American City and County
The weakest link in your cybersecurity chain


Cyberattacks are increasing in sophistication and severity, but the best defense may not be technological at all.
  • Written by Derek Prall
  • 30th May 2017

It’s midnight in Dallas when the weather sirens shriek to life. The city’s 156 air horns rip apart the quiet night, jolting terrified residents out of their slumber. 911 call centers are flooded with confusion and anger. The cacophony lasts over an hour and a half before city officials finally unplug individual sirens from the network manually.  

Peace returned to the city, but what caused the awful racket? Who was to blame? The answer was unnerving. Local leaders reported hackers had broken into the vulnerable network.

Cyberattacks on local governments are increasing in frequency and severity, but few are equipped to stave off the threats. And while the Dallas attack was an inconvenience, there are far more sinister exploits to worry about. Recently, San Marcos, Texas, was the victim of a sophisticated spear-phishing campaign – where hackers convince an individual to give them access to the network by posing as a trusted source – which resulted in the loss of the tax information of approximately 800 city employees. This exposed sensitive banking details and personal data.

With so much at stake, what are local governments doing to protect themselves from cyber threats? Unfortunately, the answer is not enough.

The scope of the problem

In a word, cybersecurity in local government is “deficient.” That’s according to Don Norris, a professor and director of the School of Public Policy at the University of Maryland, Baltimore County. The university recently partnered with the International City/County Management Association (ICMA) to conduct a cybersecurity survey of local government CIOs and CSOs to better understand their cybersecurity practices, and the results were sobering.

The first problem was the extremely low response rate – about 12 percent. For reference, these types of surveys generally get response rates around 30 percent, Norris says.

“We think that was because [potential respondents] were afraid to answer honestly about their experiences,” Norris explains. “We think that’s the case, because we had graduate students make a large number of phone calls to those who hadn’t responded – we were either unable to get through to the chief information officer or when we did get through, they were very reluctant to respond… that surprised us.” 

Those that did respond, however, did not engender confidence. According to the survey, most local governments didn’t even understand the scope of their problems. “When we asked them about breaches, attacks and incidents on their systems, large numbers said they didn’t know,” Norris says. “It’s unbelievable. These are the people who should know.”

“You have to know what it is you’re trying to secure,” Karen Jackson, the Secretary of Technology for the Commonwealth of Virginia, says. “You have to know where your personally identifiable information is located, if it’s encrypted and who has access to it. There’s a lot of homework that has to be done.” 

It’s hard to solve a problem if you don’t know what the problem is. And the problem is only getting worse. “Cybersecurity is an issue that is not going away,” says Jackson. “It’s an issue that is becoming more complex almost on a daily basis, and action is going to need to be taken.”

How did we get here?

The root of the problem – as is often the case in government – is funding. Municipalities simply do not have the resources to offer competitive salaries to cybersecurity professionals, and often don’t have the funding to adequately train staff members on best practices. This leaves local government and associated agencies woefully understaffed. 

Jackson explains that in Virginia’s public and private sector, there are 36,000 open cybersecurity positions. Two years ago, it was 17,000. Part of this is driven by the awareness of the growing threat of cyberattack, and the small number of qualified individuals in the talent pool. This is particularly troublesome for the public sector, which, due to lack of resources, can’t compete effectively in the cybersecurity labor market. 

“We typically can’t pay as much as the private sector,” Jackson says, “and few of us [in government] have campuses that rival Google or Facebook. The workforce challenge is big, and it gets even bigger when you get into the smaller localities and municipalities.”  

Not only is lack of funding an issue, but the structure of government itself can be a roadblock to cyber hiring. Government can’t move as quickly as a private company, Jackson says. “If we get behind, it takes us longer to catch up,” she says, “because we have to deal with funding cycles and multiple levels of stakeholders and decision-makers.” 

Because of this, government can’t stay ahead of malicious innovation in the cyber threat landscape. Government is not a nimble entity, and it’s a major challenge to respond quickly enough to stay ahead of cyberattacks. “In Virginia, we’re a part-time legislature,” Jackson says. “Our legislatures aren’t back here until January, so if there’s something that we want to change, we only get one bite at that once a year.”

