Counties need cyber disaster plans, too
State governments have steadily revised their disaster response plans to include contingencies for cyberattacks, a policy shift that’s helped places like Colorado, Louisiana and Texas work through ransomware incidents. But as attacks like ransomware continue to hone in on local governments — with more than 120 known cases last year — it’s incumbent upon county governments to add cyberattacks to their own disaster playbooks, speakers said Monday at National Association of Counties conference in Washington.
Addressing a roomful of county officials about another year in which hundreds of local governments and school districts fell prey to ransomware attacks, Teri Takai and Phil Bertolini, the directors of the Center for Digital Government think tank, said county governments have more IT assets to protect from online threats than ever before.
“Every device the county uses creates a hole for what I would call a cyberattack,” said Takai, a former chief information officer for the states of Michigan and California. “There’s really no way to say you’re going to be 100 percent secure on any particular day. This goes from computers to tablets to phones and now [internet-of-things] devices like cameras that sit on a light pole.”
But when an attack does hit, Bertolini — the longtime CIO of Oakland County, Michigan — invoked a theme that’s become familiar in states responding to cyberattacks: bringing in a host of agencies seasoned in responding to physical disasters.
“A cyber disaster is just like a physical disaster,” he said. “Over the 20 years I was on the IT team for Oakland County, I was on the emergency management team and I would be activated when we had an emergency. The same planning steps that go into a physical emergency have to go into your digital emergency. If you get ransomed, you probably activated your emergency response, you probably talked to your state police, you probably talked to a whole bunch of folks to get things going.”
Bertolini gave his audience of county leaders another familiar instruction: that interest in improving government cybersecurity needs to start from the top down.
“From the executive, all the way through the organization, you have to have buy-in that you’re going to protect your data,” he said.
But Bertolini also said he’s heard a few horror stories about attempts to protect data, including one small county, which he wouldn’t name, where an IT official kept DVDs containing the local government’s file backups at home.
“First of all, I said, how is your home more secure?” he recalled reacting. “And second, don’t you have a bank in your community? Why don’t you just put the DVDs in a safe deposit?”
Some officials, he said, “are just not thinking about what they need to do.”
Bertolini and Takai acknowledged that many counties have to grapple with tight finances that don’t afford for more robust cybersecurity spending or replacing older technologies.
“It’s a good thing because when you replace those technologies you’re going to have more security,” Bertolini said. “The bad thing? Money.”
But Takai nodded to some initiatives by state governments aimed at improving cybersecurity in their local communities, several of which were recently featured in a report by the National Governors Association and National Association of State Chief Information Officers.
“The states are trying to put in place programs that help cities and counties, because there’s a recognition there’s not enough resources in any single places,” she said.
But most crucial, she said, is for counties to realize they are on the hook for protecting sensitive information.
“Please, please, please look at cybersecurity under the umbrella of what’s at risk,” she said. “It requires the attention of your executive branch to bring all departments together. It means departments have to be a part of defining their data and what their continuity of operations are. For all of you, it means you’ll need to think about cybersecurity as part of your budget process.”