Massachusetts Towns Face Myriad Cybersecurity Challenges

Old IT infrastructure, financial limitations and varied organizational structures are just a few of the barriers standing between local governments and state-of-the-art cybersecurity protections.

(TNS) — Three months before Millis was set to open its new police station, the company contracted to build the computer network quit.

Millis didn't have any full-time information technology personnel, so Peter Jurmain, now a selectman in town, offered to volunteer his time to get the system up to snuff. Jurmain, who owns a technology company, is semi-retired, so the project offered a challenge he had time for.

When Jurmain started poking around Millis' information technology systems, he said he wanted to throw up. The last-minute preparations needed at the police station were the least of the town's information technology problems.

"They were operating on old servers, old PCs, old operating systems, a firewall that had not been kept up to date, some backup, a very old email system," Jurmain said in a recent interview. "Basically, things were in shambles. We were very fortunate that we had not been attacked."

Four years later, Jurmain still volunteers as the town's information technology (IT) czar. He's spent at least 20 hours most weeks overhauling Millis' information technology systems, bringing the town of less than 9,000 people into the 21st century when it comes to cybersecurity.

Now town employees are regularly trained on cyberthreats, such as phishing, a strategy in which hackers send out infected emails hoping an unsuspecting employee will open the door to the municipality's computer network. Instead of personal computers, Millis employees now use hardware called thin clients, which are less vulnerable to hackers. More of the town's business is being conducted in the cloud, where data is easier to restore after an attack. Servers are being replaced, and software is being updated.

"We are at least covering ourselves realistically for the probabilities that we're going to get attacked," Jurmain said in a recent interview. "But right now, there isn't a community that isn't vulnerable."

Like Millis, many communities in MetroWest and the Milford area are readying their information technology systems for evolving cyberattacks that put taxpayer money and information at risk.

The Daily News wanted to know what cities and towns in MetroWest and the Milford area are doing to prepare for cyberattacks. For our investigation, we sent public records requests to 19 cities and towns in the MetroWest and Milford area related to cybersecurity efforts and interviewed local IT directors and cybersecurity experts.

We found that some municipalities are more prepared than others to fight off cyberattacks.

But awareness of the devastating potential of cyberthreats like ransomware is growing at the municipal level, in part because of horror stories of ransomware attacks in other municipalities.

The threats are real

Last June, Lake City, Florida, officials agreed to pay hackers almost $470,000 to release computer files after the community of just over 12,000 people was hit by a ransomware attack.

During the attack, digital records could not be accessed so the city switched to paper receipts and paper building permits. The city couldn't accept credit card payments for utility bills.

That same month, the city council of a nearby community called Riviera Beach, which has a population of roughly 35,000, voted to pay a ransom of $600,000 to hackers after a ransomware attack affected the town's email system and 911 dispatch.

Municipalities are now beginning to remake their information technology departments, which are structured differently in almost every town, largely because of cyberthreats like these. Across MetroWest and the Milford area, IT directors are pushing to add staff, combine town and school IT operations, and even collaborate with other towns to address security needs.

"We have a whole new way of doing things," Jurmain said, "and the reason was for this, for security."

Records requests and interviews show that while some municipalities in the region have made strides in preparing for cyberthreats, others lag behind, partly because awareness of what's needed to combat those threats still hasn't permeated all of local government and partly because cybersecurity is an expense that cash-strapped municipalities are reluctant to take on.

"You have to pay people to protect your networks, you have to be able to buy the software, update software, have people be monitoring your systems 24/7 in order to have a strong cyber-hygiene posture," said FBI Assistant Special Agent in Charge Dave Farrell, who works on cyberthreats in the Bureau's Boston office. "Some municipalities just don't have it and don't budget for it. They haven't changed their posture yet."

Costs hard to gauge

Because towns and cities have different populations and different organizational structures and therefore different IT needs, experts are wary of estimating the dollar figure needed to run a competent IT department.

One IT contractor working for a town that doesn't have its own IT staff charged roughly $100 to $150 per hour of work, but that contractor is now switching to a rough rate of $40 per device per month for remote support. That per device rate doesn't include work on a municipal server, for example, and most towns have hundreds of devices, which range from desktop computers to Chromebooks for public school students.

IT budgets don't even provide the full picture of what towns are currently spending, as technology is now embedded in nearly every department's budget to some degree, and cybersecurity is not a separate line item in municipal budgets.

While they are a flawed metric, IT budgets do show that most towns are spending more and more money on their IT systems each year, and many municipal IT professionals say still higher budgets are needed.

Millis, for example, likely wouldn't have been able to overhaul its information technology systems or keep them running without the volunteer work provided by Jurmain and Richard Harlow, another Millis resident.

"You can't afford me in this town. It's that simple," Jurmain said. "However, to get us to where we are, you needed me. So there's the problem."

