← All Analysis May 2026
California — all 58 counties

Local Government on the Attack Surface

How grand juries across 21 counties documented ransomware threats, training gaps, and the structural vulnerabilities of local government IT — before and after the attacks arrived

May 2026 · 648 findings across 21 counties, 2005–2026 · View source reports

Generated 2026-07-05 from grand jury data through that date.

Key Findings at a Glance

648Findings
848Recommendations
21Counties
60Ransomware Findings

Cybersecurity has emerged as one of the fastest-growing themes in California grand jury history. From near-zero before 2016, the topic has grown to 648 findings and 848 recommendations across 21 counties. No other grand jury topic has shown this rate of acceleration — and the investigations are still intensifying.

Grand juries are documenting the same structural vulnerabilities in county after county: decentralized IT, inadequate training, no incident response plans, and a wave of ransomware attacks exposing the gap between preparation and threat. The pattern is consistent enough to constitute a statewide finding, even though each jury investigated independently.

The Hockey Stick: Cybersecurity Enters the Grand Jury Spotlight

Cybersecurity was virtually absent from grand jury reports before 2016. By 2022, grand juries were producing hundreds of cybersecurity-related findings per year. The trajectory is unlike anything else in grand jury oversight history.

200520112015201820212024 per 100 reports

Rates based on digitized reports; coverage incomplete before 2005.

The inflection point was 2017–2018, when high-profile ransomware attacks on public agencies — including a 2018 ransomware attack that shut down Atlanta’s city government for weeks — prompted grand juries across California to ask a simple question: could it happen here? The answer, almost universally, was yes.

The 60 ransomware-specific findings since 2019 signal that the threat has moved from theoretical to operational. Counties are being targeted, systems are being compromised, and grand juries are documenting the consequences.

Growth by Era

EraFindingsRate/100CountiesAvg/Year
2005–2015200.282
2016–20191273.3932
2020–present5019.21684

The post-2020 surge reflects both the increasing frequency of attacks and a growing grand jury awareness that cybersecurity preparedness is a legitimate subject of citizen oversight — not just a technical matter for IT departments.

What Grand Juries Are Finding

Across 21 counties, grand juries identify a consistent pattern of structural vulnerabilities. The findings cluster around six themes that appear repeatedly, in different counties, across different years:

  • Decentralized IT without security standards: County departments, special districts, and cities operate independent IT systems with no centralized security oversight. Each unit makes its own decisions about software, backups, and access controls — creating an inconsistent patchwork that attackers can probe for the weakest link.
  • Inadequate training: 55 findings cite insufficient cybersecurity awareness training. Employees receive little instruction on recognizing phishing emails, social engineering, or password hygiene. Simulated phishing tests routinely reveal click rates that would alarm any security professional.
  • No incident response plans: Many agencies lack formal procedures for responding to a breach or ransomware attack. When something goes wrong, they are forced to improvise under crisis conditions.
  • Outdated vendor contracts and legacy systems: Contracts with third-party IT providers often contain no security requirements, business continuity clauses, or breach notification provisions. End-of-life hardware and software remain in service long after vendor support ends.
  • No dedicated cybersecurity leadership: Small cities and districts often have no one with explicit responsibility for cybersecurity. When incidents occur, there is no clear chain of command.
  • Phishing as the primary vector: 33 findings specifically mention phishing. Employees regularly fall for simulated phishing tests, and real phishing campaigns have compromised county systems.
Marin County municipalities should have current, written contracts with third-party providers of Information Technology, Information Systems, and Cybersecurity services, and should not continue to use those providers' services without a current contract.
Preventable human behavior is the main cause of successful cyberattacks.
Scotts Valley does not have a current Cybersecurity Plan that defines security policies, procedures, and controls required to protect its networks and devices, potentially increasing the risks of vulnerabilities.
Quarterly cyber security training is taking place with noteworthy results. However, there’s a lack of visibility to compliance measurements among County executives.
The City of Manteca has an Information Technology Security Policy which has not been updated since 2010, leaving the City relatively unprepared for a cyber event.
The Grand Jury finds inconsistent levels of cybersecurity for IT systems among the investigated water providers.
That some Santa Barbara County school districts are not adequately insured for losses arising from cybersecurity incidents, not insured for cybersecurity or lack sufficient coverage limits.
Some County departments with small IT staffs do not have specialized cyber security personnel.

The Ransomware Threat

All 60 ransomware-specific findings appeared after 2019. In that span, grand juries across California documented a threat that has shifted from abstract to operational — with consequences measured in days of service disruption, six- and seven-figure recovery costs, and exposed resident data.

