On March 19, 2026, Foster City, California officials responded to a ransomware attack impacting nearly all municipal services. City officials declared a state of emergency to secure additional resources while they recover from the attack.

“The declaration of a state of emergency in Foster City following a ransomware attack is a sobering situation. In 2026, a cyberattack is as catastrophic to local governance as a flood or an earthquake. By taking nearly all municipal systems offline to contain the breach, Foster City has successfully protected its 911 services but has essentially "evacuated" its digital town hall. This incident highlights the extreme vulnerability of smaller municipalities that manage massive amounts of resident PII but lack the enterprise-grade defense budgets to stop modern ransomware gangs. 

To protect users, we must stop treating municipal IT as a backend utility and start funding it as critical infrastructure. Until "security by design" is mandated for the software that runs our cities, we will continue to see local governments forced into emergency declarations just to keep the lights on. When a city manager has to declare a state of emergency because of a line of ransomware code, your 'digital transformation' hasn't made you more efficient. It’s just made you more fragile," says Damon Small, Board of Directors at Xcape, Inc.

"Declaring a state of emergency during a ransomware incident tells you this has moved beyond a routine IT outage. For a city of 33,000 residents, that declaration reflects an operational reality. Once core systems are disrupted, recovery depends on quickly bringing in outside incident response, forensic, and restoration support that the organization cannot resource on its own. What matters for local governments is whether their backups can survive an active attack and restore services fast enough to keep essential functions running.

Backup resilience is what determines whether a ransomware incident remains a temporary disruption or becomes a prolonged public emergency. Ransomware operators routinely target backup and recovery systems because recovery is what breaks their leverage. 

If backups are resilient, isolated, and actually restorable under adversarial conditions, the organization has a path to recovery without being cornered. If they are not, the result is extended service disruption and public loss of confidence. Every municipality of comparable size that has not tested its backup infrastructure against adversarial conditions is carrying the same risk. The only variable is timing," says Jacob Krell, Senior Director of Secure AI Solutions & Cybersecurity at Suzu Labs.