Cyber City, Cyber Secure?


by / January 27, 2009

Is City-Cyber-Armageddon just around the corner?

Today City governments depend upon technology - more than ever - to operate. But, gee, how secure and reliable are these systems, these networks and these communications? Constituents depend upon the Internet, web, e-mail and cell phones to communicate with their government for information and services.

I recently had a non-classified meeting with some fedgov Department of Homeland Security cyber folks, and DHS contractors, about potential cyber security tools. I'm a "geek", so I love tools and software. I'm a senior public official, so I also like charts and graphs and statistics. My meeting had plenty of both tools and statistics. But, after hearing about the Internet's vulnerabilities and potential threats, I walked away from the meeting ready to move to a mountain cabin "off the grid" and isolated from the world.

Is cybersecurity really a major issue?   What can a municipal government do to improve HomeCity Security?

Is it an issue? I offer the following observations:
o   A laptop computer with records of 26.5 million veterans was stolen from the home of a Veteran's Administration employee in May 2006 (later recovered). But these veterans (including me - I'm a retired Army Officer) received letters notifying us of the problem. The VA also lost records of 1.8 million veterans in February 2007 and covered up other data breaches. They (that's "we" for those of us who pay fedgov income tax) paid for a lot of clean-up and credit monitoring.
o   The day after his inauguration, President Obama published a cybersecurity plan and intends - as a top priority - to appoint a national cybersecurity advisor.
o   Within the last few months, Heartland Computer Systems may have lost over 45 million consumer credit card numbers
o   The nation's electrical grid is allegedly vulnerable to cyberattack (and my City operates the nation's ninth largest municipal electric utility with 300,000 customers)
o   Conficker worm may be infecting one million new computers a day

What scares me?

1.   Injury to the people who trust the government of the City of Seattle.   The people of Seattle entrust their credit card numbers, their phone numbers, their personal information to my government.   When they call 911, they expect help.   We've had some breaches, for example web-based SQL databases compromised by SQL injection attacks, so any constituent visiting those websites receives computer viruses... from us!  

If someone is hurt physically or financially or emotionally because we've failed to keep the telephone network or their personal information cybersecure, I've failed as CTO, and I've failed big-time.   I never want to be sending letters like the one I received from the VA.

2. Damage to the City of Seattle's reputation. One reason my government works so well is that the people of Seattle trust us. When they call, we respond. We provide reliable, on-time services. One clear demonstration of this trust - last November, despite a looming recession, the people of Seattle passed levies to fund more parks, a Pike Place Market renovation, and a $17 billion transit system. A cyber-incident will damage this special relationship of trust.

3.   Outage of the City's technology systems. Constituents use technology to report problems and request service from the City. They call 911 or 684-3000 (utility customer service). They send e-mail. They pay bills on the web. And City employees use technology to coordinate our response - radio systems for public safety, telephone and data networks, electronic mail systems, Windows servers and a 24x7 data center. I'm proud of 99%+ uptime on those systems to "make technology work for the City." Cyber incidents endanger those systems.

How can we improve HomeCity Cybersecurity?   Here's what I'm doing:

1. Hired a damn fine CISO. My Chief Information Security Officer, Mike Hamilton, is the best. Worked for a long time in private industry, came to Seattle ready to give his expertise in public service. Like all CISOs, he sees bad guys everywhere. (To some extent, I pay him to do that!) Unlike many CISOs, he knows that technology and the Internet are here to stay and we need to take practical measures to make them as secure as possible.

2.   Assemble and train a team of cyber-techies and professional cyber-sleuths.   We have dedicated, skilled IT security professionals scattered throughout City government.   Their departments and agencies spent money to train them, and CISO Hamilton matrix-manages them to patch and secure systems.   We use them as a cyber-incident-management team under Hamilton's Deputy - David Matthews - to investigate and get to root cause of any potential cybersecurity incident. They are our best cyber-defense.

3.   Test every doggone Internet-facing application.   Do penetration testing on our Internet connection.   Watch firewall logs.   Apply every hi-impact Microsoft or Cisco or (fill-in-the-blank technology company) security patch as soon as you can. No more than five days max from patch release to deployment.

4.   Selectively outsource.   For example, we've outsourced management of credit card payments to skilled third parties, rather than "storing and managing our own".   We can't outsource accountability, but we can share risk.

5.   Buy some basic tools.   Anti-virus for every computer.   Patch distribution software.   Vulnerability scanning software.   System logging and aggregation software. Web site blocking software.   Then use it.

6.   Educate, train, harangue and educate again. The weakest link in every cybersecurity defense is employees. Employees who transport data from work to home on thumbdrives, potentially losing the data or introducing a new virus or worm. "Loose lips sink ships" and "Loose laptops sink cyber-security". Employees who surf the Internet and hit questionable websites. We train employees on good security practices, harangue management to enforce them, and then train again.

I'm not quite as concerned about cyber attacks crippling public safety radio systems or the SCADA systems which control the electrical grid and water supply or traffic signal control.   These systems are vulnerable, but we have in-depth layers of defense and employees dedicated to protecting them.

I'm concerned about that single lost portable hard drive with social security numbers.   Or that one SQL server database which should be "read only" but is "read-write" and compromised.   Or that employee who goes to a web gambling site and downloads a day-zero cyber virus.

Technology is here to stay.   Internet use by government and our constituents will only increase.   But we're working hard to mitigate the vulnerabilities.

And I still don't sleep very well at night.

Bill Schrier is the director of the Digital Communities program and deputy director of the Center for Digital Government at e.Republic.

Bill Schrier is senior policy advisor in the Office of the Chief Information Officer (OCIO) at the State of Washington.  In this capacity he chairs the State Interoperability Executive Committee (SIEC), serves as the primary point of contact for the FirstNet effort in the state and advises the CIO on other matters.

In the past he served as the Deputy Director of the Center for Digital Government.   He also retired in May, 2012, after over 8 years serving as Chief Technology Officer (CTO) for the City of Seattle and director of the city's Department of Information Technology (DoIT).  In this capacity he managed over 200 employees and budgets up to $59 million to support city government technology, and reported directly to Mayor Michael McGinn. 

Schrier was named one of Government Technology’s 25 Doers, Dreamers and Drivers in 2008, and a Computerworld Premier 100 Leader for 2010.  He writes a blog about the intersection of information technology and government, how they sometimes collide but often influence and change each other.   He tweets at www.twitter.com/billschrier

Schrier is a retired officer with the U.S. Army Corps of Engineers. He holds a Masters in Public Administration from the University of Washington.

E-mail:       bill@schrier.org
Phone:      206-255-2156