Finding 'frequent flyers'

Richard Boucher is director of information services in Medway, a town of roughly 13,000 people. One day, he got the call that every IT professional dreads.

"We got the blue screen of death saying, 'Call this number now to get your data back,'" Boucher remembered.

It was ransomware, an increasingly common type of cyberattack in which hackers gain access to a digital network and hold it hostage until a ransom is paid. Often, hackers launch the attacks using a strategy called phishing, in which cybercriminals send out infected emails or links hoping unsuspecting employees will click on them, thereby opening the door to the town's computer networks.

According to an analysis published last May by Recorded Future, hackers have launched 169 ransomware attacks on state and local governments since 2013, though many ransomware attacks go unreported because they are viewed as a negative reflection on the municipality, and more have occurred since the study was published.

Farrell, the FBI agent, said ransomware asks have gone up as hackers spend more time crafting specifically targeted, rather than blanket, attacks. In New Bedford, which was hit by an attack in July, hackers wanted $5.3 million in the cryptocurrency Bitcoin to restore the systems they had ransomed.

Boucher doesn't know what the cybercriminals wanted from Medway. He immediately told the employee who had called him to pull the plug on the infected machine. Because of cybersecurity protections and backup systems Boucher has put in place over his 12 years working for Medway, the town's only loss was the cost of a desktop computer.

A successful attack in which the town is forced to pay a ransom would be devastating, Boucher said.

"Every dollar is allocated for a purpose," he said of the municipal budgets hackers hope to ransom. "It's not like a corporation where they're making a profit and that's sitting in an account that they can pull from. You're talking about positions being cut."

Boucher is working towards preventing another attack by arming what cybersecurity experts say is one of the most vulnerable parts of a network: its people.

"Educating your people on it is the first and foremost best defense," said Farrell, the FBI agent.

In 2019, the FBI's Internet Crime Complaint Center saw the highest number of complaints and the highest dollar losses reported since the center was established in 2000. The most frequently reported complaints were related to phishing-style tactics, which depend on people within an organization falling into increasingly sophisticated traps.

Medway is now strongly encouraging, though not requiring, employees to complete two different cybersecurity awareness programs.

Medway has paid roughly $1,300 annually for 100 town employees to access one of the programs. The second program is being offered to municipalities across the state through a cybersecurity awareness grant from Gov. Charlie Baker's Executive Office of Technology Services and Security. In Medway, that program will train 500 public town and school department employees.

As part of the programs, Medway's staff are tested on how easily they're fooled by fake emails and links that could be malicious. The programs are good for identifying what Boucher called "frequent flyers."

"The person that always fails those tests, we're going to those people and saying, 'You need to be a lot more careful than you are,'" Boucher said. "They automatically get re-enrolled back into training when they fail, which is nice."

Sudbury employees have used one of the same training programs being used in Medway.

When the simulated attacks began in Sudbury, 11% of town employees fell into the traps. In 2017, the failure rate had dropped to 3.5%, according to records provided by the town through a public records request.

But some municipalities haven't yet started this kind of training, according to our investigation. Others are conducting the training in-house.

In Southborough, a town of a little more than 10,000 people, Tom Laflamme is the sole employee working on information technology, and he was only hired about three years ago.

Laflamme launched his own simulated phishing attacks on town staff, but Southborough doesn't yet have a contract with third-party training programs like the ones being used in Medway and Sudbury.

"I'd like to be a little further along, but we are working with limited resources," Laflamme said.

IT directors are often among the few municipal employees who fully understand the scope of the threats facing their towns, and how much money is needed to protect against those threats.

Boucher, for example, hopes to one day install technology that would allow Medway to know what information, including residents' Social Security numbers and other personal information, hackers have downloaded after an attack.

"Budget is the key on that," Boucher said. "Those types of systems tend to be extremely expensive and because of our low rate of exposure at this point – that we know of – we haven't been able to justify the expense."

Even less expensive IT upgrades can be a tough sell in municipalities, which are weighing those upgrades against funding requests for more tangible needs, like new firetrucks or buildings.

"Some of the people that are in IT feel challenged to get the rest of the town to understand why this is a problem and why you need to get resources to fix it," said Stephanie Helm, director of the MassCyberCenter at the Massachusetts Technology Collaborative.

Shallow talent pool

Another cost IT professionals are struggling to fund is staff.

Medway, Millis and Southborough are among the municipalities looking to beef up information technology staffing levels, partly because of cybersecurity concerns.

Towns vary widely in the number of IT personnel they employ, according to information obtained through public records requests.

In Medway, Boucher requested $90,000 in funding for another position that will be specifically dedicated to cybersecurity. His initial funding request was lowered to $55,000, and that amount still isn't guaranteed.

