Local governmental agencies prepare for cyber attacks
OSCEOLA COUNTY -- In light of a recent Associated Press story about a ransomware attack on a small town in Georgia that shut down a 911 dispatcher, county jail electronic systems and sheriff's deputies' laptops, local officials were asked what security measures they had in place to protect their systems from a ransomware or other cyber attack.
Officials in Osceola, Lake and Mecosta counties said they have procedures and safeguards in place to prevent a cyber attack, and are as prepared as it is possible to be to protect their systems, and any personal data they contain, should such an event occur.
Osceola County prepared, sheriff says
Osceola County Sheriff Ed Williams said the department evaluates the likelihood of something happening based on the frequency that it is happening around them. Since they don't hear about it happening very often, they are of the opinion that, although it is possible, it is not likely to happen. But they are prepared just the same.
"We constantly evaluate the functionality of our systems in the event of fire, electric loss, and domestic terrorism, which includes computer systems," he said.
Williams said should such an attack take place, they would be able to operate the jail as normal because they have dual systems which can be accessed with a hard key whether or not the computer system works, and the patrol units can function with or without their mobile data terminal (MDT).
"I can't get into the specifics about all of our security procedures because we don't want to share certain information publicly, but we do have procedures in place," he said. "Police work was done long before all of these amenities came along, and we will continue to protect those in our community even when those things fail."
Osceola County Emergency Management Director Mark Watkins explained most of the emergency management response operations are mobile in nature so the data has multiple avenues of access and back-up, and the critical systems are hardwired or web-based, not software-controlled, which offers a degree of protection.
"The bulk of our activities are done 'off-grid' as the primary way of doing business," Watkins said. "Having access to our data anytime and anywhere naturally lends itself to resilience from cyber attacks, and we've specifically taken measures to keep it that way."
The department frequently operates off of isolated backups for days at a time during server upgrades and conferences. That is another measure that enables the department to continue to function during a crisis, he added.
Lake County employs safeguards
Lake County Administrator Tobi Lake said, after consulting with the county's information technology director and emergency management director, he determined they are prepared to deal with a ransomware attack should one occur.
"We have put multiple systems in place to deal with this that include defending the entire network, defending each computer, and back-up solutions should an attack reach our systems," Lake said. "Additionally, we are continually working on updating our policies and training our staff on best practices as all too often a system's weakness is in the human element."
Employees are continually advised and reminded to be aware of the potential for viruses and phishing emails that can potentially create problems, he added.
Lake said the safeguards they have in place include firewalls, remote monitoring and management of systems, endpoint protection software, spam filtration for email and web filtration.
"Should an attack reach one of our systems, we have safeguards that will prevent it from spreading," Lake said. "Additionally, we have back-up systems in place that will allow us to quickly recover from an attack and minimize the risk of lost data."
The county currently is in the process of updating the disaster recovery policy for general operations and information technology, he said.
Mecosta County utilizes caution
Mecosta County Director of Technology Tim Moslener said the county follows a certain set of rules when administering its computer systems, including personal computers, that include, keeping virus protection up to date, making sure they are using the latest operating system and making sure the latest updates to patch security are installed and being vigilant when surfing the web or responding to emails.
"We ask our staff to open email with caution," Moslener said. "If someone sends an invoice, always ask if you are expecting one from that person and if you know that person -- if not, delete the email. It is better to accidentally delete a legitimate email than to open an infected one."
Moslener said the county has protections in place to scan for viruses in emails and have implemented an add-on to the email system which scans for bad attachments and can prevent "URL spoofing," which is when an email looks legitimate, but asks the user to visit a site that is corrupted.
"While we have a lot of safeguards in place to help prevent these attacks, some of it also relies on the employees to remain vigilant about what they surf and what content they open on their machines," he said. "No matter how hard you try to stave off these attacks, where there is a will, there is a way, and no matter how much you prepare, remind and update, there is always a chance something can happen."
Issue is national, too
U.S. Senators Gary Peters (D-MI) and Ron Johnson (R-WI), Ranking Member and Chairman of the Senate Homeland Security and Governmental Affairs Committee, Amy Klobuchar (D-MN) and James Lankford (R-OK) recently introduced a bipartisan bill to strengthen local government cybersecurity defenses by switching to the .gov domain for websites and email addresses.
The DOTGOV Online Trust in Governance Act of 2019 directs the Department of Homeland Security to provide resources and assistance to local governments wanting to adopt .gov web addresses. Currently not widely used at the local level, the .gov domain increases resilience to cyber crimes that frequently target local government systems.
"Local governments are responsible for safeguarding citizens' personal data, from social security numbers and credit card information to detailed medical records," Senator Peters said in a press release. "This important legislation will help protect the personal information of people in Michigan and across the country from hackers looking to take advantage of gaps in our cybersecurity defenses."
State of Michigan Chief Security Officer Chris DeRusha stated it is great that additional emphasis is being placed on expanding use of the .gov domain to non-federal agencies. In the era of increased cyber attacks, .gov can provide an extra layer of certainty for both websites and email.
Websites and emails ending in .gov are easily recognizable as official and difficult to impersonate, which can help safeguard against malicious attacks. The bill directs the Cybersecurity and Infrastructure Security Agency (CISA) to work with local governments to help them transition to .gov domains and makes the transition more affordable for local governments.
"When Michiganders see a .gov website or email, they know they can trust that it is legitimate," Michigan Secretary of State Jocelyn Benson said. "Expanding the availability of this trusted domain to local governments could help boost public confidence and strengthen the security of government systems."