It’s midnight in Dallas when the weather sirens shriek to life. The city’s 156 air horns rip apart the quiet night, jolting terrified residents out of their slumber. 911 call centers are flooded with confusion and anger. The cacophony lasts over an hour and a half before city officials finally unplug individual sirens from the network manually.  

Peace returned to the city, but what caused the awful racket? Who was to blame? The answer was unnerving. Local leaders reported hackers had broken into the vulnerable network.

Cyberattacks on local governments are increasing in frequency and severity, but few are equipped to stave off the threats. And while the Dallas attack was an inconvenience, there are far more sinister exploits to worry about. Recently, San Marcos, Texas, was the victim of a sophisticated spear-fishing campaign – where hackers convince an individual to give them access to the network by posing as a trusted source – which resulted in the loss of the tax information of approximately 800 city employees. This exposed sensitive banking details and personal data. 

With so much at stake, what are local governments doing to protect themselves from cyber threats? Unfortunately, the answer is not enough.

The scope of the problem

In a word, cybersecurity in local government is “deficient.” That’s according to Don Norris, a professor and director of the School of Public Policy at the University of Maryland, Baltimore County. The university recently partnered with the International City/County Management Association (ICMA) to conduct a cybersecurity survey of local government CIOs and CSOs to better understand their cybersecurity practices, and the results were sobering.

The first problem was the extremely low response rate – about 12 percent. For reference, these types of surveys generally get response rates around 30 percent, Norris says.

“We think that was because [potential respondents] were afraid to answer honestly about their experiences,” Norris explains. “We think that’s the case, because we had graduate students make a large number of phone calls to those who hadn’t responded – we were either unable to get through to the chief information officer or when we did get through, they were very reluctant to respond… that surprised us.” 

Those that did respond, however, did not engender confidence. According to the survey, most local governments didn’t even understand the scope of their problems. “When we asked them about breaches, attacks and incidents on their systems, large numbers said they didn’t know,” Norris says. “It’s unbelievable. These are the people who should know.”

“You have to know what it is you’re trying to secure,” Karen Jackson, the Secretary of Technology for the Commonwealth of Virginia, says. “You have to know where your personally identifiable information is located, if it’s encrypted and who has access to it. There’s a lot of homework that has to be done.” 

It’s hard to solve a problem if you don’t know what the problem is. And the problem is only getting worse. “Cybersecurity is an issue that is not going away,” says Jackson. “It’s an issue that is becoming more complex almost on a daily basis, and action is going to need to be taken.”

How did we get here?

The root of the problem – as is often the case in government – is funding. Municipalities simply do not have the resources to offer competitive salaries to cybersecurity professionals, and often don’t have the funding to adequately train staff members on best practices. This leaves local government and associated agencies woefully understaffed. 

Jackson explains that in Virginia’s public and private sector, there are 36,000 open cybersecurity positions. Two years ago, it was 17,000. Part of this is driven by the awareness of the growing threat of cyberattack, and the small number of qualified individuals in the talent pool. This is particularly troublesome for the public sector, which, due to lack of resources, can’t compete effectively in the cybersecurity labor market. 

“We typically can’t pay as much as the private sector,” Jackson says, “and few of us [in government] have campuses that rival Google or Facebook. The workforce challenge is big, and it gets even bigger when you get into the smaller localities and municipalities.”  

Not only is lack of funding an issue, but the structure of government itself can be a roadblock to cyber hiring. Government can’t move as quickly as a private company, Jackson says. “If we get behind, it takes us longer to catch up,” she says, “because we have to deal with funding cycles and multiple levels of stakeholders and decision-makers.” 

Because of this, government can’t stay ahead of malicious innovation in the cyber threat landscape. Government is not a nimble entity, and it’s a major challenge to respond quickly enough to stay ahead of cyberattacks. “In Virginia, we’re a part-time legislature,” Jackson says. “Our legislatures aren’t back here until January, so if there’s something that we want to change, we only get one bite at that once a year.”

