Cybersecurity and Infrastructure Security Agency Director Jen Easterly told a roomful of city officials from around the United States on Thursday that while the din of ransomware and other cyberthreats has become inescapable in every sector, she’d like to make discussions of cyber hygiene and risk-mitigation strategies just as familiar.
“We saw ransomware attacks on businesses large and small, on cities, on schools. It’s really been a scourge,” Easterly said at the winter meeting of the U.S. Conference of Mayors, rattling off a few of 2021’s higher-profile incidents, like the attacks on Colonial Pipeline and the meat supplier JBS.
She said cybersecurity can be daunting for organizational leaders to contemplate because threats like ransomware are considered “pretty scary.” Instead, she encouraged the mayors to focus on steps they can take to prevent incidents.
“Cyberthreats, ransomware, have become a kitchen-table issue for all of us,” she said. “People don’t necessarily like to think about it, because nobody wants to get attacked. My hope with all of you is to make cybersecurity a kitchen-table issue.”
Financially motivated actors remain the biggest threat to local governments and are coming off another “banner year,” Easterly said. She reminded the mayors gathered in a Washington hotel conference room to ask their chief information officers and information security officers to implement familiar — but still not universal — procedures that can cut down on the risk of an attack.
“These are cybercriminals looking for the most vulnerable points,” she said. “Software that hasn’t been updated. Someone who isn’t using multi-factor authentication. It’s the lack of really effective cyber hygiene that causes these.”
Easterly said CISA offers cities four key resources. One is StopRansomware.gov, a website the agency created last year to house all its alerts and guidance about extortion malware, including lists of known vulnerabilities that malicious actors might try to exploit, like the recently discovered flaws in the Log4j open-source logging tool. Another is the suite of risk-assessment and vulnerability-scanning services the agency offers at no cost.
Then there are two newer features: The cybersecurity advisers CISA’s hired for every state — some of whom are former state CISOs — and the $1 billion grant program created in last November’s infrastructure spending plan.
While state and local officials had long pushed for the grants, details of the program, which is scheduled to distribute its first $200 million this year, are still being hammered out, and groups like the National Association of State Chief Information Officers are eagerly awaiting them.
Easterly said she’s now working with the Federal Emergency Management Agency, the Department of Homeland Security unit responsible for distributing the money, on guidance, which she’s “looking to get out in the next few months.” CISA will be responsible for setting goals, requirements and funding priorities of the program and approving states’ applications for funding, according to DHS.
Beyond the cyber hygiene reminders and updates on grants, Easterly also urged the city leaders to migrate their cities’ systems to the cloud if they haven’t done so already.
“We are in a space where we must modernize our technology,” she said. “We can’t win with legacy systems and legacy technology and just hoping having all our data on-prem is going to save us. To be honest, this is not easy. You need resources to make changes. But that is where you will be safe and secure for your city.”