Local Government on the Attack Surface
How grand juries across 21 counties documented ransomware threats, training gaps, and the structural vulnerabilities of local government IT — before and after the attacks arrived
Generated 2026-07-05 from grand jury data through that date.
Key Findings at a Glance
Cybersecurity has emerged as one of the fastest-growing themes in California grand jury history. From near-zero before 2016, the topic has grown to 648 findings and 848 recommendations across 21 counties. No other grand jury topic has shown this rate of acceleration — and the investigations are still intensifying.
Grand juries are documenting the same structural vulnerabilities in county after county: decentralized IT, inadequate training, no incident response plans, and a wave of ransomware attacks exposing the gap between preparation and threat. The pattern is consistent enough to constitute a statewide finding, even though each jury investigated independently.
The Hockey Stick: Cybersecurity Enters the Grand Jury Spotlight
Cybersecurity was virtually absent from grand jury reports before 2016. By 2022, grand juries were producing hundreds of cybersecurity-related findings per year. The trajectory is unlike anything else in grand jury oversight history.
Rates based on digitized reports; coverage incomplete before 2005.
The inflection point was 2017–2018, when high-profile ransomware attacks on public agencies — including a 2018 ransomware attack that shut down Atlanta’s city government for weeks — prompted grand juries across California to ask a simple question: could it happen here? The answer, almost universally, was yes.
The 60 ransomware-specific findings since 2019 signal that the threat has moved from theoretical to operational. Counties are being targeted, systems are being compromised, and grand juries are documenting the consequences.
Growth by Era
| Era | Findings | Rate/100 | Counties | Avg/Year |
|---|---|---|---|---|
| 2005–2015 | 20 | 0.2 | 8 | 2 |
| 2016–2019 | 127 | 3.3 | 9 | 32 |
| 2020–present | 501 | 9.2 | 16 | 84 |
The post-2020 surge reflects both the increasing frequency of attacks and a growing grand jury awareness that cybersecurity preparedness is a legitimate subject of citizen oversight — not just a technical matter for IT departments.
What Grand Juries Are Finding
Across 21 counties, grand juries identify a consistent pattern of structural vulnerabilities. The findings cluster around six themes that appear repeatedly, in different counties, across different years:
- Decentralized IT without security standards: County departments, special districts, and cities operate independent IT systems with no centralized security oversight. Each unit makes its own decisions about software, backups, and access controls — creating an inconsistent patchwork that attackers can probe for the weakest link.
- Inadequate training: 55 findings cite insufficient cybersecurity awareness training. Employees receive little instruction on recognizing phishing emails, social engineering, or password hygiene. Simulated phishing tests routinely reveal click rates that would alarm any security professional.
- No incident response plans: Many agencies lack formal procedures for responding to a breach or ransomware attack. When something goes wrong, they are forced to improvise under crisis conditions.
- Outdated vendor contracts and legacy systems: Contracts with third-party IT providers often contain no security requirements, business continuity clauses, or breach notification provisions. End-of-life hardware and software remain in service long after vendor support ends.
- No dedicated cybersecurity leadership: Small cities and districts often have no one with explicit responsibility for cybersecurity. When incidents occur, there is no clear chain of command.
- Phishing as the primary vector: 33 findings specifically mention phishing. Employees regularly fall for simulated phishing tests, and real phishing campaigns have compromised county systems.
The Ransomware Threat
All 60 ransomware-specific findings appeared after 2019. In that span, grand juries across California documented a threat that has shifted from abstract to operational — with consequences measured in days of service disruption, six- and seven-figure recovery costs, and exposed resident data.
Three gaps appear in nearly every ransomware-related finding:
- No payment policy: Agencies lack guidance on whether and when to pay ransoms. Without a pre-established policy, decision-makers face an impossible choice under crisis conditions, often with attackers imposing payment deadlines measured in hours.
- No immutable backups: Standard backups connected to the same network are encrypted alongside production data. Immutable (write-once, offline) backups are the primary technical defense against ransomware, yet many agencies lack them.
- No incident response plan: Without a tested playbook, agencies improvise — delaying notification to residents, miscommunicating with law enforcement, and making recovery decisions under maximum pressure.
The View from Different Californias
The distribution of cybersecurity findings reveals a sharp geographic divide that mirrors the broader disparity in local government capacity across the state.
Bay Area and SoCal dominate. Roughly 90% of all cybersecurity findings come from Bay Area (approximately 229 findings) and Southern California (approximately 203 findings) counties. These are precisely the jurisdictions with the largest IT budgets, most sophisticated grand juries, and highest-profile government agencies — all of which attract more sophisticated attack attempts and more capable investigative capacity.
Central Valley and rural counties are nearly absent. Central Valley counties account for only about 15 cybersecurity findings combined; rural and foothill counties, similarly. This absence is almost certainly not because those counties have better cybersecurity — small, budget-constrained agencies with limited IT staff are among the most vulnerable targets in the country. It reflects the scarcity of investigative capacity: smaller grand juries with fewer technical resources are less likely to undertake multi-month cybersecurity investigations.
Water infrastructure is a recurring target. Multiple juries have investigated cybersecurity at public water utilities, which operate both standard IT networks and industrial control (SCADA) systems that manage physical infrastructure. A successful attack on water-treatment SCADA systems could affect public health, not just government operations. Ventura County's 2021 jury found inconsistent protections across investigated water providers; the implications extend well beyond the agencies named.
School districts are under-investigated. San Diego County is the notable exception, with multiple years of focused investigation into K–12 cybersecurity. The pattern of inadequate training, outdated systems, and missing incident response plans that juries find in county government appears in schools as well — with the added risk that student data is involved.
