"We're putting real, holistic numbers around the risk level posed by cybercriminals to critical infrastructure," said cybersecurity expert Charles Harry.
A new map has revealed the cyberattack risk for thousands of county governments across all 50 U.S. states.
Developed by researchers from the University of Maryland, the map reveals that risk is heightened in California and the Southeastern U.S.—particularly Florida and Virginia.
"This is a big issue, and we're putting real, holistic numbers around the risk level posed by cybercriminals to critical infrastructure," said paper author and former National Security Agency (NSA) intelligence officer professor Charles Harry in a statement.
As the researchers explain, state and federal governments cannot control the cybersecurity measures adopted by individual municipalities.
They can, however, incentivize enhanced security via grants, with the team hoping that their findings will help authorities prioritize such investments.
The research has been published mere months after the City of Columbus, Ohio, fell victim to a cyberattack from the Rhysida hacker group in July 2024.
The attackers lifted personal information relating to some half a million residents, with the goal of extorting the city to the sum of $1.7 million. The stolen data was subsequently leaked online.
According to the Center for Internet Security, malware attacks on state and local governments more than doubled between 2022 and 2023.
[Figure: The heatmap of US cybersecurity risk produced by researchers from the University of Maryland. Credit: Journal of Cybersecurity / University of Maryland]
In their study, Harry and colleagues collected data on 42,735 Internet-facing devices and 51,487 open network ports across 3,095 local governments—representing 98 percent of all U.S. counties.
Having assessed the potential points of entry and vulnerabilities an attacker could exploit, the team plotted their data into a "heat map" of cybersecurity risk.
(The researchers have steered clear of singling out particular counties, they explained, for fear they might unintentionally lead hackers to vulnerable targets.)
"County governments are neglected when it comes to cybersecurity—it's a black box," said paper co-author and social scientist professor Ido Sivan-Sevilla in a statement.
"Through our computational tools, we bring a glimpse into what's happening, assess weak spots and determine where we should direct resources."
The team also report that the two most common types of vulnerabilities are a misconfigured domain-name service (DNS, the system that turns user-friendly domain names into the IP addresses used to identify devices online) and insecure authorizations (when a system fails to confirm identities properly, allowing an attacker to masquerade as a legitimate user).
The researchers say that they would like to work proactively with state governments to address the vulnerabilities they have identified—and also to apply their method to sectors like hospitals, schools and transit systems.
In fact, the team recently briefed the National Governors Association about their findings, and are reaching out to 19 counties which they say need to take immediate action.
"I'm frankly sick and tired of people saying, 'Oh it's a hard problem we can't solve'," said Harry.
He added: "With this integrated approach, we're a little closer to the truth."
Reference:
Harry, C., Sivan-Sevilla, I., & McDermott, M. (2025). Measuring the size and severity of the integrated cyber attack surface across US county governments. Journal of Cybersecurity, 11(1). https://doi.org/10.1093/cybsec/tyae032