Map Reveals Cyberattack Risk for all 50 States

By

Ian Randall is Newsweek’s Deputy Science Editor, based in Royston, U.K. His focus is reporting on science and health. He has covered archeology, geology, and physics extensively. Ian joined Newsweek in 2023 from the Daily Express U.S. and had previously worked at Express.co.uk and MailOnline, alongside freelancing for various specialist science publications including Science, Physics World and Chemistry World. He is a graduate of the University of Oxford and City, University of London. You can get in touch with Ian by emailing i.randall@newsweek.com. Languages: English.

Ian Randall

Deputy Science Editor

A new map has revealed the cyberattack risk for thousands of county governments across all 50 U.S. states.

Developed by researchers from the University of Maryland, the map reveals that risk is heightened in California and the Southeastern U.S.—particularly Florida and Virginia.

“This is a big issue, and we’re putting real, holistic numbers around the risk level posed by cybercriminals to critical infrastructure,” said paper author and former National Security Agency (NSA) intelligence officer professor Charles Harry in a statement.

As the researchers explain, state and federal governments cannot control the cybersecurity measures adopted by individual municipalities.

They can, however, incentivize enhanced security via grants, with the team hoping that their findings will help authorities prioritize such investments.

The research has been published mere months after the City of Columbus, Ohio fell victim to a cyberattack from the Rhysida hacker group in July, 2024.

The attackers lifted personal information relating to some half a million residents, with the goal of extorting the city to the sum of $1.7 million. The stolen data was subsequently leaked online.

According to the Center for Internet Security, malware attacks on state and local governments have more than doubled between 2022 and 2023.

In their study, Harry and colleagues collected data on 42,735 Internet-facing devices and 51,487 open network ports across 3,095 local governments—representing 98 percent of all U.S. counties.

Having assessed the potential points of entry and vulnerabilities an attacker could exploit, the team plotted their data into a “heat map” of cybersecurity risk.

(The researchers have steered clear of singling out particular counties, they explained, for fear they might unintentionally lead hackers to vulnerable targets.)

“County governments are neglected when it comes to cybersecurity—it’s a black box,” said paper co-author and social scientist professor Ido Sivan-Sevilla in a statement.

“Through our computational tools, we bring a glimpse into what’s happening, assess weak sports and determine where we should direct resources.”

The team also report that the two most common types of vulnerabilities are a misconfigured domain-name service (DNS — the system that turns user-friendly domain names into the IP addresses used to identify devices online) and insecure authorizations (when a system fails to confirm identities properly, allowing an attacker to masquerade as legitimate user.)

The researchers say that they would like to work proactively with state governments to address the vulnerabilities they have identified—and also to apply their method to sectors like hospitals, schools and transit systems.

In fact, the team recently briefed the National Governors Association about their findings, and are reaching out to 19 counties which they say need to take immediate action.

“I’m frankly sick and tired of people saying, ‘Oh it’s a hard problem we can’t solve’,” said Harry.

He added: “With this integrated approach, we’re a little closer to the truth.”

Do you have a tip on a science story that Newsweek should be covering? Do you have a question about cybersecurity? Let us know via science@newsweek.com.

Reference:

Harry, C., Sivan-Sevilla, I., & McDermott, M. (2025). Measuring the size and severity of the integrated cyber attack surface across US county governments. Journal of Cybersecurity, 11(1). https://doi.org/10.1093/cybsec/tyae032