https://www.americancityandcounty.com/wp-content/themes/acc_child/assets/images/logo/footer-logo.png
  • Home
  • Co-op Solutions
  • Hybrid Work
  • Commentaries
  • News
  • In-Depth
  • Multimedia
    • Back
    • Podcast
    • Latest videos
    • Product Guides
  • Resources & Events
    • Back
    • Resources
    • Webinars
    • White Papers
    • IWCE 2022
    • How to Contribute
    • Municipal Cost Index – Archive
    • Equipment Watch Page
    • American City & County Awards
  • About Us
    • Back
    • About Us
    • Contact Us
    • Advertise
    • Cookie Policy
    • Privacy Statement
    • Terms of Service
American City and County
  • NEWSLETTER
  • Home
  • Co-op Solutions
  • Hybrid Work
  • Commentaries
  • News
  • In-Depth
  • Multimedia
    • Back
    • Podcasts
    • Latest videos
    • Product Guides
  • Resources/Events
    • Back
    • Webinars
    • White Papers/eBooks
    • IWCE Expo
    • Calendar of Events
    • How to Contribute
    • American City & County Awards
    • Municipal Cost Index
    • Equipment Watch Page
  • About Us
    • Back
    • About Us
    • Contact Us
    • Advertise
    • Cookie Policy
    • Privacy Stament
    • Terms of Service
  • newsletter
  • Administration
  • Economy & Finance
  • Procurement
  • Public Safety
  • Public Works & Utilities
  • Smart Cities & Technology
  • Magazine
acc.com

Commentaries


Commentary

Surviving ransomware: Advice for governmental lawyers

Surviving ransomware: Advice for governmental lawyers

  • Written by Roy Hadley, Jr.
  • 13th November 2019

Realizing that governments serve many purposes for their citizens, it is often difficult to fully understand the scope of the possible vectors that are vulnerable to cyberattack. Governments must place cybersecurity on their lists of priorities for funding, often competing for attention with schools, police and public safety, sanitation, parks, roads, and water delivery. It is against this list of fundamental priorities that governments have often placed cybersecurity on the back burner.

That said, given the destructive nature of current attacks, governments across the country are re-prioritizing and devoting more resources to cybersecurity. Recent attacks in Texas, Baltimore, Florida, Colorado, Georgia and many other jurisdictions, both large and small, across the country underscore the necessity for governments to take a proactive stance toward cybersecurity awareness, training, infrastructure and funding.

Lawyers often touch all aspects of the daily operation of governments and are well positioned to be at the vanguard of cybersecurity. It is important to understand our roles as lawyers in responding to incidents as well as our role in helping our respective governments become more resilient in the face of these attacks.

 

Policies and procedures

As a best practice, governmental entities should have a cyber-preparedness assessment performed. This assessment will look at the entity’s current state of preparedness and identify potential vulnerabilities. A good assessment will also review the entity’s current policies and procedures, and cyber incident response plan. Because of the complexity of most governments, this assessment might be very involved. As lawyers, you should be familiar with this assessment and its outcome. Also, your direct involvement might add a layer of privilege to the process.

Needless to say, all governmental entities should have an incident response plan in place. This dictates step-by-step instructions to employees in the event of a cyberattack. All response plans should not only be thoroughly reviewed by the legal department, but the legal department should have a large role in creating the plan.

 

Personnel

Despite all of the external threats that occur against your government’s network and IT infrastructure, employees are still the most used vector to attack an entity and are the biggest vulnerability.

Whether it is an employee clicking on a link to a malicious website, putting an infected thumb drive into a computer or becoming a victim of more advanced phishing techniques, employees provide the quickest and most expedient route to your network.

As such, you must make certain that employees only have access to the information and network areas that are needed to perform their job functions. Also, as part of the legal function, you should ensure that ongoing training for employees around cybersecurity and cyber awareness is occurring. You should strive to help create a “culture of security.”