Additionally, internal practices and policies with existing personnel create tremendous gaps in local government’s cyber responses. Another set of questions asked in the ICMA survey had to do with how often certain actions to improve cybersecurity are taken. “The numbers there were a little bit scary as well,” Norris says. According to the report, 13 percent of local governments don’t perform any sort of risk assessment, 12 percent don’t perform a security review, 42 percent don’t perform cybersecurity exercises, 21 percent don’t provide training for their IT staff and 30 percent don’t provide training for their end-users. That last figure is extremely problematic, Norris says. He feels that training is “absolutely essential,” yet it’s being overwhelmingly neglected. And if this neglect continues, the consequences will be severe.

What’s at stake?

The stakes are high, and they’re going to get higher, according to Jerry Hutcheson, owner of Cybercreed Consulting and author of “One False Click: How to Protect Yourself from the Hidden Cyber War.” Right now, the average breach in America takes around five months to discover and costs approximately $4.5 million dollars to the organization. Citing Forbes magazine, Hutcheson says that in 2015, $550 million was lost nationwide. The publication estimates that by 2019, that figure will grow to $2.2 trillion.

As cities become more comfortable with the Internet of Things, and more enamored with the concept of becoming “smart,” Hutcheson says we can expect more attacks should cybersecurity measures not stay ahead of the curve. “Pretty much everything that doesn’t already have a computer in it will soon have a computer in it,” he says. “An issue with this is that most IoT systems are not designed with security in mind.”

He gives the example of a modern-day vehicle. Even without automation, the average car or truck has around 30 different computer systems in it. “Here’s the problem: these systems, designed by the engineers, aren’t designed for security,” he says. “They are designed for ease of use and function. Security is an afterthought… they’re actually very easy to break into.” If left unsecured, you get what happened in Washington,D.C.

Hutcheson says recently there was a case of a government building that was under cyberattack. The IT department knew there was information being transferred out of the building to an unauthorized third party, but tracing the source was proving difficult. “Eventually they performed an outside scan,” he says, “and found the 802.11 radio waves were coming from a Samsung refrigerator.” 

And while it’s important to protect data, protecting people is far more important. With the advent of smart transportation and autonomous vehicles, the potential for extremely dangerous hacks is becoming more prevalent. Hutcheson says it’s not outside the realm of possibility for hackers to take control of a city’s traffic signals or even its vehicles, creating mayhem with a tremendous potential for loss of life.

This is why it’s of utmost importance for governments to take cybersecurity seriously, and ensure their personnel are prepared to deal with the threats they’ll face, he says.

Training is Key

Most of the gaps in any organization’s cybersecurity posture exist on the human side, Hutcheson says. The first problem is that most organizations do not have a cohesive, codified set of cybersecurity policies and procedures. The second gap, he says, is training. 

“Training is absolutely critical,” he says. “A lot of employees – especially in city and county government – aren’t exactly technology people. You have a lot of long-term employees, people who have been there for 40 and 50 years, that have to try and keep up.”

These individuals need effective training, and the most critical concept in ensuring training’s efficacy is frequency. “Take 15 minutes once a month to sit down with everyone and discuss new threats, policies or practices,” Hutcheson says. The threat landscape isn’t static, so neither can be an organization’s response – it has to be viewed as a continuous process over time. 

Jackson agrees. “You can’t just do cybersecurity training once and figure that it’s done,” she says. “It has to be a repetitive awareness type of activity that doesn’t ever really go away… We hope to build enough of an awareness that when something doesn’t look right, they’ll send it to the security officer or at least not click on it.”

As far as training delivery methods go, this is a best practice, Hutcheson says. Different people learn different ways, and education on different subjects should be handled differently. However, when it comes to cybersecurity training, a three-hour, mandatory seminar once every six months simply won’t be effective. 

Testing end-users in a non-classroom setting can also be an effective educational tool. Battle Creek, Mich., whose training program and subsequent cultural shift resulted in a significant decline in cyber-related incidents, actually attacked their own employees with an internal spear-phishing campaign. Emails were sent out to every user which mimicked an email from social media site LinkedIn prompting the recipient to change their password, thereby entering their personal login credentials.

