Produced by the Office of Marketing and Communications
Scholars Aggregate Threats to Thousands of County Governments to Draw Conclusions
By John Tucker
Illustration by iStock
One day last summer, a Russia-affiliated crime syndicate kneecapped the city of Columbus, Ohio, without lifting a hammer. It had breached the city’s computer network, pirating names, Social Security numbers, bank information and other private data belonging to more than half of the city’s 900,000 residents. The hackers demanded nearly $2 million, and when the city didn’t pay, the stolen data began circulating on the dark web. The Federal Bureau of Investigation launched a probe while the Ohio governor deployed the National Guard.
The episode reflects a modern reality: Local governments are common victims of cyberattacks, with economic damage often extending to the state and federal levels. Policymakers at those higher levels, however, are often unaware of the collective risk that county-level hacks pose to their larger jurisdictions.
A new University of Maryland research paper in the Journal of Cybersecurity fills in the gaps, measuring cyberattack vulnerability for every U.S. state and region. The team calculated the risk for 3,065 county governments and stitched that data together to form a picture of the nation’s aggregate cyber health, finding heightened risk in California, Virginia and Florida, with the Southeast containing the most counties susceptible to all the attack methods that the researchers analyzed. The most common types of threat, meanwhile, are Domain Name System (DNS) misconfigurations and insecure authorizations. (The researchers did not single out counties by name, to avoid leading hackers to potentially vulnerable targets.)
“This is a big issue, and we’re putting real, holistic numbers around risk level posed by cybercriminals to critical infrastructure,” said Charles Harry, co-author of the paper and an associate research professor for UMD’s School of Public Policy as well as a former intelligence officer for the National Security Agency.
Though federal and state governments can’t control security measures taken by individual municipalities, they can incentivize them with grants. The UMD findings—visualized with state and regional “heat maps”—can help authorities prioritize allocations.
“County governments are neglected when it comes to cybersecurity—it’s a black box,” said Ido Sivan-Sevilla, an assistant professor with UMD’s College of Information and a co-author of the study. “Through our computational tools, we bring a glimpse into what’s happening, assess the weak spots and determine where we should direct resources.”
Recent cyberattacks have crippled governments in cities like Baltimore, Dallas and Cleveland. An FBI report on internet crime declared that municipalities are the primary victims of hacks, stressing the need for national protection, while a Center for Internet Security report found that malware attacks on state and local governments more than doubled between 2022 and 2023.
Christopher Shank, former senior adviser to then-Maryland Gov. Larry Hogan and a cybersecurity expert, recalled an incident when hackers infiltrated a unit of county government and disabled the state’s health department during the peak of the COVID-19 pandemic. He called the UMD study timely.
“These attacks are not unique—they exist in hundreds if not thousands of municipal organizations like school boards and utility departments, with far-reaching consequences,” said Shank. “This study highlights the vulnerabilities to infrastructure and provides a clarion call for policymakers to do something.”
To gather their data, Harry, Sivan-Sevilla and their collaborator, Mark McDermott, scanned the open internet to measure each county government’s “attack surface area,” or exposure across IP addresses. Next, they catalogued threats by type, likelihood and potential severity. The team measured 42,735 government devices and 51,487 “open ports” susceptible to malicious hackers.
The researchers assessed vulnerability in two ways: “service-based” measurements, which denote the diversity of attack types leveraged by hackers in prior incidents, and “Common Vulnerabilities and Exposures” (CVE) measurements, which are assessed based on the likelihood of being exploited and the potential severity.
They found that service-based risk increases alongside a government’s “surface area,” while CVE risk increases as a county’s population decreases. Both findings can help municipalities customize safeguards, either by shrinking their digital footprint or hiring more IT administrators to patch their systems, while highlighting an approach to help prioritize scarce resources.
Harry and Sivan-Sevilla envision working proactively with state governments and ultimately applying their computations across sectors like hospitals, schools and transit systems. They recently briefed the National Governors Association about their methodology and are now contacting municipalities most susceptible to attack, noting that 19 U.S. counties require immediate action.
“I’m frankly sick and tired of people saying, ‘Oh, it’s a hard problem we can’t solve,’” said Harry. “With this integrated approach, we’re a little closer to the truth.”
Maryland Today is produced by the Office of Marketing and Communications for the University of Maryland community on weekdays during the academic year, except for university holidays.