
Rapid City SD – A week after a cybersecurity incident forced Pennington County to shutter most public-facing offices, the systems that run daily life in Rapid City and the county remain in a state of quiet reconstruction.
Officials have said little about what happened. But the public record — statutes, certificate logs, and the county and city’s own statements — offers a way to trace how a modern local government actually claws its way back online after something like what Pennington County may has experienced.
What Is Confirmed
The outage began July 6, when Pennington County closed most public-facing offices “to allow staff to assess the situation and safely restore affected systems.”
Essential services — 911 dispatch, the jail, the Juvenile Services Center, the Care Campus — stayed open. Early voting and court operations continued on schedule.
By the next day, the ripple effects had reached Rapid City. In a statement posted to rcgov.org, City IT Director Jim Gilbert explained why: “Because the City and County share infrastructure and collaborate on a limited number of systems, this review is a necessary step to confirm the security of City systems and the network.”
Online utility payments went dark. The Rapid City Fire Department noted on their X account that the application process was not available online. Building permit processing slowed. City Finance Officer Daniel Ainslie told KOTA Radio that residents could still pay utility bills by mail or in person, where staff issued manual receipts.
Statewide systems, by contrast, never blinked. South Dakota’s vehicle registration portal, my605drive.sd.gov, and its self-service kiosks stayed fully operational throughout — confirming the disruption was contained to county and city infrastructure, not a broader state network failure.
County officials said they’re working with the South Dakota National Guard Cyber Incident Response Team, the South Dakota Fusion Center, and the federal Cybersecurity and Infrastructure Security Agency (CISA). Beyond that, they have said almost nothing about what happened, who’s responsible, or when it will be fixed.
Watching a Rebuild in Real Time
Even without an official account, pieces of the recovery are visible in public records.
Certificate Records: Every time a government website spins up new infrastructure, it typically requires a new SSL certificate — and those are logged publicly, in real time, through certificate transparency tools like crt.sh. As of this writing, the most recent certificate for rcgov.com was logged June 10, before the outage began. Pennington County does have recent activity as of 7/6/2026, however it does appear to be a mass licence renewal for several municipal systems nationwide.
The Absence of a Ransom Demand –Close to a week in, neither Pennington County nor Rapid City has appeared on any of the public leak sites ransomware gangs use to pressure victims, and no group has claimed responsibility.
That silence is itself notable: a standard ransomware attack typically comes with a loud, fast demand. Its absence here raises the question of what kind of incident this actually was.
It’s worth being precise about what this absence does and doesn’t tell us: a clean leak-site search rules out a public ransom claim, not a private one.
Ransom negotiations, when they happen, are typically conducted quietly between the victim, an insurer, and a specialized negotiator, and wouldn’t necessarily surface publicly unless or until talks broke down.
The silence is a real data point. It is not proof that nothing is being negotiated behind closed doors.
It may not be ransomware at all –The public conversation around outages like this tends to jump straight to “ransomware,” but that’s one of several plausible explanations, not the default.
A compromised employee or vendor credential, a phishing email that gave an intruder a foothold, an unpatched system or expired certificate, or even a vendor-side breach at a third-party software provider the city and county rely on could each produce the same outward symptoms: a sudden, total shutdown while officials figure out what they’re dealing with.
Some of these possibilities are mundane compared to a headline-grabbing ransomware attack, and that’s exactly why they’re easy to overlook. Until officials say more, all of them remain on the table.
The Clock That’s Already Running
Whatever caused the incident, South Dakota law now governs how it must be handled.
Under SDCL 22-40-19 through 22-40-26, any entity that suffers a “breach of system security” involving residents’ personal information — Social Security numbers, driver’s license numbers, financial account data — has 60 days from discovery to notify affected individuals.
If more than 250 South Dakota residents are affected, the state Attorney General must also be notified.
There is an exception: if, after investigation and AG notice, officials determine in writing that the breach is unlikely to cause harm, they can skip individual notification entirely — but that determination must be documented and kept on file for at least three years. Failure to disclose is treated as a deceptive act under the state’s consumer protection law, punishable by fines up to $10,000 per day.
None of this tells us whether personal data was compromised. But it does mean a clock is running, and a paper trail — either a notification or a written “no harm” determination — is legally required to exist somewhere.
The Money Question
However this is resolved, someone will pay for it — and how that happens says a lot about how local governments manage crises out of public view.
Local governments with cyber insurance typically operate under panels of pre-approved incident-response contractors; if the insurer is footing the bill up to policy limits, no new tax appropriation is required, and no public vote or budget hearing is triggered.
Separately, a declared state of emergency — issued by a mayor, county commission chair, or sheriff — allows officials to bypass standard public bidding requirements and draw on reserve funds directly, typically justified by the need to protect “life and safety operations.”
Both mechanisms allow real, immediate secrecy. Neither is permanent. Emergency spending eventually surfaces in a jurisdiction’s annual financial report or in future budget amendment hearings.
Insurance premiums that spike after a claim show up as a line item at the next renewal.
And local governments rarely absorb the full cost of a major cyber rebuild themselves — they typically seek reimbursement through state or federal grant programs, and those applications and awards become public record once filed.
A coalition of state and local government groups recently asked the U.S. Senate for $300 million to fund the State and Local Cybersecurity Grant Program nationally.
South Dakota Gov. Larry Rhoden has separately announced a $5 million state investment to establish the South Dakota Defense Institute, aimed at strengthening the state’s cybersecurity and defense industries.
If Pennington County or Rapid City taps either funding stream, the paperwork will eventually be public.
What Happens Next, Hypothetically
The rebuilding of a modern local government’s digital infrastructure rarely happens all at once, and rarely happens loudly. It shows up in certificate logs, statutory deadlines, budget line items filed months later, and, eventually, in the audited financial reports that every local government is required to produce.
Certificate and leak-site data in this report reflect what was independently verifiable as of publication; both are subject to change and will be revisited as this story develops.
Leave a Reply