Local Governments: Attractive Targets for Cybercriminals?

Cities and counties are attractive targets in part because they’re connected to state systems or other large networks.

by Andy Matarrese, The Columbian, Vancouver, Wash. / May 4, 2016

(TNS) -- Michael Hamilton was the CIO for the city of Seattle when he noticed the city’s security systems had snagged a booby-trapped email. The threat was contained before it became a problem, he said, but the malicious program apparently targeted power marketers, the utility employees who negotiate with wholesalers for electricity. Power marketers tend to keep their dealings fairly close to the chest, Hamilton said, so how did one of them end up in the sights of cybercriminals?

Hackers in China, he said, breached Google in 2009. Google creates some of its own electricity and has its own power marketers — power marketers, Hamilton said, who have connections with people at much larger utility companies.

Small governments and local agencies generate troves of sensitive information in the course of doing business. But what may be more worrisome is that many towns and agencies are also connected to state networks or infrastructure systems — and local governments’ resources to protect their networks and stored data can vary widely.

Attractive targets

Hamilton, who worked for Seattle from 2006 to 2013 and is now the CEO at the cybersecurity consulting firm Critical Informatics Inc., said the errant message Seattle flagged was likely part of an effort to wrangle a much larger prize, probably something under the umbrella of a larger utility, such as a power grid.

“That’s local government getting in the sights of a nation-state for the purpose of, likely, disruption,” he said.

Word of a major credit card data breach always sucks the air out of the room for IT types, he said, but oftentimes most victims are going to get their money back, along with free identity theft protection and credit monitoring afterward, and banks catch a lot of the attempted fraud.

“I get another letter from a credit card company — or my toilet won’t flush for three days,” Hamilton said. “The lowest-hanging fruit is local government.”

It’s hard to say how plugged in and networked public systems, such as sewage or traffic lights, really are. If they are somehow networked, it was likely done in a duct-tape-and-baling-wire fashion, Hamilton said, and those kind of networks aren’t hard to find for someone who knows what they’re doing.

In March, the Justice Department filed charges against seven Iranian hackers, including one who allegedly accessed the control software for a 102-by-22-foot dam in a New York suburb.

The feds say the man who hacked into the dam systems could access information about water depth or temperature, but the actual equipment to operate the small dam’s gates had never been connected.

Plenty of breaches aren’t as brazen or spooky. In late February, someone broke into and defaced the website for East County Fire & Rescue.

A firefighter logged in at the station and found that searches for the site were being redirected toward pornography, according to a police report.

The fire district shut down the site and called the sheriff’s office. The case was suspended with no known suspects or leads.

The fire district is connected to county systems that have their own protections. Its website was built separately, and mainly to share information with residents, interim chief Al Gillespie said.

“It was more of a pain in the neck than a real problem for our organization,” he said. “It’s not something we used to have to worry about, but it certainly is the way of the world now,” he said.

Networking risks

Local governments are attractive targets, said Sam Kim, Clark County’s chief information officer, in part because they’re connected to state systems or other large networks.

“That could be a huge vulnerability. That’s why I say, regardless of how big or small you are, you need to be vigilant,” he said.

The State Auditor’s Office has been ramping up its efforts in examining information security practices in the past few years.

The office tested five state agencies and said in findings shared in 2014 that officials found hundreds of security flaws.

“It was a very specific, focused audit, where we looked at what state agencies were doing in terms of old equipment, and their procedures and policies,” said Aaron Munn, the chief information security officer for the state auditor.

Moving on from state agencies, Munn said, the office has recently started working with more local governments about cybersecurity, and a few audits were ongoing.

The auditor’s office released its report on the city of Mill Creek in Snohomish County, the first city to volunteer for a specific security audit.

Constant attacks

Kim said it’s hard to say how many attacks the county fields, because there are so many avenues that hackers try.

“We’re constantly under attack, constantly being probed,” he said.

He couldn’t say where all the attacks were coming from, either, but plenty didn’t originate from the United States.

Munn said attempts to crack a network can range from phishing emails to high-tech, nation-backed break-ins.

“It’s difficult to answer that question, but every organization is susceptible,” Munn said.