 

Disaster recovery and business continuity

In many cyber events, outside resources will need to be quickly called upon and put into play. If these resources have not been identified prior to an incident, you will find yourself trying to locate the necessary resources instead of responding to the attack. Like most things, the quicker you can address the problem, the better the outcome will usually be.

To this end, governments should retain the necessary guidance and experience in order to make certain that their disaster recovery and business continuity plans take cyber-preparedness into account. Also, as a lawyer, you should be aware of and know these resources. An annual call with your external resources to discuss incident response will go a long way to having a smooth response should something actually happen. You should also consider inviting them to your table-top exercises.

In my experience, many municipalities don’t realize the scope and breadth of their systems. Whether it is call centers to assist constituents, the judicial system, delivery of water services, sanitation, public works or police and other public safety services, almost all services provided by governments are connected through IT systems. An attack on these systems has shown the ability to shut down these essential services.

 

Back-up, back-up, back-up

Perhaps the greatest resilience tool for a government is an adequate, safe and secure backup of its data. In the event of a major cyber or ransomware attack, the ability to quickly and safely restore data will be the difference between being down for a few hours or down for weeks (or longer). Backups should generally be housed off-site in a secure and segregated facility, either physically or virtually. As a lawyer, you should understand your entities’ back-up strategy in general terms and be aware of any contractual obligations on the vendor. As to vendors in general, you should also make sure that the procurement process as well as all contracts contemplate adequate vendor cyber security.

Lastly, we have seen backups that have been infected in attacks as well as backup plans that are not comprehensive. In the event of an attack, both will severely limit your ability to provide essential services to your constituents without interruption.

 

Bonding and financing public-private partnerships

Many governmental projects are financed through some type of bonding or other public finance structure. Increasingly, bondholders and rating agencies are asking about the cyber security posture of governments that are floating bonds or financing infrastructure or economic development projects. Rating agencies are well aware of the potential severe impact that a cyberattack or incident can have on the ability of a borrowing entity to repay sums owed. This increased scrutiny often shows up in the due diligence process and will only get more involved and detailed, thereby making your government’s cybersecurity posture even more important.

 

The role of the lawyer in response and recovery efforts

In the event of a crisis, as a lawyer you will also be at the forefront of the recovery and response efforts. Some of the tasks that you might be called upon to assist with are:

  • Coordinating crisis communications, which is critically important in getting the correct messaging out internally and externally.
  • Working with the various departments to ensure that constituent services are either uninterrupted or back online as soon as possible.
  • Working with IT and the various departments on business continuity and response efforts.
  • Daily coordination with elected officials to ensure that they are always up to speed and knowledgeable about where things stand.
  • Coordinating open records and FOIA requests.
  • Overseeing the standing up of manual processes across the various departments until systems can be safely brought back up.
  • Coordinating efforts with the FBI, Homeland Security and the Justice Department.
  • Overseeing the selection of vendors.
  • Coordinating the procurement process to bring the vendors on board, which includes compliance and emergency procurements.
  • Coordinating the payment of vendors and the billing process.
  • Coordinating with outside counsel.
  • Overseeing compliance efforts.
  • Notifications to insurers and other relevant entities.
  • Assisting with the coordination of the insurers to ensure that your municipality is in the best posture to be reimbursed under its cyber policies.

In the event of a breach or attack, a lawyer’s role will be multi-dimensional and critical to the response and recovery efforts.

As lawyers, we often find ourselves on the front lines in dealing with cyber-related issues and it is incumbent upon us to understand all of the issues so that we can ensure that our governments are well prepared. As it is often stated, the issue is not if something will occur but when.

 

Roy E. Hadley, Jr. is an attorney with Adams and Reese who serves as independent counsel on cybersecurity matters helps governmental officials and corporate boards understand and mitigate legal and operational risks and exposures to protect themselves and the companies/governments they serve. He also helps clients to respond to and recover from attacks should an event happen. He may be reached at [email protected].

