Expert: City Cyber Response Plans Likely Vulnerable to Ransomware

NBC Universal, Inc.

Nearly three weeks after ransomware crippled one of our county’s biggest health care systems, droves of patients waiting for surgeries and treatments are finally getting back on the books at Scripps Health.

But Scripps Health isn’t alone. In 2019, the city of San Marcos got hit with a cyberattack, forcing city business – like applying for a business permit – to be done in person for an entire month.

Two years later, NBC 7 Investigates wanted to know how prepared other city governments are for similar threats.

NBC 7 Investigates got responses back from 10 cities across San Diego County: Carlsbad, Chula Vista, El Cajon, Encinitas, National City, Oceanside, Santee, San Diego, San Marcos, and Vista.

The city of Vista told NBC 7 Investigates it “faces cyber threats daily.” Carlsbad said it averages “about 35,000 attempts a month from some kind of cyberattack,” and San Diego said “the city experiences regular and ongoing attempts to compromise its systems.”

To combat that, we found out that most cities rely on a shared cyber response plan. NBC 7 is not sharing the details of any plans for security reasons, but one expert said unfortunately, this shared plan could have serious vulnerabilities.

“Having a plan specifically for ransomware is important and very valuable,” said Eric Cole, a former professional hacker for the CIA and author of “Cyber Crisis.” He has experience with city government cybersecurity plans, though none in our county. “The two problems though is a lot of the plans we’ve seen with city governments is it’s focused on general outages and general disasters. So yes, they have a plan, but it doesn’t apply to ransomware.”

Here’s the difference: Most continuity of operations plans (which is what most cities in our county have in place) practice automatic failover and replication. So if there’s a power outage, data gets copied and transferred to a backup location.

The problem is, ransomware usually infects all data storage locations and/or installs a delay. And during that delay, hackers encrypt the data while it’s moving to its backup location, defeating the purpose of the plan.

“Having multiple cities share the same general plan isn’t a bad idea because you can vet and validate,” Cole said. “However, the actual location where your data is going, that should be diversified.”

Cole said the other major component most cities miss when thinking about cybersecurity is prevention. Almost all ransomware comes in via phishing emails.

“I know no city wants to go in and say we don’t allow attachments,” Cole said. “Or we don’t allow embedded links, but if you look at the alternative of getting hit with ransomware, it’s much better to have limited access.”

Cole said if cities don’t take a stricter stance on what kinds of emails they allow and don’t invest in cybersecurity plans, they should start saving to pay off hackers.

Nearly every city said they’ve seen an increase in attempted breaches this past year.

Below are the full responses NBC 7 Investigates received from each city about its cybersecurity response plan, along with a statement from the regional task force working with cities to standardize their plans.


There is a regional effort to standardize efforts, spearheaded through the Law Enforcement Coordination Center. The plan was not approved by council.


The City faces cyber threats daily; but we have not had an event of any kind that had a significant impact on our computer systems or business operations. The City does have a plan in place.  The plan has not been approved by the City Council.


We have not had any ransomware or cyber attacks get through, but we average about 35,000 attempts a month from some kind of cyberattack. We monitor 24/7 and get reports of attempts, but we wouldn’t be able to tell you what the specific type of attack each one was since they didn’t get through our defenses. So, in answer to your question, many threats, no successful attacks.

We have a continuity of government plan in place. Because it is an operational plan rather than a policy document, it is not something approved by the City Council.


The City of San Marcos faced one cyberattack in October 2019.

The City’s cyber insurance provider, California Joint Powers Authority, has a Business Continuity Program in place that outlines the processes and procedures to follow in the event of a cyberattack. Approval by the City Council was not needed given that administrative processes are managed at the staff level and do not require Council approval. The City Council has been informed in great detail both with the circumstances of the event we experienced as well as the steps we’ve taken since.

Following the 2019 threat, the City engaged a cyber security consultant, ePlace Solutions, Inc., to do a comprehensive audit with ongoing annual audits. The City has also implemented a two-factor authentication system and migrated to Microsoft Exchange. For remote access security, the City has implemented the Horizon and Duo platforms, which allow users to remotely log into the City’s servers safely. The City also deployed Carbon Black and Red Canary, both security monitoring systems that scan for attacks and viruses and notify the Information Technology department should anything be detected.


We are fortunate that we have not yet been targeted by any cyber/ransomware attacks, at least not yet. We do have a Continuity of Government Plan and an Emergency Operations Plan. The Emergency Operations Plan was last approved by our City Council on October 20, 2020. The Continuity Plan is not published due to security concerns as you mentioned.


We have not had any known attacks in the date range of Jan 1, 2019 to present. As with any other public or private organization we continually face the ever evolving cyber threats that are out there. In the event of a ransomware attack the City’s Information Technologies staff would follow internal IT related policies and plans that are structured towards cyber related incidents.


Like any organization of a similar size, the City experiences regular and ongoing attempts to compromise its systems. The City follows best practices, utilizes a layered defense approach, and continuously evolves its tactics as new threats emerge.

The City follows standard security practices in incident response as well as disaster preparation and recovery. The City also works regularly with the FBI, the U.S. Department of Homeland Security and the San Diego Law Enforcement Coordination Center to develop a proactive cybersecurity posture with threat intelligence, vulnerability analysis and proactive risk awareness. In addition, annual cyber awareness training is mandatory for all City employees.


The City of Encinitas has not experienced any successful ransomware attacks but has experienced an exponential increase in attempted breaches since 2019.

The City has an Emergency Operations Manual and Cyber Incident Response Plan that are used internally by staff during emergencies including cybersecurity responses.


The City of Chula Vista has had no cyber or ransomware attacks or threats.

In addition, we do not have a Continuity of Government Plan.

The City has cyber security control measures in place and constantly monitors threats against our established infrastructure. The Information Technology Services Department would respond to any cyber incident with assistance from partner agencies throughout the county. The City’s security controls and methodologies are based on the National Institute of Standards and Technology (NIST) Cyber Security Framework.


In general, cyber threats and attempted attacks are persistent and ongoing to the City of Santee and all government agencies.  Due to security concerns, we cannot release either the extent or number of threats that we have experienced.  However, I can confirm that we saw an increase in the number of attempts in 2020 during the pandemic.

The City of Santee does have disaster preparedness and recovery plans, which include back-up and offsite contingencies to allow for continuity of operations should data be compromised.  However, we would be putting the City and our community at extreme risk if we disclosed further details.


The basis of the regional cyber incident response plan was first developed through a series of planning meetings led by County OES around 2015. As incidents became more rampant and the type of attacks evolved, we started looking into improving on how we coordinate response to make it a more holistic approach that includes all levels of government.

The majority of attacks were ransomware. The plan addresses any cyber attack that has an operational impact on organizations, including ransomware.