Top Counties by Finding Volume
A handful of counties account for a disproportionate share of all cybersecurity findings, reflecting sustained multi-year investigation programs:
| County | Findings | |
|---|---|---|
| Marin | 153 | |
| Santa Cruz | 131 | |
| Santa Barbara | 121 | |
| Ventura | 58 | |
| Contra Costa | 46 | |
| San Joaquin | 32 | |
| San Mateo | 27 | |
| Orange | 23 | |
| Mono | 15 | |
| San Diego | 7 |
The concentration of findings in certain counties reflects two different phenomena. Some counties — like Marin and San Diego — have conducted repeated, in-depth investigations over multiple jury terms, building institutional knowledge about what to investigate and how. Others appear because an actual incident prompted a jury to investigate in depth. The distinction matters: the former catches problems before they become crises; the latter is reactive.
What Grand Juries Recommend
The 848 cybersecurity recommendations form a clear consensus across counties and years. Six themes account for the vast majority:
- Centralize oversight: Establish county-wide cybersecurity standards, a central IT security officer with cross-department authority, and enforceable baseline requirements for all agencies
- Mandatory training: Require annual cybersecurity awareness training for all employees and contractors, with mandatory phishing simulations and clear consequences for repeated failures
- Penetration testing: Commission regular third-party penetration tests and vulnerability assessments — not one-time reviews but scheduled, recurring evaluations
- Incident response planning: Develop, test, and annually update formal incident response plans covering breach notification, ransomware payment policy, and recovery procedures
- Accountability to governing boards: Require regular reporting to boards of supervisors and city councils on cybersecurity posture, so elected officials can see the risk they are being asked to accept
- Align to federal standards: Adopt CISA, NIST, and EPA cybersecurity frameworks as the baseline for local government — rather than each agency developing its own ad-hoc approach
The Governance Gap
State-level oversight of cybersecurity focuses on statewide policy frameworks, CDT (California Department of Technology) governance, and large state-agency compliance — not county-by-county preparedness. CDT’s jurisdiction covers state agencies, not counties or special districts.
The result is a governance gap: state policy sets the standard at the top, grand juries document the reality at the bottom, and no one is accountable for closing the distance between them. The 648 grand jury findings examined here suggest that distance is substantial. The specific state oversight reports that apply to cybersecurity appear in the State Oversight Context section below.
Then and Now: How Findings Have Changed
The shift in how grand juries write about cybersecurity is as revealing as the growth in volume. Early findings warned about preparedness gaps in the abstract; recent findings describe specific systems compromised, specific agencies caught unprepared, and specific structural failures that made attacks possible.
Early Warnings (2016–2017)
The first wave of cybersecurity findings read as prospective risk assessments. Juries named vulnerabilities and warned of consequences, but the attacks were still largely hypothetical. Orange County’s 2016 investigation was among the earliest and most comprehensive — a detailed map of exposure that, in retrospect, described problems that would materialize throughout the state over the following decade.
Post-Incident Forensics (2022–2024)
By the early 2020s, the tone had changed. Juries were no longer only warning about what could happen — they were documenting what had happened and asking why agencies were still unprepared years after the warnings. The language shifted from “should consider” to “does not have,” “has not implemented,” and “was unable to respond.”
The structural diagnosis has not changed much between then and now — decentralization, training gaps, missing plans. What has changed is the stakes: the vulnerabilities that were theoretical in 2016 are now regularly exploited.
Counties Reporting
Cybersecurity findings have appeared in grand jury reports from 21 counties:
The 21 counties that have produced cybersecurity findings are disproportionately coastal, urban, and larger by population. The absence of Central Valley and rural counties from this list almost certainly reflects investigative capacity constraints rather than better preparedness. The counties with the fewest resources to investigate are often the same counties with the fewest resources to defend.
State Oversight Context
California's state-level oversight bodies — catalogued at caoversight.org — have also examined this topic. The 1 report below, from Legislative Analyst's Office, provides the broader policy context within which county grand juries operate.
Legislative Analyst's Office (1 report)
- Nonreporting Entities' Information Security Compliance (2023) — 2023-24 BUDGET Nonreporting Entities’ Information Security Compliance GABRIEL PETEK | LEGISLATIVE ANALYST MARCH 2023 www.lao.ca.gov 1 AN LAO REPORT 2 LEGISLATIVE ANALYST’S OFFICE AN LAO REPORT Executive Summary Report Satisfies Supplemental Report Requirement.
These state oversight reports examine many of the same issues from a statewide policy perspective, complementing the county-level ground truth documented by civil grand juries.
Methodology
This report analyzes 648 findings and 848 recommendations extracted from 141 grand jury reports across 21 California counties, spanning jury terms from 2005–2006 through 2025–2026. Findings were identified by keyword matching on “cyber” in extracted text; ransomware findings (60) by matching on “ransomware;” phishing findings (33) by matching on “phishing.” Continuity and compliance reports were excluded. All data is sourced from publicly available grand jury final reports.
Regional estimates (Bay Area, SoCal, Central Valley, Rural) are based on county-level aggregations and should be understood as approximate. Finding counts may include findings where cybersecurity is one of several topics addressed; the analysis captures breadth of coverage, not topical depth.
Quotes were editorially curated to illustrate each section’s argument, selected from a candidate pool ranked by specificity, relevance, and county diversity.
View source reports behind this analysis
This report was generated during our development preview. For a copy of a completed report, contact [email protected].