A recent cybertheft of $4.2 million from the Oklahoma Law Enforcement Retirement System and resulting FBI probe has the attention of Rhode Island and other states.
In the Oklahoma case, the target was the pension fund for highway state troopers, state agents and park rangers. Access was gained through a municipal worker’s email account. Some money from the fund was recovered. But this kind of breach could have broader financial impact in the form of bond ratings, one analyst told Bloomberg.com.
“Your ability to pay debt is based on trust,” said Geoffrey Buswick, an analyst for S&P Global Ratings. “If you have your head in the sand when it comes to cybersecurity, we’re going to look at that for our rating.”
Before the Oklahoma pension fund, there have been many similar hacks.
New Bedford was hit with a municipal computer ransomware attack in July. The city’s Management Information Systems team shut down the attack when detected. The virus affected 4% of the city’s computers, or 158 workstations. Essential services were said not to be impacted.
New Bedford did not pay the hacker’s fee and rebuilt the city’s server network.
Rhode Island cities and towns were also hit by hackers this past summer, according to WPRI-TV CBS 12, with Coventry, Pawtucket and Newport all ramping up cybersecurity efforts after their attacks.
The R.I. Office of the General Treasurer declined to discuss its practices but said via email that it keeps track of such breaches.
“Maintaining the security of the state’s funds and transactions is a top priority and we are continuously updating our practices,” said Evan England, spokesman for General Treasurer Seth Magaziner.
‘If we give them ransom, they keep victimizing.’
LINN FREEDMAN, Robinson + Cole chair of data privacy and cybersecurity
Linn F. Freedman, chair of data privacy and cybersecurity with Connecticut-based law firm Robinson + Cole, acknowledges municipalities are in an especially vulnerable space.
“They’ve not traditionally had resources needed to implement a widespread education and training program,” she said. “They just don’t have the appropriate resources,” using money instead on technology that will provide defensive measures in hopes hackers will be caught before they get to employees.
“What we are finding,” she said, “is that even with the most-sophisticated spamware filters, hackers can buy domain names to get through that software.”
The U.S. Conference of Mayors cited 170 county, city or state government ransomware attacks since 2013.
This past summer, the group adopted a resolution not to pay ransom demands to hackers after ransomware infections, on the principle it encourages further attacks.
“If we give them ransom, they keep victimizing,” noted Freedman.
So far in 2019, U.S. municipalities have reported 73 ransomware attacks, up from 54 in 2018, according to data collected by a researcher at Recorded Future, a cybersecurity firm in Somerville, Mass., that specializes in threat intelligence.
Knowing these statistics and the pervasiveness of such threats to municipalities doesn’t make the situation feel less dire, however.
New hacking sophistication almost makes the days of the Nigerian Lottery phishing attacks seem quaint.
“Now they are literally cutting and pasting signature lines from real people and putting in their email address in with one letter transposed and you think you know that person,” Freedman said.
Both Freedman and Brenna McCabe – director of public affairs at the R.I. Department of Administration – say the state has strong resources in government cybersecurity.
McCabe points to Gov. Gina M. Raimondo’s commitment to cybersecurity and close collaborations, with much accomplished in the past five years, “including but not limited to rolling out comprehensive cybersecurity training to our employees, completing a statewide cybersecurity assessment and making big investments in expertise and technology.”
With a multiyear strategic plan, the governor in July eliminated the position of cybersecurity officer, created in 2017. The position’s responsibilities were taken on by Bijay Kumar, the state’s chief information officer and chief digital officer.
Freedman says the state’s small size makes for easier information sharing and collaboration against online attacks.
But she and McCabe both acknowledge that municipal cybersecurity is a balancing act of employee training, technological investments and cultural vigilance.
It’s no easy feat with already-strapped municipal budgets, notes Freedman, with a risk that other programs may suffer.
“Then as taxpayers, we don’t want our towns paying criminals ransom money,” she said. “I don’t. I don’t want my towns paying criminals.” She works to encourage companies to think of employees as stewards of the data and an organization’s “data militia.”