A dubious constituency is demonstrating great knowledge of how county governments work: Hackers.
When reviewing email attacks against Berks County, Pa., Chief Information Officer Justin Loose saw a pattern.
“We were struck by how much the attackers really knew about county government,” he said. “We could see some of the terms they were searching for in a compromised email account — they were searching for words like ‘treasurer’ and ‘commissioner.’ They understood how county government is structured and who might have the type of information they are looking for and who might have it. The attackers have done their homework.”
While they might not be learning by playing “Counties Work,” bad actors have identified county governments as valuable targets for financial attack. Loose and three other county information technology professionals shared their experiences with attacks on their information systems Oct. 29, during NACo’s Virtual Cyber Security Symposium.
Their experiences show the escalating threat of cyberattacks on county systems and stress the need for planning and relationship-building in the event, or the almost inevitable event, of a cyberattack. And they point the finger at the weak link in all circumstances: Humans.
“You can put the best piece of hardware or the best piece of software in place to try to hold against an attack, but it comes down to the user,” said Erie County, N.Y. CIO Mike Breeden.
Collin County, Texas had its own personnel to blame for a cyberattack.
“A human made us most vulnerable; embarrassingly enough, a human in the IT department,” said Collin County Deputy CIO Steven Ganey. “It doesn’t matter where you work, it doesn’t matter how smart you think you are — think, think, think, think, think before you click on something or download something. You could spend millions of dollars on monitoring, but if someone’s going to open the front door and let the hacker in, then all that security (is worthless).”
Erie County requires all employees to complete cybersecurity training, which is now integrated with other mandatory training. And all participants hammered home that administrative access to systems should be limited to only the necessary personnel.
Breeden implored counties to do cybersecurity assessments of their information systems, and to be brutally honest about their operating procedures. Erie County sounded the alarm after the unaffiliated Erie County Medical Center spent nearly $10 million restoring its system in 2017 after balking at a $30,000 ransom.
“A lot of times it’s overwhelming and you feel like there’s no way possible with your staff or even outside staff that you can accomplish all the stuff that needs to be remediated,” Breeden said. “You won’t be able to do it all at one time but make a plan… and work at it.”
Some attackers didn’t do their homework.
“I guess they weren’t really privy to how much money we had because they only asked for $52,000, or one bitcoin,” Ganey said of Collin County’s April 2018 attack, which cost $60,000 in staff time and equipment. “Of course, we weren’t going to pay it.”
Ganey wasn’t even sure how much preparation, on the front end, would have helped Collin County. And Morgan County, Ala. triggered ransomware that had been in its backup for a month. The key these days is protecting backup systems.
“Backups are critical, that’s the new target,” he said. “If you can restore from a backup — they’ll target that. Why would you pay a ransom (for the main system?).”
Computer backups should not be connected to the internet and should be physically isolated. And they should be tested regularly.
When Morgan County was hit by a ransom demand during summer 2019, the county staff was caught on its heels.
“We didn’t even have an incident response plan on paper,” said IT Director George Hill. “Now we have everyone’s phone number printed on paper. We have a printed list of resources, all the stuff I had to come up with on the fly during the event. That’s something that cost us time.”
Hill encouraged counties to develop relationships among departments when things are going well, so when they need each other, they know who they’re talking to.
“You need to build a relationship with someone, departments, vendors, you need people you have a relationship with, you don’t need to be reaching out to someone for the first time to come in and help” rebuild the system, he said. “When you’re as small as our county is, staff-wise, you need boots on the ground. You need people to respond. You’re going to have to do a lot of public relations during the incident and you need people in the background working the problem to get it fixed while you’re talking to your elected officials, talking to your county administrators, talking to your department heads… the people the outage is affecting.”
To that end, simulations, or table-top exercises, are critical in preparing county staff and officials for how a cyberattack will affect a county and what needs to be done.
Counties addressed their cybersecurity insurance policies, and none had claimed their costs following their incidents. Ganey encouraged counties to read the fine print on their policies.
“With our policy, you have to prove that we didn’t cause (the incident) ourselves, and that can be hard to do,” he said. “I could see that turning into a dog chasing its tail trying to find out whose fault it was before they pay.”
NACo Chief Technology Officer Rita Reynolds chimed in with a wider perspective of cyber insurance.
A lot of times, she said, “it would be cheaper to pay the ransom. It’s not the right thing to do in the long run because the problem is that when you pay the ransom, you’re just encouraging and rewarding the bad behavior and the bad behavior becomes even more prolific.”
But she said as insurance companies weigh the costs of system rebuilds, their recommendations are changing.
“We’ve heard instances in which the insurance company is encouraging the local government to pay the ransom,” she said, because it would be cheaper.
“Once you pay the ransom, your name goes on a list and they know you’re susceptible,” she said, and willing to pay.