Additionally, internal practices and policies with existing personnel create tremendous gaps in local government’s cyber responses. Another set of questions asked in the ICMA survey had to do with how often certain actions to improve cybersecurity are taken. “The numbers there were a little bit scary as well,” Norris says. According to the report, 13 percent of local governments don’t perform any sort of risk assessment, 12 percent don’t perform a security review, 42 percent don’t perform cybersecurity exercises, 21 percent don’t provide training for their IT staff and 30 percent don’t provide training for their end-users. That last figure is extremely problematic, Norris says. He feels that training is “absolutely essential,” yet it’s being overwhelmingly neglected. And if this neglect continues, the consequences will be severe.

What’s at stake?

The stakes are high, and they’re going to get higher, according to Jerry Hutcheson, owner of Cybercreed Consulting and author of “One False Click: How to Protect Yourself from the Hidden Cyber War.” Right now, the average breach in America takes around five months to discover and costs the organization approximately $4.5 million. Citing Forbes magazine, Hutcheson says that in 2015, $550 million was lost nationwide. The publication estimates that by 2019, that figure will grow to $2.2 trillion.

As cities become more comfortable with the Internet of Things, and more enamored with the concept of becoming “smart,” Hutcheson says we can expect more attacks should cybersecurity measures not stay ahead of the curve. “Pretty much everything that doesn’t already have a computer in it will soon have a computer in it,” he says. “An issue with this is that most IoT systems are not designed with security in mind.”

He gives the example of a modern-day vehicle. Even without automation, the average car or truck has around 30 different computer systems in it. “Here’s the problem: these systems, designed by the engineers, aren’t designed for security,” he says. “They are designed for ease of use and function. Security is an afterthought… they’re actually very easy to break into.” If left unsecured, you get what happened in Washington, D.C.

Hutcheson says recently there was a case of a government building that was under cyberattack. The IT department knew there was information being transferred out of the building to an unauthorized third party, but tracing the source was proving difficult. “Eventually they performed an outside scan,” he says, “and found the 802.11 radio waves were coming from a Samsung refrigerator.” 

And while it’s important to protect data, protecting people is far more important. With the advent of smart transportation and autonomous vehicles, the potential for extremely dangerous hacks is becoming more prevalent. Hutcheson says it’s not outside the realm of possibility for hackers to take control of a city’s traffic signals or even its vehicles, creating mayhem with a tremendous potential for loss of life.

This is why it’s of utmost importance for governments to take cybersecurity seriously, and ensure their personnel are prepared to deal with the threats they’ll face, he says.

Training is Key

Most of the gaps in any organization’s cybersecurity posture exist on the human side, Hutcheson says. The first problem is that most organizations do not have a cohesive, codified set of cybersecurity policies and procedures. The second gap, he says, is training. 

“Training is absolutely critical,” he says. “A lot of employees – especially in city and county government – aren’t exactly technology people. You have a lot of long-term employees, people who have been there for 40 and 50 years, that have to try and keep up.”

These individuals need effective training, and the most critical concept in ensuring training’s efficacy is frequency. “Take 15 minutes once a month to sit down with everyone and discuss new threats, policies or practices,” Hutcheson says. The threat landscape isn’t static, so neither can be an organization’s response – it has to be viewed as a continuous process over time. 

Jackson agrees. “You can’t just do cybersecurity training once and figure that it’s done,” she says. “It has to be a repetitive awareness type of activity that doesn’t ever really go away… We hope to build enough of an awareness that when something doesn’t look right, they’ll send it to the security officer or at least not click on it.”

As far as training delivery methods go, this is a best practice, Hutcheson says. Different people learn different ways, and education on different subjects should be handled differently. However, when it comes to cybersecurity training, a three-hour, mandatory seminar once every six months simply won’t be effective. 

Testing end-users in a non-classroom setting can also be an effective educational tool. Battle Creek, Mich., whose training program and subsequent cultural shift resulted in a significant decline in cyber-related incidents, actually attacked their own employees with an internal spear-phishing campaign. Emails were sent out to every user which mimicked an email from social media site LinkedIn prompting the recipient to change their password, thereby entering their personal login credentials.

Charles Norton, IT Director for the city, says that out of the 425 users who received the email, 355 ignored it completely. An encouraging 35 sent the email to the help desk, while another 35, unfortunately, clicked on the link. Of those 35, 7 entered their credentials and 2 did it on multiple occasions on multiple days.

