In the spirit of Cyber Security Awareness Month, my first blog post for October featured tips on cybersecurity basics for government employees. For my last post of the month, I’m returning to the topic with an interview with Shannon LeColst, the new Cybersecurity Liaison for the Metro Boston Homeland Security Region. Shannon’s position is funded by FEMA’s Urban Areas Security Initiatives (UASI) Program and supports nine municipalities in Metro Boston, including Boston, Brookline, Cambridge, Chelsea, Quincy, Winthrop, Revere, Everett and Somerville. I sat down with her to discuss her role in homeland security for the region and some of the cybersecurity threats facing municipalities today.
This is a one-year grant-funded position. What are your objectives for the year and how do you see your role as a liaison for nine municipalities?
Overall, I have a responsibility to develop a mature information security posture for the region. This requires information sharing, assessment, training and related projects that will help to establish a baseline level of security, based on industry standards, that all towns and cities in the region can attain. My plan is to spend one day a week in Boston and one day every other week in each of the other eight towns and cities. By working with all nine municipalities, I can share resources and best practices between them and make sure that no city gets left behind.
That sounds ambitious! Where do you begin?
Assessments are usually a good starting point! I am currently coordinating each municipality’s participation in the Nationwide Cyber Security Review, an online self-assessment of gaps and opportunities in a state, local, tribal or territorial government’s cybersecurity program. There are 124 questions that span thematic areas such as identity and access, asset management, emergency response planning, and more. It compares your answers against best practices according to the National Institute of Standards in Technology (NIST) framework for information systems security (this is comparable to something like HIPAA’s security standards, but for technology products and services). Once you have a baseline assessment that is comparable to municipalities across the country, the tool provides you with a report that includes recommendations on how you can focus your efforts to improve cybersecurity and reduce risks.
How does your work tie into broader homeland security efforts for the region?
I hosted my first quarterly cybersecurity roundtable meeting recently, which includes a briefing from homeland security officials on broad projects and priorities. An urgent priority for the Metro Boston Homeland Security Region at the moment, especially with the midterms coming up, is election security, which is very relevant to me and my role. It’s unlikely for voting machines themselves to be hacked, even less so at a scale required to meaningfully influence an election, but there are other ways to tamper with an election. As we learned from the presidential election, bad actors can attempt to influence how a person will vote through misinformation and propaganda campaigns or cause disruption and chaos on election day as a way of suppressing voter turnout. Public safety employees of the Metro Boston region recently participated in an exercise at a hacking event where we split into a team of hackers and a team of law enforcement and simulated election day scenarios to prepare for the upcoming election.
That sounds kinda fun. Fun in theory, scary in practice I guess.
So what are some other cybersecurity threats faced by municipalities?
Some internet activity that requires a lot of processing power or web traffic will prey on insecure servers for extra processing power. If your city’s network is vulnerable, there are automated tools out there scanning for unused resources that will steal yours. If this happens to you it could overload your servers, crash critical applications, etc.
That sounds less malicious, but really rude.
The effect can be disastrous, regardless of intent. But speaking of malicious intent, of course, one of the biggest threats is human error and the vulnerability of staff to phishing and vishing–
Vishing? What is vishing?
Voice phishing. Someone might call you impersonating someone from your City’s tech support and ask if your computer has a certain version of software that they know they can hack. They’ve done their recon work and know about you and have names of your coworkers, can spoof a recognizable caller ID, etc.
So how does someone protect themselves from vishing?
Staff should follow set procedures for identity verification and receive annual awareness training. One rule to go by is: if someone is plying you for information via email, pick up the phone to call your IT support; if someone is requesting info via the phone, send an email. Staff need to follow procedures in which they’ve been trained by HR staff upon being onboarded. But the thing is, a lot of towns and municipalities don’t have set policies and procedures for these things. One of my goals in this role is to work with the municipalities to develop a Written Information Security Program (WISP) which should include acceptable use policies and standards around IT resources, social media, mobile devices, criteria for when information needs to be encrypted, disaster recovery protocols, incident response, etc. These policies and standards need to be “owned” by HR and should be included in every employee’s onboarding process.
It sounds like you have a busy year ahead of you. Thanks for sharing your work with us and GovLoop!
I’m interested to know whether other GovLoop contributors and readers participate in regional cybersecurity initiatives, participate in the Nationwide Cyber Security Review assessment, or share best practices with surrounding state and local governments. Let us know in the comments!
Susanna Ronalds-Hannon is part of the GovLoop Featured Contributor program, where we feature articles by government voices from all across the country (and world!). To see more Featured Contributor posts, click here.