Could Tightening Public Information Rules Slow Cyberattacks?

Transparency advocates in Portsmouth, Va., are alarmed by a proposal to change public records law to help defend against phishing attacks. Officials say access to information is helping scammers identify targets.

by Ana Ley, The Virginian-Pilot / August 6, 2019

(TNS) — City officials say they’re being attacked regularly by internet fraudsters, and to guard their workplace, they want to make it harder for potential offenders to access public information.

But government watchdogs, alarmed by Portsmouth’s efforts, say doing so would only make it harder for Virginians to hold public agencies accountable.

On Tuesday night, the city’s chief information officer issued an alert saying someone pretending to be Economic Development Director Robert D. Moore was sending people a link and asking them to review a document.

“We take information security very seriously and ask that you also be vigilant in order to prevent fraud and to help protect our common interests,” Daniel Jones wrote in the notice, which officials say followed a similar attempt last year from a scammer pretending to be Fire Chief Jim Hoffler.

Such emails — known as “phishing” because scammers are fishing for sensitive information — typically appear to come from a trusted source such as a bank, your boss or a government agency. They usually either ask people to respond with sensitive details like account numbers or passwords, or they include a link or attachment that contains malicious code that can take over the recipient’s computer.

Del. Steve Heretick, D-Portsmouth, took the problem to lawmakers in Richmond during this year’s legislative session and convinced them to task a state agency to “study the threat of phishing attacks on citizens and public employees whose contact and private information is legally obtained” through record requests. The Virginia Freedom of Information Advisory Council has also been instructed to come up with ways to clamp down on the risk of such attacks.

Since then, the city has come up with a loose set of proposals to change the rules that regulate public access to government records. The changes would require people to provide a state ID when asking for data on more than five employees, allow government bodies to require written requests and allow citizens who write to government to opt out of having their “personal identifiable information” released through public-records requests.

Megan Rhyne, executive director of the Virginia Coalition for Open Government — a nonprofit whose aim is to promote access to government — said the city should tackle the problem by simply bolstering its network security and training staff to better deflect phishing attempts.

“While I’m sympathetic and know that this is really difficult for them, I would caution against reacting in a way that (would) shut down access to public information,” Rhyne said. “It’s not going to stop it.”

But as scamming practices evolve, it gets harder to keep attacks at bay, said City Attorney Solomon Ashby. Officials say the city employs roughly 2,200 workers and gets about 100 attacks per week.

“Not that we don’t train folks, not that we don’t have devices and mechanisms to stop them, but they’re changing techniques,” Ashby said. “We’re trying to stay up with them, but there’s got to be a comprehensive view in terms of doing that.”

Phishing attacks have hurt other cities. In Washington, for instance, someone pretending to be a city vendor had staff wire $700,000 to their bank account last summer. Around the same time in Baltimore, scammers shut down city computer systems and cost taxpayers an estimated $18.2 million. Members of Maryland’s congressional delegation told The Baltimore Sun after a briefing by the National Security Agency that the city was infected via a phishing email.

Asked about concerns over access to public records, Portsmouth’s Ashby said he expects the FOIA Council to balance interests and ensure that transparency isn’t compromised.

The FOIA Council is a state agency that issues opinions to resolve disputes over access to public records by clarifying what the law requires government agencies to release. Its opinions are not binding. Its membership includes lawmakers, bureaucrats and attorneys, while the nonprofit Virginia Coalition for Open Government is overseen by a board of directors that includes mostly scholars and journalism professionals.

Ashby and Heretick stressed that Portsmouth’s proposals — which also include sparing government bodies from legal liability if they give information about requesters to law enforcement agencies — are only early ideas.

The FOIA Council could decide not to pursue any changes in law.

“No legislation will take place unless and until FOIA Council has a full and fair opportunity to examine the process and to request public comment,” Heretick said. “This is still very, very preliminary, but I think the bottom line is we’re simply trying to protect the public.”

A FOIA Council subcommittee that is studying the issue will meet at 10 a.m. on Aug. 21 inside Room 400A at Richmond’s Pocahontas Building, 900 East Main Street.

©2019 The Virginian-Pilot (Norfolk, Va.). Distributed by Tribune Content Agency, LLC.
