{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,26]],"date-time":"2026-03-26T16:46:52Z","timestamp":1774543612649,"version":"3.50.1"},"reference-count":51,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2025,1,17]],"date-time":"2025-01-17T00:00:00Z","timestamp":1737072000000},"content-version":"vor","delay-in-days":16,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025,1,17]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>Limited methodologies to measure, enumerate, aggregate, and evaluate the cyber attack surface of US county governments prevent the full estimation of the importance of local government cybersecurity to national resilience. Our study aims to address this gap. We further develop existing OSINT-based methodologies to measure the attack surface and assess the size and vulnerability of publicly accessible county infrastructures. By collecting data on 42\u2009735 Internet-facing devices across 3095 US county governments (98% of all counties), we show, for the first time, variations in size, diversity, and vulnerability of exposed county government attack surfaces. We develop and compare service- and Common Vulnerability Exposure (CVE)-based measures for attack surface diversity and severity, each showing different correlation trends with county population. We also highlight the lack of correlation between density of CVEs and likelihood of exploitation and develop measures to quantify the risk, revealing the impact of county government vulnerability on national cyber resilience. Previously studied as islands of insecurity, our novel empirical approach holistically estimates potential county vulnerability to common attack vectors upon service misconfiguration and aggregates CVEs, their severity, and probability of exploitation across county infrastructures, shedding light on the integrated and aggregated attack surface exposed across US county governments.<\/jats:p>","DOI":"10.1093\/cybsec\/tyae032","type":"journal-article","created":{"date-parts":[[2025,1,17]],"date-time":"2025-01-17T13:06:29Z","timestamp":1737119189000},"source":"Crossref","is-referenced-by-count":6,"title":["Measuring the size and severity of the integrated cyber attack surface across US county governments"],"prefix":"10.1093","volume":"11","author":[{"given":"Charles","family":"Harry","sequence":"first","affiliation":[{"name":"School of Public Policy, University of Maryland , College Park, MD 20740 ,","place":["United States"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2194-5006","authenticated-orcid":false,"given":"Ido","family":"Sivan-Sevilla","sequence":"additional","affiliation":[{"name":"College of Information, University of Maryland , College Park, MD 20740 ,","place":["United States"]}]},{"given":"Mark","family":"McDermott","sequence":"additional","affiliation":[{"name":"Center for the Governance of Technology and Systems, University of Maryland , College Park, MD 20740 ,","place":["United States"]}]}],"member":"286","published-online":{"date-parts":[[2025,1,17]]},"reference":[{"key":"2025021914452970000_bib1","volume-title":"Cyberspace Solarium Commission Report","author":"King","year":"2020"},{"key":"2025021914452970000_bib2","doi-asserted-by":"crossref","first-page":"895","DOI":"10.1111\/puar.13028","article-title":"Cyberattacks at the grass roots: American local governments and the need for high levels of cybersecurity","volume":"79","author":"Norris","year":"2019","journal-title":"Public Adm Rev"},{"key":"2025021914452970000_bib3","doi-asserted-by":"crossref","first-page":"451","DOI":"10.1111\/j.1467-9906.2012.00640.x","article-title":"Cybersecurity at the local government level: balancing demands for transparency and privacy rights","volume":"35","author":"Macmanus","year":"2013","journal-title":"J Urban Aff"},{"key":"2025021914452970000_bib4","volume-title":"State of Cybersecurity in Local, State & Federal Government.","author":"Ponemon Institute","year":"2015"},{"key":"2025021914452970000_bib5","doi-asserted-by":"crossref","first-page":"302","DOI":"10.1080\/23738871.2020.1792956","article-title":"The cybersecurity of municipalities in the United States: an exploratory survey of policies and practices","volume":"5","author":"Hatcher","year":"2020","journal-title":"J Cyber Pol"},{"key":"2025021914452970000_bib6","doi-asserted-by":"crossref","first-page":"294","DOI":"10.1080\/23738871.2023.2178319","article-title":"Cyberattacks on local governments 2020: findings