Cyber Threats to Parks and Rec: There are things we should all be doing to minimize risks to government of ransomware

So much attention has been paid to “election hacking” and the like in recent years that analysts and commentators have effectively forgotten an equally if not more pressing threat to American government at all levels: ransomware. We cannot fix the reading comprehension problems and poor critical thinking skills of more than half the nation’s population, but we can make serious progress against those who would make us digital hostages.

Ask the average citizen in your town what they think of when they think of a “cyberattack” and they’re probably going to talk about the virus of the month, compromises at banks or stores they patronize, and maybe “hacking the election,” which is usually a conflation of them hearing about horrible vulnerabilities in voting systems and foreign influence campaigns waged against the voting populace.

If you live in Atlanta, Baltimore, or any of the dozens of other municipalities that have been held hostage by ransomware, you may get lucky and find someone who has been impacted by these and more nefarious attacks: ransomware. Shutting down large swaths of or the entirety of a city government doesn’t seem like an issue on par with tampering with the election for President of the United States, but I would argue that it is worse.

The President may be the most powerful man in the free world, but he operates in a system of checks and balances. To the extent that executive orders can force unpopular policy decisions into reality on a limited basis, the fact of the matter is that the policy pendulum (different from the hyperbole around policy decisions, which can flail like a Whirling Dervish) rarely swings too far because there is value in internal peace and stability. Every political party and operative, no matter how partisan they seem, understands this.

When you shut down a government with ransomware, all branches of government are still equal: equally useless. A sufficiently effective and widespread ransomware infection in the federal government or Anytown USA means you can’t register your car, you can’t file taxes, you can’t travel internationally (or come home), you can’t record a deed to property you bought, if that property catches fire the fire department has no way of hearing about it, and if you get robbed the police are not coming. Infection impact your municipal water or power provider? I hope you have a well and candles.

Mayors and city councils can put on a brave face and say that they’ll never pay a ransom, but that’s what everyone who’s never been held hostage says. The calculus gets a little more complicated when nothing works, the bills for the investigation, incident response, and clean-up radically exceed whatever the ransom would have been, and you’re wondering what it’s going to be like to be an ordinary citizen again, albeit one whom everyone blames for the tax hike that needed to be passed in order to pay for the fiasco you facilitated.

What happens in the absence of a functioning government? Well, for starters, people begin to question the legitimacy of the government. If you say you have legitimate authority over people (the consent of the governed) but do nothing in return, historically speaking that’s never gone over well. Not for very long anyway. In Iraq we saw what happens when you ‘don’t do government’ and stand around all in your Oakleys patting yourself on the back for a war well won: someone else fills the void. In the case of Iraq: someone who wants to kill all the people in Oakleys. Become the provider of law, order, and services – regardless of what your flag looks like – and you gain authority and legitimacy.

Now a lot of people like to play act their secession fantasy on social media, and play tacticool dress-up in the town square, but the South rising again isn’t going to be a thing. Turn off the government in enough places across the country however – maybe not whole states, but certainly major metro areas, or in some cases everywhere but the metro areas – and various entities will fill the void. You see the positive results of this idea with the Cajun Navy. They have no commission or official standing, but they step in when there is a need because they have the will and the resources. We laugh at the antics of preppers and amateur weekend warriors, but under the right circumstances, a group with potable water, canned goods, and physical might – regardless of their beliefs or agenda – can seem like a better option than looking wistfully to the horizon for a FEMA that will never come. If any ad hoc authority rises up under these conditions and does a better job than the bureaucrats people used to deal with, well, things are going to get really uncomfortable when the lights come back on.

