Cybersecurity and Municipal Governments

Benjamin E. Griffith and Sven Kohlmeier

The information contained in this article is not intended as legal advice and may no longer be accurate due to changes in the law. Consult NHMA's legal services or your municipal attorney.

Municipal governments are placing more and more services and information online, making it easier for their residents, businesses and visitors to interact with them. Whatever the reason for creating a robust online presence, there are substantial financial, data-based, and liability risks that present significant benefits and challenges to municipalities. There are increasingly sophisticated groups and individuals who are constantly working to take advantage of such municipal systems and information for profit, or in support of other nefarious goals. As a result, police and court records, financial and payment systems, and personnel records for municipal water and electrical plants are among the common municipal targets of cyber-attacks.

Distributed Denial of Service (DDoS)

A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, making its online service unavailable to its users. Why would a municipality be subjected to a DDoS attack by cyber criminals? This might originate with criminal activity by gangs, political protests, revenge, or a disgruntled employee. The cyber attacker need not have sophisticated technical skills to initiate a DDoS attack, but only needs to purchase the service on the Dark Web, the virtual equivalent of a black market. As with Silk Road, which sold illegal drugs through the Dark Web, entities or individuals who want to operate illegally seek refuge in the Dark Web.

A few examples illustrate the range of this kind of DDoS attack. The Maine.gov website was disabled by such an attack three times in March 2015 along with the Bangor, Maine municipal website and other websites. As a result of a DDoS attack in November 2015, the San Jose Police Department was offline for several days.

While the online risks are significant, there are defenses for protection. Among cybersecurity considerations for municipal officials are the following:

1. Vulnerability to attacks: address known vulnerabilities and implement a system to monitor and update it.

2. Understand why hackers exploit local government websites and networks: whether a malicious attack by a disgruntled employee or an opportunistic attack by a third party, strengthen the local government entity’s resilience through constant assessment and enforcement of best practices.

3. Greatest vulnerabilities and need for protection: consider whether cyber insurance, which may require the insured entity to undertake certain predefined tasks during a security breach.

4. Best cybersecurity practices: realize that it is not a matter of whether, but when, a cyber-attack or security breach will occur; be prepared through training, an effective response process, periodic testing, and adequate recordkeeping for central and secure storage during a cyber incident; and maintain a strong communication link with law enforcement.

5. Hacking vulnerabilities of vehicles and mandatory security standards: Understand the “Internet of Things” – the linking of many previously non-Internet connected devices such as video cameras – to computer systems and the web. This makes it more important to segment networks and eliminate the “weakest link in the chain” so that a compromise of one device or sector will not translate into exploitation of the entire system.

6. Feasible means of preventing local governments from becoming gateways to federal and state hacking: make sure that the governmental entity creates network boundaries and segments that enable it to enforce detective and protective controls within its infrastructure.

One of the most common ways hackers gain authorized access to municipal systems is by way of “phishing” or “spearphishing” attacks. Typically using an email sent under false pretenses, the hacker will try to get the recipient to expose private information that can then be used to compromise identity, privacy or security.

Phishing and Spearphishing

Phishing is the fraudulent act of sending emails purporting to be from a reputable individual or legitimate entity in order to induce the recipient to reveal personal information, such as passwords, bank account numbers and credit card numbers.

Another cyber threat is spearphishing, similarly delivered by e-mail and designed to exploit human vulnerabilities. Spearphishing exploits a weakness in the e-mail system technology: the sender address is assumed legitimate; hence, the recipient routinely opens e-mails that purport to have originated with colleagues, business associates, acquaintances, and friends. If the hackers can spoof a credible sender’s address information, the recipient will be more likely to open the message. The attack delivery would be disrupted and the attack would fail if spurious e-mails were not delivered by the e-mail system, as when the e-mail recipient has an easily available means to verify the origin of the message.
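One way a mail gateway or help desk tool can give recipients that means of verifying origin is sketched below. This is an added example, not part of the original article: it assumes the municipality's receiving mail server stamps an Authentication-Results header with SPF, DKIM and DMARC verdicts, and the host name, addresses and messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: only this (hypothetical) receiving server's verdicts are trusted.
TRUSTED_AUTHSERV = "mx.townhall.example"

def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def origin_findings(raw_message):
    """List reasons the claimed sender of a message cannot be trusted."""
    msg = message_from_string(raw_message)
    findings, results = [], {}
    from_domain = domain_of(msg.get("From"))
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        # A sender can forge this header, so skip any not stamped by our server.
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest.lower()):
            results.setdefault(method, verdict)
    if results.get("dmarc") != "pass":
        findings.append(f"dmarc={results.get('dmarc', 'missing')} for {from_domain}")
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To {reply_domain} differs from From {from_domain}")
    return findings

# Constructed sample: spoofed From address, replies diverted to a look-alike domain.
SPOOFED = """\
Authentication-Results: mx.townhall.example; spf=fail smtp.mailfrom=townhall.example; dmarc=fail header.from=townhall.example
From: "Town Clerk" <clerk@townhall.example>
Reply-To: clerk@townhall-payments.example
Subject: Updated payroll form

Please confirm your password.
"""

# Constructed sample: genuine internal message that passed all checks.
LEGIT = """\
Authentication-Results: mx.townhall.example; spf=pass smtp.mailfrom=townhall.example; dkim=pass header.d=townhall.example; dmarc=pass header.from=townhall.example
From: "Town Clerk" <clerk@townhall.example>
Subject: Meeting agenda

See attached.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, origin_findings(raw))
```

A message with any finding can be quarantined or delivered with a visible warning banner, so the recipient does not have to judge the sender address by eye.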

Cryptolocker

A well-designed Trojan horse virus like Cryptolocker can generate millions of dollars for cyber criminals by encrypting the target’s data and holding it for ransom until the target pays a fee. According to one cybersecurity expert, top coding talent is being recruited to write some Trojan horse viruses that lie undetected until a future date and contain malicious code that can carry out a specific action when the hacker signals the software.

Implementing Security Protections

Risk management is about understanding how security events would impact assets and the organization as a whole. Risk management is also about evaluating assets and comparing the cost of loss or replacements to the cost of protecting those assets. One way municipal governments can implement or bolster security efforts is in the form of security audits and penetration tests. These measures call for paying ethical hackers to try to breach the local government’s system and report their findings. The government officials can then use this information to take pre-emptive action. Officials, from the highest to the lowest levels, must understand the long-term cost of a data security breach, and they must understand, in context, the great expense of a security audit or audits. They must count the cost not only in monetary terms, but also in terms of the loss of trust that citizens and customers have in their governments. Further, officials must decide whether an annual or biennial security audit is sufficient in the present and future cyber landscape. Attention should be given to such emerging trends as hiring 24/7 managed professional security service providers. These professionals can operate from remote security operations centers with fully dedicated certified security teams. The teams watch the local government’s network, inside and out, and can identify real-time security threats and help develop preventive countermeasures. It is not cheap, but its cost in relative terms may make it a bargain.

Cybersecurity Awareness Training

Cyber criminals usually hit the easiest targets first, much like thieves operating in a neighborhood during the holidays. A common breach can occur after a user clicks on a link in a spam or phishing email, and whether such an attack is financially motivated, or an attempt to cause mayhem in the city or town, or an act of revenge by a terminated employee, it must be confronted and effectively mitigated.

Among the simplest ways to mitigate such an attack is a good security awareness-training program. Prevention of internal breaches can be much more effective through utilization of low-cost end-user security awareness programs that are available through private-sector security organizations. Preparation measures can combine good awareness training with a cybersecurity policy that deals with unknown media, suspicious calls or online messages that try to get employees to visit a website, and e-mails with suspicious attachments.

Since employees do not always know which links they should not click on, which links are safe to open, what devices they should not connect to their office computer, or how to use a mobile device in the most secure way, a strong training policy and program can keep the environment secure.

A good start would be to form a local Cyber-Security Governance Committee consisting of the following individuals:

  • Cyber-Security Expert: Recruit a volunteer through the New England Chapter of the Information Systems Audit and Control Association (ISACA) https://www.isaca.org/membership/localchapterinformation/pages/chapteroverview.aspx?chapterid=018. Service on such a board can count as continuing education credits to maintain good standing as a Certified Information Systems Auditor (CISA).
  • Head Law Enforcement Official: Assists in creating mechanisms for reporting cyber-crime.
  • Member of Governing Body (Select Board, School Board, Village Commissioners): Assures that planning aligns with local strategic vision and facilitates the approval of resolutions to support the effort.
  • Municipal Information Technology Professional: Knowledge of systems, data and access levels is necessary for risk assessments, implementation, and monitoring.
  • Municipal Manager or Administrator: Brings strong knowledge of functional processes in the local government that aid with both risk assessments and implementation and monitoring.
  • School Board Representative: Assists with improving the school district’s cyber-security posture and provides insight into developing a cyber-security curriculum.

The risk landscape regarding technology is complex and fast changing. Thus, municipal officials need to evaluate existing policy and governance for managing these risks as effectively as possible. It is crucial to have strong support for security policies and measures. Local government leaders need to be behind these policies if they are to be enforced throughout the municipal organization. Moreover, policy and governance documents need to be constantly reviewed and refreshed as new technology is adopted.

* This is a condensed and edited version of a paper entitled Open Data, Government Transparency, Cybertheft & Individual Privacy delivered at the International Municipal Lawyers Association 2017 Mid-Year Seminar by Benjamin E. Griffith, Griffith Law Firm, Oxford, MS, www.glawms.com and by Sven Kohlmeier, Kohlmeier Law Firm, Berlin, Germany, www.kanzlei-kohlmeier.de.