Baseline standards eyed to guard against cyber threats
BOSTON – To truly get a handle on cybersecurity, people and businesses around Massachusetts need to change their way of thinking and public officials at all levels of government need to be rowing in the same direction, the state’s top cybersecurity official told lawmakers Wednesday afternoon as they began to consider possible legislative action.
“We need to make sure that our executive leadership across the commonwealth, including at the state and the local level, our political leadership such as you all today are at the table. This is critical. We cannot solve this by thinking the IT guy is going to be able to buy a new server or upgrade the software and eradicate or stop these threats. It’s just not real,” Technology Services and Security Secretary Curt Wood said. He added, “We need to invest in our annualized security awareness training, we have to invest in our people, we have to invest in our systems. And the only way to do that is to make sure we keep a forum, such as this, around and that we continue the conversation.”
Sensing that the recent spate of cyberattacks that paralyzed some state services and have overwhelmed municipalities may only continue to get worse, the Legislature’s new Joint Committee on Advanced Information Technology, the Internet and Cybersecurity met for the first time Wednesday to begin plotting better defenses.
Cybersecurity has been growing in importance in recent years, but cyber protections have taken on new significance over the last year and a half as the pandemic forced many employees off of their office networks and shifted business activity to often less-protected personal computers and home internet networks.
This spring, a malware attack forced the state’s auto inspection system offline for nearly three weeks and a ransomware attack on the Steamship Authority caused delays for vacationers and residents trying to get to Martha’s Vineyard or Nantucket shortly after Memorial Day weekend.
Massachusetts municipalities also continue to be impacted by cyberattacks. NBC10 conducted a survey in 2019 that found that at least one out of six Massachusetts municipalities had been hit with a ransomware attack, in which cybercriminals hold information or the ability to provide services hostage until receiving payment.
The FBI has said that Massachusetts residents lost around $100 million from reported cybercrimes in 2020.
“Unfortunately, success builds on success and I don’t think this is going away anytime soon,” Senate co-chair Sen. Barry Finegold said. “Criminals are going to keep doing this and that’s why we have to find a new way to counteract these crimes online. We need to get smart and take proactive measures to ensure that online platforms are safe and secure.”
House co-chair Rep. Linda Dean Campbell said she thinks that public-private partnerships “are absolutely going to be critical to our goal of establishing any resiliency” and said the Bay State has an opportunity to bolster the cybersecurity workforce and industry here.
Both Finegold and Campbell are Merrimack Valley Legislators. Finegold, of Andover, also represents Dracut and Tewksbury, plus Lawrence. Campbell is from Methuen.
“If we’re very proactive — which we need to be — we really can encourage the development of an economic sector here in the commonwealth of Massachusetts. It certainly is a great opportunity which we must seize immediately, in my opinion,” she said.
There are an estimated 13,000 open cybersecurity positions in Massachusetts alone, former Sen. Vinny deMacedo said during Wednesday’s hearing. In his role as special adviser to the president for university initiatives at Bridgewater State University, deMacedo has been working over the last eight months to help develop cybersecurity training opportunities and a statewide cybersecurity consortium that could connect existing “cylinders of excellence” and serve as a resource for municipalities and businesses.
“Businesses would have a location, which they currently lack, to send their employees to receive affordable cybersecurity training. The consortium could convene regional hubs for business development where cybersecurity entrepreneurs can establish and grow startups,” deMacedo said. He added, “It is my belief that the commonwealth will be well served by the establishment of this consortium, with the goal of creating four to six regional institutions with cyber ranges and cyber security operations centers where municipalities, businesses and nonprofits can go and get their training and access a range of cybersecurity services.”
The Legislature provided $1.5 million in seed funding for the cybersecurity consortium in the fiscal 2022 budget.
Among the other possibilities up for discussion during the committee’s informational hearing were the ideas of creating a statewide cybersecurity strategy, requiring a baseline of “cyber standards” for the public and private sectors, and regulating the use of cryptocurrencies as payments to ransomware attackers.
“We don’t want to overburden businesses, but at the same time we need to make sure that they have tools in place to protect them and protect their customers,” Finegold said, pointing to the minimum cybersecurity standards that New York’s Department of Financial Services imposed a few years ago on banks, mortgage companies, insurance companies and other lenders.
He said the standards include things like assessing cyber vulnerabilities, appointing a chief information security officer and implementing an internal cybersecurity plan that mitigates threats.
“Should Massachusetts consider implementing similar requirements for financial services companies or private enterprises? That is going to be a question that we need to discuss,” Finegold said Wednesday.
Two people invited to testify pushed back a bit on Finegold’s idea of establishing a set of minimum standards. Massachusetts Municipal Association Executive Director Geoff Beckwith warned that requiring certain cybersecurity measures from municipalities could amount to an unfunded mandate. He said local officials with the MMA “really urge you not to consider a mandate or rigid requirement for baseline standards because it would be unenforceable and unaffordable and it would lead to all sorts of confusion at the local level.”
Backing Beckwith up on that point was Tewksbury selectman and security engineer James Mackey, who said it will be important that any cyber policy be flexible.
“I would caution against any framework/governance/legislation that is overly granular and prescriptive. We do need something but, having worked in both the federal government as a contractor, the military and in the private sector, and now at the municipal level, I can confidently say that too often governance is pushed on entities too soon without proper funding and resourcing, without a sufficient grace period to get it right, and without exceptions,” he said. “One of the biggest things in IT and cybersecurity is an exception to policy. There is no one-size-fits-all solution. There’s no magic wand. We’re going to need alternate paths.”
Gloss