We have been enjoying widespread peace and prosperity more or less globally for several decades (I said “more or less”) but it is important to remember that this is a relatively new and extended phenomenon. Conflict and tragedy are more the norm throughout human history (the ‘war to end all wars’, the 30 years’ war, the 100 years’ war, etc., etc.).  Good, effective, effectively corruption free government has played a major role in that success. A handful of people leave this country every year for largely financial reasons; literal boat loads of people come to this country every year for safety and opportunity. We are not perfect, but you don’t have to worry about whether you’re going to wake up in the morning because your neighbor looks, talks, or worships differently than you do. If you’ve ever spent any time in the Balkans you know it doesn’t take much, or long, for people to revert to their worst instincts if given half a chance.

As significant a threat as ransomware is to government at all levels, the remedy could not be more mundane: an effective backup scheme with off-line storage. It is a basic IT system administration task that has been a part of information infrastructures, large and small, for decades. There is a security component to the problem to be sure, but remember that we’re talking about state and local government: there is barely money to operate, period, much less operate and invest in a SOC, bleeding-edge, next-gen security tech and rare-as-hen’s-teeth security talent. I mean, if the nation’s preeminent cybersecurity organization can’t get it right, Pawnee, IN has no chance.

So what is a citizen to do, if she has a reasonable expectation that her home town is going to fare just as poorly – or worse – than any of the cities that have been impacted by ransomware?

  1. Engage. Public officials work for you (in a round-about way). You have every right, and they are obliged, to meet with you at a mutually convenient time to talk about what they’re doing to prepare for this threat. Attend the next town hall meeting and sign up to speak. Let your neighbors know that this is an issue and get your mayor’s, city manager’s, and city council members’ responses on the record. Your raising the issue might be the fodder the IT manager or other official needs to make this an agenda – and budget – item.
  2. Prepare. It’s one thing to squirrel away 30 lbs of mac and cheese in anticipation of the apocalypse, it’s another to make sure you’ve got all your paperwork and records in order in case the city does not and you still have to conduct some sort of official business. Find the originals and make copies of your latest city-related bills and assessments. Deeds, leases, mortgage/loan statements, etc. Store them in a safe place (literally, a safe, ideally) that you can access in case the town hall goes dark. Be the one person in this relationship who has documentation.
  3. Save. If you know there is a tax, water, or other bill due when things go dark, set that money aside. Eventually things will get back to normal and the city is going to want their money. They can blame hackers for their problems, you cannot.
  4. Prepare Some More. Think about all the things your city provides in the way of services. Not just fire and police, but maintenance, refuse, traffic lights, toll booths, in some cases utilities like water, sewer, and power. If all of that went away tomorrow, would you be able to live in your home for any length of time? Again, no need to go all Mad Max, but you should think about how long you might have to operate without services and come up with a plan to stay with friends/family who are not impacted.
  5. To Arms. We’ve been focusing on what happens when ransomware disables a government, but it can just as easily disable you. What do you not have that cities do? The ability to levy taxes and get others to pay for your negligence. Update and patch your OS and applications. Make sure your firewall is running and properly configured. Make sure you are making regular backups of your data, validate them, and store copies off-line. You might not survive an initial ransomware attack, but you can be resilient enough to overcome its effects.

Ransomware might not be the downfall of civilization, but as it grows unchecked (there is no indication that a national mobilization against the problem is forthcoming) it’s going to make things damned inconvenient and spark a number of difficult conversations at the federal, state, tribal, and local levels about what priority information technology should have in American society going forward. If we do this right, ransomware might be the reason why we finally start to address these problems up and down the governmental ‘stack’, down to the level of the individual citizen. If we get it wrong, well, welcome to Bartertown.

 

Michael Tanji

About the Author

Michael Tanji spent nearly 20 years in the US intelligence community. Trained in both SIGINT and HUMINT disciplines he has worked at the Defense Intelligence Agency, the National Security Agency, and the National Reconnaissance Office. At various points in his career he served as an expert in information warfare, computer network operations, computer forensics, and indications and warning. A veteran of the US Army, Michael has served in both strategic and tactical assignments in the Pacific Theater, the Balkans, and the Middle East.