Although some failed the test, Norton says the false attack was an important benchmarking tool for the effectiveness of their educational efforts, and helped the IT department identify users who might require additional training.

To better understand the role training plays in changing the cybersecurity culture of an organization, Battle Creek should be explored in detail.

 

The battle of Battle Creek

Battle Creek was under attack. From May to October in 2014, Norton counted 214 instances of infection on the network. Something clearly needed to be done, so by January 2015, the city’s cybersecurity awareness initiative was launched. 

The initiative focused on Battle Creek’s vulnerable personnel, Norton says. Attackers know that the easiest way to gain access to a network is through the employees, and launch the majority of attacks with this in mind. But why is this?

Norton says it comes down to human nature. “Generally speaking, everyone wants to be helpful and do what they’re asked,” he says. “Hackers exploit the innate nature of people to want to do the right thing.” That’s why it was critical, he says, for Battle Creek’s initiative to instill an element of “digital skepticism” in employees. 

By this, Norton means employees were trained to not be so trusting of everything that came across their inbox, or so willing to connect to the network with unsecured devices. 

In order to make this skepticism take hold, however, Norton says two things were necessary. First, he had to make sure employees were trained on the potential risks of certain behaviors and the best practices for mitigating those risks. Second, he had to make sure there were consequences for infecting the network and disrupting business continuity.

“We knew it wasn’t fair to throw the book at someone if they didn’t know what the behavioral risks are,” Norton says, but employees needed repercussions for not applying the lessons they learned.

To train employees on important behavioral risks, Battle Creek utilized a free, open-source learning management system available online in conjunction with their own security awareness materials to make a user-friendly training regimen that informed employees about potential threats, and how to avoid them.

But in order to be effective, the lessons needed weight. “Before the initiative, when someone would infect their computer and grind themselves to a halt, we as IT would go out, fix the problem and say, ‘Don’t do that again,’” Norton says. “In at least one case, the very same day we were back.”

To address this, Battle Creek had to undergo a major culture shift, which Norton admits was not well received. IT began isolating an individual’s computer immediately upon notification that the machine was infected. They would then gather the computer, bring it back to their office, scan it and clean it. Before the user could get their computer back, they had to undergo a coaching and counseling session from their department head. “It went from an IT issue to being a management issue,” Norton says.

However, in order for this element of the initiative to be effective, Norton said it was important to make sure employees weren’t viewing IT as their enemy. “The goal of this isn’t to get people in trouble, it’s to get them to change their behaviors,” Norton says. “It makes a lot more sense for the managers to be the catalyst of that behavioral change.”

And it worked. “In the year following the initiative’s conclusion, there were only 12 infections, and our current track record of days between infections is 250,” Norton reports.

Leadership buy-in

There’s a pervasive attitude that cybersecurity is strictly an IT problem, Hutcheson says. The traditional thought is that cybersecurity is handled by the “computer people,” and that management or regular employees have no hand in it. 

That couldn’t be further from the truth, though. Cybersecurity is an organizational problem that sometimes uses technology as a solution, and it’s a huge mistake to rely completely on the IT staff. “They can’t do it,” Hutcheson warns. “They don’t have the power or the capability.”

Management has to buy into the idea that cybersecurity is fundamentally important, Norris says. Then that leadership can insist that adequate funding is allocated, that adequate training is provided and that consequences are in place for those who continually violate policy.

This buy-in is precisely what made Battle Creek’s cybersecurity initiative so successful. Norton says the IT department partnered with the city’s human resources department and the city manager’s office to make sure there was enough support and backing to make the initiative mandatory training. “It means a whole lot more to your average employee when they see something coming from the city manager’s office or the HR director’s office saying, ‘Listen, this is important. You need to see this and you need to participate in this.’”

 

One comment

  1. David Bessen 5th June 2017 @ 8:00 pm
    Since few local jurisdictions can afford to hire good cyber talent to assist in maintaining meaningful security postures, as the article points out, this is a perfect opportunity for multiple agencies to pool their technical resources for information sharing, as well as in order to coordinate their efforts and share costs on monitoring technology, e.g., incident and event monitoring. When resources (fiscal and human) are scarce, pooling is often an excellent way to stretch both and to provide a viable solution. And, who knows, by collaborating with brethren agencies, we all might learn a thing or two.
