U.S. County Governments (Collective)

Researchers from the University of Maryland uncovered systemic cybersecurity vulnerabilities across **3,095 U.S. county governments** (98% of all counties), identifying **42,735 internet-facing devices** exposed to potential exploits. The study revealed critical gaps in security measures for public-facing nodes, databases, and online services—including school boards, wastewater systems, housing, elections, and emergency response infrastructure. Counties, often constrained by limited budgets, lack visibility into their cyberattack surface, making them prime targets for hackers seeking initial attack vectors. The exposed vulnerabilities (e.g., unpatched CVEs) risk compromising **sensitive citizen data**, disrupting **essential services** (water, elections, police response), and enabling cascading attacks on regional economies. The researchers avoided active probing to prevent exacerbating risks and relied on passive reconnaissance (via OSINT tools like Shodan/Censys). Their findings indicate that poor cyber resilience at the local level could lead to **disastrous societal consequences**, including service outages, data breaches, or even threats to public safety if critical infrastructure (e.g., water treatment) is targeted.

Source: https://www.afcea.org/signal-media/cyber-edge/crucial-first-look-nations-cyber-attack-surfaces

TPRM report: https://www.rankiteo.com/company/nacodc

"id": "nac5693056100125",
"linkid": "nacodc",
"type": "Vulnerability",
"date": "10/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'customers_affected': 'U.S. citizens relying on county '
                                              'services (e.g., schools, '
                                              'housing, emergency response)',
                        'industry': ['Government Administration',
                                     'Public Services',
                                     'Critical Infrastructure (e.g., water, '
                                     'elections)'],
                        'location': 'United States (all 50 states)',
                        'name': 'U.S. County Governments (3,095 counties, 98% '
                                'coverage)',
                        'size': 'Varies (small to large counties)',
                        'type': ['Local Government', 'Public Sector']}],
 'customer_advisories': ['Citizens advised to monitor county communications '
                         'for updates on service security'],
 'data_breach': {'personally_identifiable_information': ['Risk of PII exposure '
                                                         'due to unpatched '
                                                         'vulnerabilities in '
                                                         'public-facing '
                                                         'systems'],
                 'sensitivity_of_data': ['Potential exposure of citizen data '
                                         '(e.g., housing, permits, elections, '
                                         'emergency services)']},
 'date_publicly_disclosed': '2025-01',
 'description': 'Researchers at the University of Maryland conducted a study '
                'to assess the cyber attack surface of U.S. county '
                'governments, identifying vulnerabilities in 42,735 '
                'internet-facing devices across 3,095 counties (98% of all '
                'U.S. counties). The study, published in January 2025 in the '
                '*Journal of Cybersecurity*, highlighted systemic gaps in '
                'cybersecurity resilience at the county level, emphasizing '
                'risks to sensitive citizen data, emergency services, '
                'elections, water supply, and local economies. The research '
                'relied on passive reconnaissance tools (e.g., Shodan, Censys) '
                'and OSINT to map vulnerabilities without exacerbating risks. '
                'Key findings underscore the urgency of addressing '
                'cybersecurity in underfunded local governments, which are '
                "often targeted as 'weakest links' by threat actors.",
 'impact': {'brand_reputation_impact': ['Highlighted systemic neglect of '
                                        'county-level cybersecurity, risking '
                                        'public trust in local government '
                                        'digital services'],
            'identity_theft_risk': ['Sensitive citizen data (e.g., housing, '
                                    'permits, elections) at risk due to '
                                    'inadequate protections'],
            'operational_impact': ['Potential risks to emergency services, '
                                   'elections, water supply, and local '
                                   'economies due to unaddressed '
                                   'vulnerabilities'],
            'systems_affected': ['42,735 internet-facing devices across 3,095 '
                                 'U.S. counties']},
 'initial_access_broker': {'high_value_targets': ['Public-facing databases, '
                                                  'election systems, emergency '
                                                  'service networks']},
 'investigation_status': 'Completed (published in January 2025)',
 'lessons_learned': ['County governments are critically under-resourced for '
                     'cybersecurity, despite managing sensitive data and '
                     'infrastructure.',
                     'Passive reconnaissance tools (e.g., Shodan, Censys) can '
                     'effectively map attack surfaces without increasing risk.',
                     'Lack of visibility into county-level vulnerabilities '
                     'creates systemic risks for elections, emergency '
                     'services, and public trust.',
                     'Collaborative research can drive policy changes and '
                     'resource allocation for local government cybersecurity.'],
 'motivation': ['Academic Research', 'Public Awareness', 'Policy Advocacy'],
 'post_incident_analysis': {'corrective_actions': ['Advocate for federal/state '
                                                   'cybersecurity grants for '
                                                   'counties',
                                                   'Establish a national '
                                                   'repository for '
                                                   'county-level vulnerability '
                                                   'data (anonymized)',
                                                   'Mandate regular '
                                                   'cybersecurity audits for '
                                                   'local governments',
                                                   'Develop training programs '
                                                   'for county IT staff on '
                                                   'threat detection and '
                                                   'response'],
                            'root_causes': ['Chronic underfunding of county '
                                            'cybersecurity programs',
                                            'Lack of standardized security '
                                            'protocols across local '
                                            'governments',
                                            'Limited visibility into attack '
                                            'surfaces due to decentralized IT '
                                            'management',
                                            'Over-reliance on outdated or '
                                            'unpatched systems']},
 'recommendations': ['Increase funding and resources for county cybersecurity '
                     'programs.',
                     'Implement continuous monitoring of public-facing assets '
                     'using OSINT tools.',
                     'Develop standardized cybersecurity frameworks tailored '
                     'to local governments.',
                     'Prioritize patching of known CVEs in county IT '
                     'infrastructure.',
                     'Enhance public-private partnerships to share threat '
                     'intelligence and best practices.'],
 'references': [{'date_accessed': '2025-01',
                 'source': 'Journal of Cybersecurity (UK)'},
                {'source': 'University of Maryland College of Information '
                           'Studies'}],
 'response': {'communication_strategy': ['Publication in *Journal of '
                                         'Cybersecurity* (January 2025)',
                                         'Media outreach to raise awareness'],
              'containment_measures': ['Passive reconnaissance to avoid '
                                       'exacerbating vulnerabilities',
                                       'Secure Python application for data '
                                       'analysis'],
              'enhanced_monitoring': ['Recommendation for counties to adopt '
                                      'continuous monitoring via OSINT tools '
                                      '(e.g., Shodan, Censys)']},
 'stakeholder_advisories': ['Urgent need for federal/state support to address '
                            'county-level cybersecurity gaps'],
 'title': "Holistic Assessment of U.S. County Governments' Cyber Attack "
          'Surface',
 'type': ['Research Study',
          'Vulnerability Assessment',
          'Cyber Attack Surface Analysis'],
 'vulnerability_exploited': ['Unspecified CVEs identified via Shodan/Censys '
                             'scans',
                             'Public-facing nodes and databases with '
                             'inadequate security controls']}