Three gaps appear in nearly every ransomware-related finding:

  • No payment policy: Agencies lack guidance on whether and when to pay ransoms. Without a pre-established policy, decision-makers face an impossible choice under crisis conditions, often with attackers imposing payment deadlines measured in hours.
  • No immutable backups: Standard backups connected to the same network are encrypted alongside production data. Immutable (write-once, offline) backups are the primary technical defense against ransomware, yet many agencies lack them.
  • No incident response plan: Without a tested playbook, agencies improvise — delaying notification to residents, miscommunicating with law enforcement, and making recovery decisions under maximum pressure.
The lack of immutable backups results in increased risk of disruption to important County operations due to a ransomware attack.
The City of Santa Cruz does not have an Incident Response Plan, and this absence indicates that the City will be challenged in responding to a cyber attack, especially a ransomware attack.
The City of Stockton does not have a formal internal policy concerning payments or procedures in ransomware attacks. This absence of policy could cause confusion, delay, and greater loss of security in the event of an attack.
Ransomware is a real and growing threat to public entities including those in San Mateo County.

The View from Different Californias

The distribution of cybersecurity findings reveals a sharp geographic divide that mirrors the broader disparity in local government capacity across the state.

Bay Area and SoCal dominate. Roughly 90% of all cybersecurity findings come from Bay Area (approximately 229 findings) and Southern California (approximately 203 findings) counties. These are precisely the jurisdictions with the largest IT budgets, most sophisticated grand juries, and highest-profile government agencies — all of which attract more sophisticated attack attempts and more capable investigative capacity.

Central Valley and rural counties are nearly absent. Central Valley counties account for only about 15 cybersecurity findings combined; rural and foothill counties, similarly. This absence is almost certainly not because those counties have better cybersecurity — small, budget-constrained agencies with limited IT staff are among the most vulnerable targets in the country. It reflects the scarcity of investigative capacity: smaller grand juries with fewer technical resources are less likely to undertake multi-month cybersecurity investigations.

Water infrastructure is a recurring target. Multiple juries have investigated cybersecurity at public water utilities, which operate both standard IT networks and industrial control (SCADA) systems that manage physical infrastructure. A successful attack on water-treatment SCADA systems could affect public health, not just government operations. Ventura County's 2021 jury found inconsistent protections across investigated water providers; the implications extend well beyond the agencies named.

School districts are under-investigated. San Diego County is the notable exception, with multiple years of focused investigation into K–12 cybersecurity. The pattern of inadequate training, outdated systems, and missing incident response plans that juries find in county government appears in schools as well — with the added risk that student data is involved.

Top Counties by Finding Volume

A handful of counties account for a disproportionate share of all cybersecurity findings, reflecting sustained multi-year investigation programs:

CountyFindings
Marin153
Santa Cruz131
Santa Barbara121
Ventura58
Contra Costa46
San Joaquin32
San Mateo27
Orange23
Mono15
San Diego7

The concentration of findings in certain counties reflects two different phenomena. Some counties — like Marin and San Diego — have conducted repeated, in-depth investigations over multiple jury terms, building institutional knowledge about what to investigate and how. Others appear because an actual incident prompted a jury to investigate in depth. The distinction matters: the former catches problems before they become crises; the latter is reactive.

What Grand Juries Recommend

The 848 cybersecurity recommendations form a clear consensus across counties and years. Six themes account for the vast majority:

  • Centralize oversight: Establish county-wide cybersecurity standards, a central IT security officer with cross-department authority, and enforceable baseline requirements for all agencies
  • Mandatory training: Require annual cybersecurity awareness training for all employees and contractors, with mandatory phishing simulations and clear consequences for repeated failures
  • Penetration testing: Commission regular third-party penetration tests and vulnerability assessments — not one-time reviews but scheduled, recurring evaluations
  • Incident response planning: Develop, test, and annually update formal incident response plans covering breach notification, ransomware payment policy, and recovery procedures
  • Accountability to governing boards: Require regular reporting to boards of supervisors and city councils on cybersecurity posture, so elected officials can see the risk they are being asked to accept
  • Align to federal standards: Adopt CISA, NIST, and EPA cybersecurity frameworks as the baseline for local government — rather than each agency developing its own ad-hoc approach
The grand jury recommends the Board of Supervisors instruct the Director of IT to implement a process for providing the Board of Supervisors a quarterly report on employee compliance to cybersecurity training. Recommendation to be completed by 10/01/2025.
School districts provide cybersecurity training to all students, at least annually, by the beginning of the 2026-2027 school year.
By October 1, 2024, the Placer County Chief Information Officer will engage with a contractor to perform a penetration testing of the cyber and physical security of Placer County Elections Office in Rocklin, California.
The Grand Jury recommends that the investigated public water providers regularly assess their cybersecurity, addressing both IT and SCADA, consistent with EPA and CISA recommended best practices.
OCIT should establish standardized procedures for conducting periodic cybersecurity vulnerability and penetration testing by 12/31/19. County Response from Sept 2017: This recommendation has been implemented. This process is implemented and is currently being realized through the countywide cyber security audits and assessments. Additionally, OCIT oversees the conduct of a penetration test of t...

