Winchester, Mass., On Guard After Local Gov Cyberattacks

According to a 2019 report from the International City Management Association, approximately one in three local governments do not know how frequently their information system is subject to attacks.

by Mariya Manzhos and Matthew Reid, Wicked Local Metro / August 29, 2019
Shutterstock/Timofeev Vladimir

(TNS) — Cities of all sizes have been hit with massive cyberattacks in recent years, including Baltimore and Atlanta, and most recently several communities in Texas. Smaller municipalities like Winchester, Mass., could also be at risk of losing data or having their systems hacked under a cyberattack, experts say.

According to a 2019 report from the International City Management Association, approximately one in three local governments do not know how frequently their information system is subject to attacks, incidents and breaches. Of those that do, 60 percent report they are subject to daily cyberattacks, often hourly or more.

Tiffany Schoenike, chief operating officer for the National Cyber Security Alliance, warns smaller municipalities are just as likely as larger cities to be the target of an attack. This could include anything from sensitive data being lost or stolen to systems being locked with the only recourse paying the hacker to regain access.

"Sometimes funding levels make things worse," Schoenike said. "This could be from not being able to afford the right kinds of technology, or not being able to hire the best people for the job."

But ultimately, hackers won't discriminate based on the type of government or system they target. "They go where the money is," she said. "Just like some criminals rob banks and others rob convenience stores, every hacker is different. That's why every community, large or small, needs to be protected."

According to Winchester Town Manager Lisa Wong, Winchester has not been targeted by cyber or ransom attacks.

"The Town IT and Public Safety Departments are continuously working on access and security issues such as following best practices at multiple levels from the network to the end users," she commented in an email. Wong noted that she could not discuss the town's security measures. The IT department holds periodic trainings and professional development for end users, Wong explained, and sends out notices if there is something the town staff and the community need to be aware of such as the latest phishing emails.

'Think before you click'

Phishing, Schoenike said, remains one of the most effective methods for hackers to gain access to a city or town's data. The act, which involves a cyber-criminal posing as a legitimate person or company as a way to obtain private information, is nothing new. But the methods used are constantly being refined.

A Melrose, Mass., police detective's laptop was infected in 2016 through a phishing attack, after an officer opened an attachment that set off a virus and encrypted all of the data on the computer. The attack compelled the department to pay nearly $500 for a Bitcoin ransom to regain control of its network. The city's technology director transferred the digital currency to the hackers via a mobile app, following instructions the hackers had left on the laptop.

Officials in Leominster, Mass., paid $10,000 in Bitcoin last year when a similar incident occurred involving the school district's computer systems, which affected every school in the district.

Issues such as these are causing many municipal officials to act, before something similar happens in their community.

In May, voters in Burlington, Mass., approved a Town Meeting article to request a report by year's end from the Board of Selectman on the current status of the town's cyber security, including a risk assessment and recommendations moving forward. The town has reactivated its Information Systems Advisory Committee to assist.

Education is key

Schoenike said the education of municipal employees, regardless of their comfort and familiarity with technology, is crucial.

"You can have the best tech in place, but if one person clicks on a link they shouldn't, or opens the wrong attachment, that's all some people need to gain access," she said. "And these criminals are getting very good at disguising themselves, so people think they're dealing with something that is safe and secure."

The city of Newton, Mass., has been training municipal employees on the dangers of phishing, and has seen positive results so far.

"We're about seven months in, and it's been a total success," said Newton Chief Information Officer Joseph Mulvey.

As part of the training, fake phishing emails have been sent to city employees in an attempt to lure them into interacting with what's in the message. The emails are catered to specific departments, such as messages related to banking being sent to staff in the Finance Department.

Mulvey said the city expected 20 to 30 percent of staff to fall for the bait and click on the emails when they first rolled out last December, but it ended up being less than 20 percent. Subsequent attempts have yielded even lower numbers.

"We've also been doing live presentations for staff," Mulvey said. "And we have training movies, about eight and a half minutes long, that we put online for anyone to watch."

The city has done cyber security vulnerability assessments multiple times since 2015, with another coming in the fall.

Mulvey said stealing information used to be the biggest concern for cyber security officials, but safeguards have been put in place to make that much harder for criminals. For example, Newton now has a third party oversee financial transactions with residents, and credit card information is not tied to the city's central online infrastructure.

Now, he said, the bigger concern is having city data held hostage.

"The ransomware really is the thing we're seeing everywhere," Mulvey said. "The last thing we ever want to do is be in a position where we have to pay someone to get access restored to our own systems."

©2019 Wicked Local Metro, Needham, Mass. Distributed by Tribune Content Agency, LLC.

Platforms & Programs