Public agencies often lack money or resources for security, he said, and many governments looked toward their IT departments as a place to cut back during the recession.

Early last year, the Municipal Research and Services Center, a nonprofit organization that provides research and data for local governments in Washington, surveyed and interviewed officials from states, cities and counties about information security. (Hamilton’s consulting company, then called M.K. Hamilton & Associates, did the study.)

About 80 percent of survey respondents worked for communities of fewer than 25,000 people, and 60 percent served fewer than 10,000.

Many of those organizations said they had zero staff members working in IT, and more than half said they outsourced that work. Perhaps commensurate with the size of their organizations, a majority of respondents reported they had minimal or zero funding.

“There’s a workforce issue, as to training,” Munn said. “These are complex issues we’re dealing with that require maintenance, but there’s also availability challenges.”

One of the biggest problems facing the public sector is the lack of security professionals, Hamilton said.

“Cities, counties, public utilities cannot afford these people,” he said.

Experts in demand

Demand in general for cybersecurity experts is high, according to the Bureau of Labor Statistics. The number of people employed as information security analysts, the bureau’s title for IT professionals who specialize in cybersecurity, is expected to climb 18 percent by 2024, much faster than the average for other occupations.

The median pay for cybercrime experts in the public sector was about $74,000 per year in 2014, according to the Bureau of Labor Statistics, and it was $89,000 across all industries.

In a 2015 report, the National Association of State Chief Information Officers surveyed IT chiefs from 48 states, and about 92 percent of respondents said pay prevented them from attracting and keeping talent, and that was for state governments.

Voters should talk to their local agencies or governments if they’re concerned about their town’s information infrastructure, Kim said, but one of the best things a person can do to bolster security at the government level is to watch out for their own: Use good password practices, keep browsers and operating systems updated and use two-factor authentication systems where possible.

“Just like everybody else, the No. 1 vulnerability is not our systems, it’s people,” Kim said. “It’s the inside job, and it could be no malevolence involved.”

Most people who sit down at computers connected in a roundabout way to some sensitive data somewhere are just trying to do their jobs — and they aren’t hired to stave off computer criminals.

They make mistakes: Kim said one test IT programs will do is leave nice USB thumb drives lying in the parking lot to see who takes the bait and plugs in a strange drive into a secure network.

“Let’s face it, cybersecurity, information security is not on the foremost of anybody’s mind,” Kim said. “They want to complete their task.”

A large piece of dealing with that is a matter of training to meet new threats, he said, and that ought to be for everyone in an organization.

Getting buy-in from agency executives and elected officials can be another hurdle, he said.

“When do burglar alarms get installed? After the break-in.”

Little official concern

Public information technology workers told the Municipal Research and Services Center that they generally agreed agency heads and elected officials need additional education to understand the extent of the problems.

Respondents said 75 percent of government executives had little or no interest in addressing information security risks.

On a scale of 1 to 5, 75 percent of respondents gave government executives scores less than 3 for their awareness of information security threats.

“In the focus groups, it was widely acknowledged that the level of threat is increasing, especially to smaller organizations without the means to defend themselves,” the center said.

One advantage that governments and public agencies do have, Kim said, is they can work together.

You probably won’t see Lockheed Martin and Northrop Grumman working together on security, he said, since they have trade secrets to protect and an interest in looking like a more secure bet to customers.

Public agencies, on the other hand, all face the same problems, work in the same space and can share resources and expertise. They don’t have competition, he said.

Kim said he’s working on a plan to centralize information security and network services for public agencies with the county.

The idea is that the county’s towns and agencies could all share the same standards and systems for storing their data and operating their networks, all operating using the county’s architecture.

The county’s always playing interference and patching up weak spots, he said. No system — especially one that needs to be open and usable, like a government’s — can be completely secure.

Most hackers tend to go for the path of least resistance, so a large part of being secure is making sure you don’t look like an easy target, Kim said.

“We just need to not be alarmist, but make sure we’re all vigilant,” he said. “I think government in particular owes the residents of this county to assure them, ‘Hey, we’re doing everything in our power to make sure things are safe and secure.’?”

©2016 The Columbian (Vancouver, Wash.). Distributed by Tribune Content Agency, LLC.