The Governance Gap

State-level oversight of cybersecurity focuses on statewide policy frameworks, CDT (California Department of Technology) governance, and large state-agency compliance — not county-by-county preparedness. CDT’s jurisdiction covers state agencies, not counties or special districts.

The result is a governance gap: state policy sets the standard at the top, grand juries document the reality at the bottom, and no one is accountable for closing the distance between them. The 648 grand jury findings examined here suggest that distance is substantial. The specific state oversight reports that apply to cybersecurity appear in the State Oversight Context section below.

Then and Now: How Findings Have Changed

The shift in how grand juries write about cybersecurity is as revealing as the growth in volume. Early findings warned about preparedness gaps in the abstract; recent findings describe specific systems compromised, specific agencies caught unprepared, and specific structural failures that made attacks possible.

Early Warnings (2016–2017)

The first wave of cybersecurity findings read as prospective risk assessments. Juries named vulnerabilities and warned of consequences, but the attacks were still largely hypothetical. Orange County’s 2016 investigation was among the earliest and most comprehensive — a detailed map of exposure that, in retrospect, described problems that would materialize throughout the state over the following decade.

Orange County government entities are prime cyber targets, under constant cyber attack, and both public and private information held by these entities are not adequately protected.
DoIT does not have the staff to extend security oversight from County level to the departmental level. Cybersecurity capabilities vary by department.
The County Terrorism Response And Recovery Contingency Plan was adopted in 2003. It does not include a realistic nor an up-to-date description of the risks associated with cyber-terrorism, such as an attack against computer systems, and methods to respond and recover.

Post-Incident Forensics (2022–2024)

By the early 2020s, the tone had changed. Juries were no longer only warning about what could happen — they were documenting what had happened and asking why agencies were still unprepared years after the warnings. The language shifted from “should consider” to “does not have,” “has not implemented,” and “was unable to respond.”

The lack of consistent periodic external penetration testing and vulnerability scans results in unknown potential exploits which increases the risk of cybersecurity incidents.
The City does not have an individual dedicated as the lead for cyber security, which could lead to inadequate preparation for and response to a cyber attack.
Various low-cost best practices exist that could, if implemented, significantly improve the cybersecurity posture of Marin's cities and towns.

The structural diagnosis has not changed much between then and now — decentralization, training gaps, missing plans. What has changed is the stakes: the vulnerabilities that were theoretical in 2016 are now regularly exploited.

Counties Reporting

Cybersecurity findings have appeared in grand jury reports from 21 counties:

Contra CostaEl DoradoGlennHumboldtKernLos AngelesMarinMonoMontereyOrangePlacerSan DiegoSan JoaquinSan MateoSanta BarbaraSanta ClaraSanta CruzSonomaTulareVenturaYolo

The 21 counties that have produced cybersecurity findings are disproportionately coastal, urban, and larger by population. The absence of Central Valley and rural counties from this list almost certainly reflects investigative capacity constraints rather than better preparedness. The counties with the fewest resources to investigate are often the same counties with the fewest resources to defend.

State Oversight Context

California's state-level oversight bodies — catalogued at caoversight.org — have also examined this topic. The 1 report below, from Legislative Analyst's Office, provides the broader policy context within which county grand juries operate.

Legislative Analyst's Office (1 report)

  • Nonreporting Entities' Information Security Compliance (2023) — 2023-24 BUDGET Nonreporting Entities’ Information Security Compliance GABRIEL PETEK | LEGISLATIVE ANALYST MARCH 2023 www.lao.ca.gov 1 AN LAO REPORT 2 LEGISLATIVE ANALYST’S OFFICE AN LAO REPORT Executive Summary Report Satisfies Supplemental Report Requirement.

These state oversight reports examine many of the same issues from a statewide policy perspective, complementing the county-level ground truth documented by civil grand juries.

Methodology

This report analyzes 648 findings and 848 recommendations extracted from 141 grand jury reports across 21 California counties, spanning jury terms from 2005–2006 through 2025–2026. Findings were identified by keyword matching on “cyber” in extracted text; ransomware findings (60) by matching on “ransomware;” phishing findings (33) by matching on “phishing.” Continuity and compliance reports were excluded. All data is sourced from publicly available grand jury final reports.

Regional estimates (Bay Area, SoCal, Central Valley, Rural) are based on county-level aggregations and should be understood as approximate. Finding counts may include findings where cybersecurity is one of several topics addressed; the analysis captures breadth of coverage, not topical depth.

Quotes were editorially curated to illustrate each section’s argument, selected from a candidate pool ranked by specificity, relevance, and county diversity.

View source reports behind this analysis

This report was generated during our development preview. For a copy of a completed report, contact [email protected].