Charles Norton, IT Director for the city, says that out of the 425 users who received the email, 355 ignored it completely. An encouraging 35 sent the email to the help desk, while another 35, unfortunately, clicked on the link. Of those 35, 7 entered their credentials and 2 did it on multiple occasions on multiple days.

Although some failed the test, Norton says the false attack was an important benchmarking tool for the effectiveness of their educational efforts, and helped the IT department identify users who might require additional training.

To better understand the role training plays in changing the cybersecurity culture of an organization, Battle Creek should be explored in detail.

 

The battle of Battle Creek

Battle Creek was under attack. From May to October in 2014, Norton counted 214 instances of infection on the network. Something clearly needed to be done, so by January 2015, the city’s cybersecurity awareness initiative was launched. 

The initiative focused on Battle Creek’s vulnerable personnel, Norton says. Attackers know that the easiest way to gain access to a network is through the employees, and launch the majority of attacks with this in mind. But why is this?

Norton says it comes down to human nature. “Generally speaking, everyone wants to be helpful and do what they’re asked,” he says. “Hackers exploit the innate nature of people to want to do the right thing.” That’s why it was critical, he says, for Battle Creek’s initiative to instill an element of “digital skepticism” in employees. 

By this, Norton means employees were trained to not be so trusting of everything that came across their inbox, or so willing to connect to the network with unsecured devices. 

In order to make this skepticism take hold, however, Norton says two things were necessary. First, he had to make sure employees were trained on the potential risks of certain behaviors and the best practices for mitigating those risks, and he had to make sure there were consequences for infecting the network and disrupting business continuity. 

“We knew it wasn’t fair to throw the book at someone if they didn’t know what the behavioral risks are,” Norton says, but employees needed repercussions for not applying the lessons they learned.

To train employees on important behavioral risks, Battle Creek utilized a free, open-source learning management system available online in conjunction with their own security awareness materials to make a user-friendly training regimen that informed employees about potential threats, and how to avoid them.

But in order to be effective, the lessons needed weight. “Before the initiative, when someone would infect their computer and grind themselves to a halt, we as IT would go out, fix the problem and say, ‘Don’t do that again.’” Norton says. “In at least one case, the very same day we were back.” 

To address this, Battle Creek had to undergo a major culture shift, which Norton admits was not well received. IT began isolating an individual’s computers immediately upon notification that the machine was infected. They would then gather the computer, bring it back to their office, scan it and clean it. Before the user could get their computer back, they had to undergo a coaching and counseling session from their department head. “It went from an IT issue to being a management issue,” Norton says.

However, in order for this element of the initiative to be effective, Norton said it was important to make sure employees weren’t viewing IT as their enemy. “The goal of this isn’t to get people in trouble, it’s to get them to change their behaviors,” Norton says. “It makes a lot more sense for the managers to be the catalyst of that behavioral change.”

And it worked. “In the year following the initiative’s conclusion, there were only 12 infections, and our current track record of days between infections is 250,” Norton reports.

Leadership buy-in

There’s a pervasive attitude that cybersecurity is strictly an IT problem, Hutcheson says. The traditional thought is that cybersecurity is handled by the “computer people,” and that management or regular employees have no hand in it. 

That couldn’t be further from the truth, though. Cybersecurity is an organizational problem that sometimes uses technology as a solution, and it’s a huge mistake to rely completely on the IT staff. “They can’t do it,” Hutcheson warns. “They don’t have the power or the capability.”

Management has to buy into the idea that cybersecurity is fundamentally important, Norris says. Then that leadership can insist that adequate funding is allocated, that adequate training is provided and that consequences are in place for those who continually violate policy.

This buy-in is precisely what made Battle Creek’s cybersecurity initiative so successful. Norton says the IT department partnered with the city’s human resourses department and the city manager’s office to make sure there was enough support and backing to make the initiative mandatory training. “It means a whole lot more to your average employee when they see something coming from the city manager’s office or the HR director’s office saying, ‘Listen, this is important. You need to see this and you need to participate in this.’” 

 

 

_____________

To get connected and stay up-to-date with similar content from American City & County:
Like us on Facebook

Follow us on Twitter
Watch us on YouTube