Local governments need year-round cyber training, ransomware protocol

As we reported last week, cybersecurity continues to rank as the No. 1 technology issue facing America’s local governments, according to the Public Technology Institute (PTI).

It’s why PTI and the Computing Technology Industry Association (CompTIA) hosted the National Symposium on Cybersecurity in Government last month in Washington, D.C. The symposium highlighted case studies and leading practices, and provided a forum for local governments and the cybersecurity industry to share how communities are balancing the need for security with the need for innovation.

We caught up with some of the local government attendees including Eileen Cazaropoul, the chief information officer for Worcester, Massachusetts, part of my old stomping grounds when I was the state’s CIO in the 1990s. Cazaropoul has worked for the city for three decades and has been the city’s IT leader for just over a year.

Eileen Cazarpoul, CIO, John Thomas Flynn
John Thomas Flynn and Eileen Cazaropoul, right, chief information officer for Worcester, Massachusetts.

She was quite impressed with the PTI symposium.

“The whole program has been very interesting with a lot folks, including myself, coming away shaking our heads about the challenges of cybersecurity, particularly when it comes to things like the talk of the day: Ransomware,” she said.

Cyber awareness front and center in Worcester

Her panel was named “Cybersecurity: more than a once a year event,” and to say that Cazaropoul takes cybersecurity awareness seriously is a gross understatement.

“We’ve had our official cybersecurity awareness program in place for over a year,” she said. Initially her agency delivered software training that lasted a few weeks, until she realized how massive the cybersecurity problems were. At that point she actually hired a full-time cybersecurity awareness trainer.

“The training is not a one and done thing. It’s continually ongoing. We started with a baseline, a mandatory employee awareness training session,” she said. It was one hour, in small groups of 15 to stimulate interaction. “Now we’re moving on to the next level and I’m having workshops and other training, and we keep moving along with mandatory training sessions in between.”

In addition, there are cyber newsletters, and other related information sent out through the help desk. Every October, which is Cybersecurity Awareness Month, by the way, they sponsor cyber events with prizes for those departments that have the best cybersecurity scorecard. Every time someone receives a phishing email, it is forwarded out to everyone stating that this is an example of what’s floating around. Employees are reminded never to give their log on credentials under any circumstances to anyone.

“So the best program is one that is ongoing. It’s just not a one-time thing or once a year,” she said.

Cazaropoul also acknowledges that the threat reaches beyond Worcester. Massachusetts towns have been compromised every day, especially the smaller municipalities, and the public schools are a prime target as well. Local cities and towns realize that the cyber criminals understand that they’re an easy target.

“They’re probably going to have to pay a ransom if they don’t have a sophisticated IT backup and recovery process in place,” she said.

Finally, on the always tricky issue of funding, Cazaropoul stated that Worcester was fortunate that the Commonwealth of Massachusetts under an initiative sponsored by my old boss Gov. Charlie Baker created a Massachusetts community compact grant. It recognizes and funds best cybersecurity practices. “We were fortunate to receive a grant for a cyber security risk assessment and internal risk assessment which we have just performed,” she said.

Ransomware issue du jour

We concluded our day with PTI Executive Director Alan Shark, host and co-sponsor of the symposium. Shark explained that the symposium now in its second year has become an annual event to educate and understand best practices having to do with local government and the challenges being fostered by cybersecurity.

Alan Shark, executive director, of the Public Technology Institute, joined Ask the CIO: SLED Edition this week.

“Every year the program kind of morphs and changes to reflect those kinds of things. Now there are some new things like ransomware that have really hit the radar,” he said.

His local government partners were used to worrying about hacks, and hacks are a significant problem involving breaches, disclosure of information, even defacement of a website. Ransomware is far different in the sense that it basically locks out the entire system of a city or county. It could even hit a state agency, a police department, or a school district. What that means is the bad guys have planted some kind of malware, maybe through a careless click of an employee, or by other means to exploit a weakness in the system, and now every file is encrypted.

The ransom part means that in order to unlock those files, one has to pay a fee. Now, maybe once upon a time, if you use a credit card or a check, you’d have a way to possibly identify the perpetrators.

“But these guys are pretty smart,” Shark said. “Two things are happening: One, they’re charging more and more money as they become emboldened because of their successes. And number two, they’re asking for this to be paid in bitcoin, which is essentially untraceable.”

This phenomenon is something never-before encountered and the decision to pay the ransom or not is a difficult and controversial one.

“It’s a very tough issue. So if you listen to the FBI and Department of Homeland Security, all the experts say, these are the things you do not pay,” Shark said. Why? Because it encourages bad behavior. It just emboldens the bad guys to do more. Number two, they say that just because you pay does not necessarily guarantee that your systems will remain unaffected. So there’s always that risk.

Complicating or assuaging the situation, depending on your viewpoint, is the arrival of ransomware insurance. “It’s a burgeoning and growing industry. It’s still in its infancy. There are a few companies that are offering it and more getting into the game because it is actually profitable for them based on the premiums that they’re charging,” Shark explained.

The premiums currently are relatively inexpensive. But here’s where it gets complicated. In the past, ransomware was so cheap that people would realize it’s better to pay than to spend all the time restoring a system. And so ransomware may be $500, maybe $1,000. However, recently Riviera Beach, Florida, a city of just over 30,000 people, paid $600,000

“And it’s like, how did this happen? Well, the insurance company sat down with the city council and said, we think you should pay and we’ll cover you from a business point of view,” said Shark.

The insurance company couldn’t care less about the FBI and DHS — they were protecting their bottom line. They fulfill their obligation and said it’s better to pay the ransom than to pay millions upon millions of dollars to restore a system. So this makes things even more complicated.

“And the fear is that as more of the bad guys learn who has cybersecurity insurance, it may make those very people more prone to attack,” Shark said.

It’s very easy for the feds to say, don’t pay, but if you’re in local governments’ shoes the situation is dire. If you are hacked with ransomware, all business stops.

“You cannot get married, you cannot get divorced, you cannot get land permits, all the lines of business — even the smallest government has 200 lines of business everyday. You cannot take money. There is a loss of business and a loss of confidence and a loss of trust,” Shark said.

Advertisement
Mandatory ransomware reporting required

In conclusion, Shark offered several recommendations. “Well, I think we have to first educate our cities and counties across the country. Most of what is happening is only being reported through the press,” he said. Unfortunately there is no legal requirement currently by any state or the federal government to report a ransomware attack, though the FBI does encourage ransomware victims to report it to them.

“We want to have a system that actually requires reporting it. We find out what’s going on, we can learn from the types of attacks, how they occurred so we can spread the information to others so that they can develop better defenses from that happening in their own jurisdictions,” he said. Secondly, Shark believes that local governments should band together and determine a way to perhaps petition the government. “We need to come up with a real strong plan with all the associations that we work with to say this should be banned. The federal government should probably step in and say it is illegal to pay ransom.”

Leave it to the laboratories of democracy to respond. Interestingly, as Shark reported, Texas, the recent target of some 20-plus local government ransomware attacks may pass a law which requires ransomware attacks to be reported. So that’s a start.

Copyright © 2019 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.