from a key informant survey","volume":"7","author":"Norris","year":"2022","journal-title":"J Cyber Pol"},{"key":"2025021914452970000_bib7","doi-asserted-by":"publisher","DOI":"10.1515\/jhsem-2012-0003","article-title":"Cybersecurity policy-making at the local government level: an analysis of threats, preparedness, and bureaucratic roadblocks to success","volume":"9","author":"Caruson","year":"2012","journal-title":"J Homeland Secur Emer Manag"},{"key":"2025021914452970000_bib8","article-title":"The state of ransomware in government 2021","author":"Sophos","year":"2021"},{"key":"2025021914452970000_bib9","doi-asserted-by":"crossref","first-page":"614","DOI":"10.1177\/1078087420973760","article-title":"Municipal cybersecurity: more work needs to be done","volume":"58","author":"Preis","year":"2022","journal-title":"Urban Aff Rev"},{"key":"2025021914452970000_bib10","article-title":"Cyberattack on records vendor affects scores of US counties","author":"Bagwe","year":"2023"},{"key":"2025021914452970000_bib11","article-title":"A 2020 ransomware attack is still harming Baltimore teachers","volume-title":"Washington Post","author":"Marks","year":"2022"},{"key":"2025021914452970000_bib12","doi-asserted-by":"crossref","first-page":"101703","DOI":"10.1016\/j.giq.2022.101703","article-title":"Determinants of cyber-incidents among small and medium US cities","volume":"39","author":"Caldarulo","year":"2022","journal-title":"Govt Inf Quart"},{"key":"2025021914452970000_bib13","volume-title":"Critical Infrastructure: Long-Term Trends and Drivers and Their Implications for Emergency Management","author":"DHS","year":"2011"},{"key":"2025021914452970000_bib14","volume-title":"Cyber Risk Economics Capability Gaps Research Strategy","author":"DHS","year":"2018"},{"key":"2025021914452970000_bib15","volume-title":"Internet Crime Report","author":"Federal Bureau of Investigation","year":"2022"},{"key":"2025021914452970000_bib16","article-title":"Measuring policy effectiveness of cyber defensibility and deterrence","author":"Healey","year":"2024"},{"key":"2025021914452970000_bib17","first-page":"0103","article-title":"Detecting security vulnerabilities on internet-connected devices","volume-title":"DAAAM Proceedings","author":"Lovric","year":"2023","edition":"1st edn."},{"key":"2025021914452970000_bib18","article-title":"Cyber attack surface mapping for offensive security testing","author":"Everson","year":"2023"},{"key":"2025021914452970000_bib19","doi-asserted-by":"crossref","first-page":"73","DOI":"10.23919\/CyCon51939.2021.9468304","article-title":"Epidemic? The attack surface of German hospitals during the COVID-19 Pandemic","volume-title":"Proceedings of the 2021 13th International Conference on Cyber Conflict (CyCon)","author":"Klick","year":"2021"},{"key":"2025021914452970000_bib20","article-title":"Mapping the attack surface of telecommunication networks from the public internet","author":"Rathi","year":"2023"},{"key":"2025021914452970000_bib21","doi-asserted-by":"publisher","DOI":"10.22541\/au.172114508.86122493\/v1","article-title":"Risk assessment for critical infrastructure: a novel approach using OSINT Framework","author":"Pervez","year":"2024","journal-title":"Authorea"},{"key":"2025021914452970000_bib22","article-title":"Resilience to cyber-attacks in critical infrastructures of Portugal","author":"Pereira","year":"2021"},{"key":"2025021914452970000_bib23","doi-asserted-by":"crossref","first-page":"102939","DOI":"10.1016\/j.cose.2022.102939","article-title":"Aggregate attack surface management for network discovery of operational technology","volume":"123","author":"Ashley","year":"2022","journal-title":"Comput Secur"},{"key":"2025021914452970000_bib51","doi-asserted-by":"crossref","first-page":"109","DOI":"10.1007\/0-387-24006-3_8","article-title":"Measuring relative attack surfaces","volume-title":"Computer Security in the 21st Century","author":"Howard","year":"2005"},{"key":"2025021914452970000_bib24","doi-asserted-by":"crossref","first-page":"94","DOI":"10.1016\/j.infsof.2018.07.008","article-title":"Attack surface definitions: a systematic literature review","volume":"104","author":"Theisen","year":"2018","journal-title":"Inf Softw Technol"},{"key":"2025021914452970000_bib25","volume-title":"Security and Privacy Controls for Information Systems and Organizations","author":"NIST","year":"2020"},{"key":"2025021914452970000_bib26","article-title":"Hundreds of devices found violating new