 

Tags: Administration Commentaries Commentary

Most Recent


  • materials
    Public buyers have several options to keep problem materials out of the waste stream
    Cities and counties are taking multiple steps towards sustainability, says Curran Hughes, co-founder and president of Renegade Plastics, a fabric product manufacturer that offers an alternative to PVC (polyvinyl chloride)-coated fabrics. Its low carbon coated fabrics curtail plastic waste and reduce greenhouse gas emissions, according to the company. “Local governments are doing a nice job […]
  • environmental
    Seasons change: Addressing environmental issues takes many forms
    With extreme temperatures, increasing natural disasters and seasonal changes that are no longer predictable, environmental concerns are growing across the world. As a result, government and educational institutions, through their political bodies and leadership, are now mandating and prioritizing sustainability for their communities. The measures being taken, and goals being met, take many forms to […]
  • federal grants
    Best laid plans: Here are a few steps cities and counties should take when a federal grant comes their way
    Part 1 of this report on managing federal grants and funds appeared in the June 2023 issue of Government Procurement. In recent years, Congress has approved legislation giving local governments access to new sources of federal grants and funds. The laws include: American Rescue Plan Act (APRA), Coronavirus Aid, Relief, and Economic Security Act (CARES), […]
  • sustainability
    5 ways procurement can lead on government sustainability
    A seat at the table.” “No longer a back-office function.” “Purchasing is tactical, procurement is strategic.” You can’t spend a day diving into the world of public sector procurement without running headlong into this sentiment. Conference keynotes, webinars, certification curricula and more have been dedicated to advancing the premise that procurement is at its best […]

Leave a comment Cancel reply

-or-

Log in with your American City and County account

Alternatively, post a comment by completing the form below:

Your email address will not be published. Required fields are marked *

Related Content

  • Lessons from your friendly neighborhood public service employees
  • Harris County deploys next-generation security in 150 public buildings
  • How local governments can get ahead of the infrastructure wave: Strategies to mitigate risk
  • Prioritizing rapid restore leads to stronger ransomware attack recovery

WHITE PAPERS


7 Resources to Level-up Your Federal Grants Administration and Compliance

5th September 2023

Elevator Phone Line Replacement Strategy | A Guide to Reliable, Code-Compliant Solutions

29th August 2023

2023 State of Public Sourcing Report: The Bright Future of Public Procurement

23rd August 2023
view all

Webinars


Grant Preparedness: Unlocking Funding Opportunities for Your Success

10th August 2023

2023 State of Public Sourcing: Taking Local Governments into a Bright Future

1st August 2023

Stop Playing with Fire: How to Manage Infrastructure Asset Risk So You Know You’re Covered

20th June 2023
view all

Podcast


Young Leaders Episode 4 – Cyril Jefferson – City Councilman, High Point, North Carolina

13th October 2020

Young Leaders Episode 3 – Shannon Hardin – City Council President, Columbus, Ohio

27th July 2020

Young Leaders Episode 2 – Christian Williams – Development Services Planner, Goodyear, Ariz.

1st July 2020
view all

GALLERIES


Gallery: Hottest temperatures recorded in American cities during July

12th September 2023

The top 10 Asthma Capitals for 2023

7th September 2023

U.S. cities with the cleanest air from latest “State of the Air” report

5th September 2023
view all

Twitter


Newsletters

Sign up for American City & County’s newsletters to receive regular news and information updates about local governments.

Resale Insights Dashboard

The Resale Insights Dashboard provides model-level data for the entire used equipment market to help you save time and money.

Municipal Cost Index

Updated monthly since 1978, our exclusive Municipal Cost Index shows the effects of inflation on the cost of providing municipal services

Media Kit and Advertising

Want to reach our digital audience? Learn more here.

DISCOVER MORE FROM INFORMA TECH

  • IWCE’s Urgent Communications
  • IWCE Expo

WORKING WITH US

  • About Us
  • Contact Us

FOLLOW American City and County ON SOCIAL

  • Privacy
  • CCPA: “Do Not Sell My Data”
  • Cookie Policy
  • Terms
Copyright © 2023 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.