TY - JOUR
T1 - Measuring the size and severity of the integrated cyber attack surface across US county governments
AU - Harry, Charles
AU - Sivan-Sevilla, Ido
AU - McDermott, Mark
N1 - Publisher Copyright:
© The Author(s) 2025.
PY - 2025
Y1 - 2025
N2 - Limited methodologies to measure, enumerate, aggregate, and evaluate the cyber attack surface of US county governments prevent the full estimation of the importance of local government cybersecurity to national resilience. Our study aims to address this gap. We further develop existing OSINT-based methodologies to measure the attack surface and assess the size and vulnerability of publicly accessible county infrastructures. By collecting data on 42 735 Internet-facing devices across 3095 US county governments (98% of all counties), we show, for the first time, variations in size, diversity, and vulnerability of exposed county government attack surfaces. We develop and compare service- and Common Vulnerability Exposure (CVE)-based measures for attack surface diversity and severity, each showing different correlation trends with county population. We also highlight the lack of correlation between density of CVEs and likelihood of exploitation and develop measures to quantify the risk, revealing the impact of county government vulnerability on national cyber resilience. Previously studied as islands of insecurity, our novel empirical approach holistically estimates potential county vulnerability to common attack vectors upon service misconfiguration and aggregates CVEs, their severity, and probability of exploitation across county infrastructures, shedding light on the integrated and aggregated attack surface exposed across US county governments.
AB - Limited methodologies to measure, enumerate, aggregate, and evaluate the cyber attack surface of US county governments prevent the full estimation of the importance of local government cybersecurity to national resilience. Our study aims to address this gap. We further develop existing OSINT-based methodologies to measure the attack surface and assess the size and vulnerability of publicly accessible county infrastructures. By collecting data on 42 735 Internet-facing devices across 3095 US county governments (98% of all counties), we show, for the first time, variations in size, diversity, and vulnerability of exposed county government attack surfaces. We develop and compare service- and Common Vulnerability Exposure (CVE)-based measures for attack surface diversity and severity, each showing different correlation trends with county population. We also highlight the lack of correlation between density of CVEs and likelihood of exploitation and develop measures to quantify the risk, revealing the impact of county government vulnerability on national cyber resilience. Previously studied as islands of insecurity, our novel empirical approach holistically estimates potential county vulnerability to common attack vectors upon service misconfiguration and aggregates CVEs, their severity, and probability of exploitation across county infrastructures, shedding light on the integrated and aggregated attack surface exposed across US county governments.
KW - Attack Surface
KW - County Government Cybersecurity
KW - Cyber Risk Quantification
KW - OSINT Cyber Research
UR - http://www.scopus.com/inward/record.url?scp=85216411180&partnerID=8YFLogxK
U2 - 10.1093/cybsec/tyae032
DO - 10.1093/cybsec/tyae032
M3 - ???researchoutput.researchoutputtypes.contributiontojournal.article???
AN - SCOPUS:85216411180
SN - 2057-2093
VL - 11
JO - Journal of Cybersecurity
JF - Journal of Cybersecurity
IS - 1
M1 - tyae032
ER -