Members of Tewksbury’s local delegation, including State Senator Barry Finegold and Selectman James Mackey, participated in the Joint Committee on Advanced Information Technology, the Internet, and Cybersecurity’s inaugural hearing on Sept. 8, 2021.
State and local officials, technology company leaders and cyber policy experts from academia gathered virtually to share experience and advice for moving the cities and towns of the Commonwealth forward in the fight to stay ahead of cybercriminals.
Several significant cyberattacks have occurred in municipalities in Massachusetts and across the country recently. The hearing focused on garnering legislative support to strengthen cyber preparedness and resilience at the local, state and regional level.
Finegold said, “Massachusetts has to get ahead of the curve and become a leader on cybersecurity. Over the past year, dangerous cyberattacks have disrupted critical infrastructure, healthcare organizations, municipal governments, school districts, and local businesses. Unfortunately, this problem is not going to go away: criminals are having success and finding new ways to commit crimes online.”
Finegold referenced the most recent attack on the state’s auto inspection system, which was shut down for three weeks due to a malware attack. Cybercrime accounts for hundreds of millions of dollars in losses to consumers, businesses, and municipalities each year.
Finegold co-chairs the committee with Rep. Linda Dean Campbell of Methuen. The three-hour public hearing covered numerous topics, highlighting agencies already in place that have been working steadily to create plans for municipalities, schools and public safety organizations to implement and standards to follow.
Stephanie Helm, Director of the MassCyberCenter, discussed a toolkit for municipalities which includes state and federal resources for funding of training and implementation of a baseline of cybersecurity measures. Additional efforts include working with local colleges and universities to develop talent in the area of cybersecurity.
Geoff Beckwith of the Massachusetts Municipal Association discussed ransomware attacks focused on cities and towns; nearly 45 percent of all attacks nationwide target medium and small sized communities. Beckwith said the disruption that a ransomware attack can mete out on a city or town and the services it provides renders communities vulnerable.
Tewksbury selectman James Mackey spoke at the hearing. Mackey is a principal security engineer and cyber expert. As an Army veteran, Mackey has helped lead cyber operations activities for the National Guard for the last three years in both regional and FEMA-level exercises.
With regard to the cybercriminals, Mackey said, “It’s not that they are building a better mousetrap; they are throwing everything against the wall and trying to see what sticks,” suggesting that cybercriminals go after known vulnerabilities and exploit them.
Mackey cited Tewksbury’s plan of a proactive, triage-first process. A first step was evaluating the town’s “low hanging fruit” for changes that can be made with little or no cost, including encryption policies, acceptable use policies, password policies, and patching.
Mackey said the town is working on the MassCyberCenter’s four-point minimum baseline plan, with an eye toward the Department of Homeland Security’s voluntary Critical Infrastructure Cyber Community (C3) program, and the ultimate goal of being a NIST-certified community.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework is an industry-developed voluntary framework to help organizations address and improve their cybersecurity risk management. Mackey said issues come into play on the detection front, an expensive process.
Mackey thought the resources of the Mass Cyber Consortium, which he referred to as “watchers,” were very exciting.
“You can have the most expensive firewall or endpoint protection, but if no one is looking at your logs, it doesn’t matter,” Mackey said.
He urged legislators to be flexible and not too granular in developing plans and policies.
“One size does not fit all, and we need alternate paths.”
Beckwith highlighted the fact that some communities in Massachusetts still do not have broadband. Beckwith also raised the issue of developing preparedness, yet working to protect this information through the public records act, and creating exceptions to protect municipalities as they work through policies, best practices, and frameworks so as not to expose any information that might create an opening for criminals as a community seeks to “catch up” and reinforce its security infrastructure.
Executives from Google, Microsoft, VMware, and Comcast discussed industry perspectives and the steps that these organizations use to identify “bad actors” and “contain threats.” Principals shared their appreciation for being part of the discussion and all agreed that in addition to technological improvements on the local level, training and workforce development are going to be key factors in combatting cyber threats in the future.
Safeguarding the physical systems that support cyber networks in a city or town, including protection for climate resilience, was also discussed. “Hardening” of infrastructure and protecting it from flood, heat, loss of power, etc. is as necessary as the software that is employed.
Tom Kellerman of VMware said, “The end goal [of these attacks] is to use the infrastructure to attack the constituency. Don’t limit the optics to just a vendor problem or a supply chain problem.”
Experts from Tufts University, Harvard University, MIT’s Lincoln Labs, and Boston University, discussed the importance of the Commonwealth tracking the data of cyber attacks in a more formal and organized manner.
“We need to know how many ransomware attacks there were, who paid the ransom, what cryptocurrency wallet address was it paid to, and so forth,” said Dr. Josephine Wolff, Associate Professor of Cybersecurity Policy at Tufts University’s Fletcher School of Law and Diplomacy and Tufts University’s School of Engineering.
Data loss prevention technology was suggested by Jeff Gottshalk, Assistant Head of the Cybersecurity and Information Services Division at MIT’s Lincoln Laboratory.
“You don’t want data that the Commonwealth holds in the public trust to become weaponized,” Gottshalk said.
The committee will circle back and review the expert information presented and determine its next steps.