconsistency can lead to varying levels of security preparedness among Ohio municipalities, leaving some more exposed than others, reported Dispatch.
The situation of Ohio cybersecurity challenges was further complicated when Huber Heights, a suburb of Dayton, fell victim to a cyberattack last November without seeking help from the Ohio Cyber Reserve. This incident compromised the personal information of nearly 6,000 residents, highlighting the potential consequences of a fragmented approach to cybersecurity in Ohio.
Proactive Measures and Training Initiatives
While the Ohio Cyber Reserve typically responds to attacks, the state is also taking proactive measures to bolster cybersecurity. Ohio cybersecurity experts are conducting training sessions and risk assessments at the county level. Initially launched in six smaller counties, the program has expanded, with 39 more municipalities signed up for the free service. Herath emphasized the improvements made over the past few years: “Our ability to help today is dramatically improved from even two or three years ago.
In addition to assisting local governments, the state is addressing its own cybersecurity vulnerabilities. Ohio experiences thousands of cyberattacks daily, as Herath likened the state’s efforts to Captain America defending against constant threats. A notable incident occurred when cybercriminals attacked the Ohio Lottery on Christmas Eve 2023, stealing sensitive data, including patrons’ full names and Social Security numbers. The state successfully rebuilt the lottery’s network within weeks.
Funding and Resource Challenges
Despite these initiatives, funding for improved cybersecurity remains a significant hurdle. Gov. Mike DeWine’s administration intends to request financial support from lawmakers in the next budget cycle to acquire more advanced cybersecurity tools than its current Microsoft Office setup. However, the specific funding needs have yet to be determined, according to DeWine’s spokesman, Dan Tierney.
Local governments, many of which are already struggling to provide basic services, face resource challenges when it comes to enhancing cybersecurity measures. Keary McCarthy, executive director of the Ohio Mayors Alliance, acknowledged this issue, stating, “This comes down to a resource issue.
Columbus Mayor Andrew Ginther echoed these sentiments, asserting that cities require additional support to bolster their defenses. As foreign cyberattacks become more frequent and sophisticated, it’s clear that we need a renewed federal effort to provide cities with additional resources to defend against these rapidly changing and increasingly complex threats to our residents,” Ginther said.