CISA federal agency directive","author":"Gatlan","year":"2023"},{"key":"2025021914452970000_bib27","article-title":"Counties and Statistically Equivalent Areas of the United States, Puerto Rico, and the Island Areas (2020). Census.gov","author":"US Census Bureau","year":"2020"},{"key":"2025021914452970000_bib28","article-title":"A complete list of .gov domains","author":"GSA","year":"2014"},{"key":"2025021914452970000_bib29","article-title":"Exposure Management and Threat Hunting Solutions","author":"Censys","year":"2023"},{"key":"2025021914452970000_bib30","volume-title":"State and Local Government","author":"The White House"},{"key":"2025021914452970000_bib31","volume-title":"Counties as Service Delivery Agents: Changing Expectations and Roles","author":"Benton","year":"2002","edition":"1st edn."},{"key":"2025021914452970000_bib32","volume-title":"Regions, States and Territories","author":"FEMA.gov","year":"2022"},{"key":"2025021914452970000_bib33","article-title":"Service name and transport protocol port number registry","author":"IANA","year":"2023"},{"key":"2025021914452970000_bib34","volume-title":"CISA Analysis: Fiscal Year 2023 Risk and Vulnerability Assessments","author":"CISA","year":"2024"},{"key":"2025021914452970000_bib35","article-title":"Buzzing on Christmas Eve: trigona Ransomware in 3 hours","volume-title":"The DFIR Report","author":"DFIR","year":"2024"},{"key":"2025021914452970000_bib36","article-title":"Apache OpenMeetings web conferencing tool exposed to critical vulnerabilities","author":"Lakshmanan","year":"2023"},{"key":"2025021914452970000_bib37","article-title":"Veeam patches critical vulnerabilities in enterprise products","author":"Arghire","year":"2024"},{"key":"2025021914452970000_bib38","article-title":"What is a DNS flood? | DNS flood DDoS attack","author":"CloudFlare","year":"2023"},{"key":"2025021914452970000_bib39","article-title":"Healthcare websites flooded by fake requests in ongoing DDoS attacks","author":"Davis","year":"2023"},{"key":"2025021914452970000_bib40","article-title":"Progress Software releases security advisory for MOVEit transfer","author":"CISA","year":"2023"},{"key":"2025021914452970000_bib41","article-title":"New Mirai malware variant infects linux devices to build DDoS botnet","author":"Toulas","year":"2023"},{"key":"2025021914452970000_bib42","volume-title":"#StopRansomware: BianLian Ransomware Group","author":"CISA","year":"2023"},{"key":"2025021914452970000_bib43","volume-title":"Remote Access: Open Ports Create Targets of Opportunity, Undue Risk","author":"NJCCIC","year":"2017"},{"key":"2025021914452970000_bib44","article-title":"U.S. Says North Korea \u201cdirectly responsible\u201d for WannaCry ransomware attack","author":"Chappell","year":"2017"},{"key":"2025021914452970000_bib45","article-title":"WannaCry explained: a perfect ransomware storm","author":"Fruhlinger","year":"2022"},{"key":"2025021914452970000_bib46","article-title":"Vulnerability CVE-2017-0144 in SMB exploited by WannaCryptor ransomware to spread over LAN","author":"Eset.com","year":"2017"},{"key":"2025021914452970000_bib47","article-title":"Secure SMB Traffic in Windows Server","author":"Microsoft.com","year":"2023"},{"key":"2025021914452970000_bib48","doi-asserted-by":"publisher","DOI":"10.1093\/cybsec\/tyaa015","article-title":"Improving vulnerability remediation through better exploit prediction","volume":"6","author":"Jacobs","year":"2020","journal-title":"J Cybersecur"},{"key":"2025021914452970000_bib49","article-title":"Legislation\u2014SB0754","author":"State of Maryland","year":"2022"},{"key":"2025021914452970000_bib50","article-title":"Volt Typhoon targets US critical infrastructure with living-off-the-land techniques","author":"Microsoft Threat Intelligence","year":"2023"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/11\/1\/tyae032\/61484215\/tyae032.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/11\/1\/tyae032\/61484215\/tyae032.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,2,19]],"date-time":"2025-02-19T14:46:04Z","timestamp":1739976364000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyae032\/7959399"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"references-count":51,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2025,1,17]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyae032","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2025]]},"published":{"date-parts":[[2025]]},"article-number":"tyae032"}}