Abstract
Limited methodologies to measure, enumerate, aggregate, and evaluate the cyber attack surface of US county governments prevent the full estimation of the importance of local government cybersecurity to national resilience. Our study aims to address this gap. We further develop existing OSINT-based methodologies to measure the attack surface and assess the size and vulnerability of publicly accessible county infrastructures. By collecting data on 42,735 Internet-facing devices across 3,095 US county governments (98% of all counties), we show, for the first time, variations in size, diversity, and vulnerability of exposed county government attack surfaces. We develop and compare service-based and Common Vulnerabilities and Exposures (CVE)-based measures for attack surface diversity and severity, each showing different correlation trends with county population. We also highlight the lack of correlation between density of CVEs and likelihood of exploitation and develop measures to quantify the risk, revealing the impact of county government vulnerability on national cyber resilience. Whereas county governments have previously been studied as islands of insecurity, our novel empirical approach holistically estimates potential county vulnerability to common attack vectors in the event of service misconfiguration and aggregates CVEs, their severity, and probability of exploitation across county infrastructures, shedding light on the integrated and aggregated attack surface exposed across US county governments.