"The budget isn't finalized yet, so until it is, we're curious if that's going to get cut," Boucher said, adding that town leaders in Medway are more understanding of cybersecurity needs than in other towns.

In Southborough, Laflamme, the town's single IT employee, has been lobbying the Finance Committee and Select Board to fund a part-time staffer he hopes could clear his plate of daily tech problems, allowing him to focus on big picture issues, including cybersecurity. The decision of whether or not to fund the position is ultimately up to Town Meeting.

Municipalities say that even if funding is available, it can be difficult to attract the qualified individuals they want on their IT teams.

"I've had three staff members leave here and make a minimum of 20% more than what we're paying in corporate," Boucher said. "Finding staff has been extremely tough."

Because they cannot compete with corporations on salary, Boucher and other municipal employees work to attract IT talent by pitching quality of life benefits to potential applicants.

Corporate IT professionals often work more than 40 hours a week, Boucher said. That's not usually the case in cities and towns.

"When we need to put the extra time in, we put the extra time in, but it's not a high pressure environment," he said. "I think in a corporate environment you're going to see a lot more stress, a lot more hours."

Towns can also be good training grounds for fresh-faced IT hopefuls.

"We're hiring sort of less veteran employees, some of my staff are right out of college," Boucher said. "We give them enough room to advance their knowledge and actually advance their career here."

State grants fill void

The Baker administration has focused on filling the funding gap and the informational resource deficit for municipal cybersecurity since 2017, when the governor filed legislation to establish the Executive Office of Technology Services and Security.

Then in April of last year, Baker filed a bond bill that dedicated $140 million to cybersecurity across the state.

Local IT professionals say the push is making a difference.

More than 72% of the roughly $89,000 Millis spent overhauling its information technology systems came from state grants.

"The state has made it possible for us to move as rapidly as we did," Jurmain said. "Charlie Baker's grants were critical. What he has offered us has made things possible. I applaud him for that, for even recognizing that the problems existed."

In late October, the Baker administration doled out $250,000 in grants to 94 cities and towns including Millis, Medway, Milford, Ashland and Framingham for cybersecurity awareness training.

That same month, the Baker administration announced a new $300,000 effort to help cities and towns develop plans to bolster "cyber resiliency."

Stephanie Helm, a retired Naval captain, is one of the people leading the state's cyber resiliency effort. Helm was named director of the MassCyberCenter at the Massachusetts Technology Collaborative, a quasi-governmental organization, in 2018.

Helm has made emergency planning for cyberattacks on municipalities a priority since she became director.

She partnered with the Massachusetts Municipal Association to send out a survey asking all of the state's 351 cities and towns if they have a cyberattack incident response plan in place. Only 76 municipalities responded, and, of those, only eight reported having a plan in place.

"The fact that there is no formal plan seemed to me to be the opportunity for us, that would be the issue I would focus on," Helm told the Daily News in a recent interview.

She is careful to point out that cities and towns are taking other actions to prepare for cyberthreats, including training efforts like the simulated phishing attacks, but she stressed that planning for the worst is one of the best ways to diagnose problems within an IT system.

"The planning process really gets you pretty far down the line, in my mind, of contextualizing for each of these individual municipalities what they need to do," Helm said.

Records requests sent by the Daily News show that some municipalities have conducted cybersecurity audits, another method used by IT professionals to diagnose security weaknesses, but many have not.

To help cities and towns create emergency plans, Helm is organizing a two-part workshop that will be held in different Homeland Security regions across the state. In the first part of the workshop, employees of cities and towns will get information about how to create cyberattack response plans. In the second workshop, which will be held several weeks later, plans created by cities and towns will be critiqued. Helm said the workshops will likely happen this year.

In addition to coming out of the workshops with emergency plans, Helm hopes the municipal IT professionals who attend will have an opportunity to learn from and form relationships with each other and with state employees tasked with solving some of the same problems.

Jurmain, who, along with Harlow, got an award at the Massachusetts Digital Government Summit for the work they did overhauling the town's IT systems, said collaboration both with the state and between towns is the best way for municipalities to solve the cybersecurity issues they face.

"The state needs to be more open to offer opportunities to the technical individuals in the towns to meet on a fairly frequent basis to come in, see what they're doing, to work with them in planning so that now you have an exchange of knowledge, much the way businesses operate," Jurmain said. "And the towns can offer something to the state."

Jurmain said that Millis is exploring whether nearby municipalities are interested in building cost-sharing partnerships to ease the burden of staffing a well-run IT department, and to create a more exciting environment for IT professionals considering municipal work.

In the meantime, Jurmain will continue volunteering as Millis' IT czar, a role he'll play until the town finds an alternative.

"You cannot have the town reliant on any one individual," Jurmain said. "Period."

©2020 Milford Daily News, Mass. Distributed by Tribune Content Agency, LLC.