Public entities taking cybersecurity seriously amid rise in threat risk

An official with the U.S. Department of Homeland Security made headlines in February by citing increasing threats of hacking faced by local governments – threats that local cities and school districts have been defending against for years, their officials say.

Jen Easterly, who heads Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), said local governments around the nation have become increasingly vulnerable to ransomware and other digital threats. Water-treatment plants, hospitals, police departments and automated systems have been hit by hackers, with sometimes serious results, Easterly said.

Officials with the cities of Delaware and Powell, as well as the Delaware City Schools, Olentangy Schools and Delaware Area Career Center, say their cybersecurity efforts are well established and include training or awareness programs to reduce dangers.

Those efforts include a continuing focus on improving strategies against hacking, they said.

"Cybersecurity risks are an increasingly pressing problem,” said Delaware city spokesman Lee Yoakum. “Nobody is immune from these attacks, so the city of Delaware is focused on building our resilience. Some of those measures include 'cyber-hygiene' practices, such as using complex passwords, updating software and implementing multifactor authentication."

Delaware City Schools has been working intentionally to further increase its cybersecurity posture for over two years, according to Jen Fry, the district’s chief technology officer.

“The motivation to adopt and document a specific cybersecurity framework began when the DCS technology team attended a Cybersecurity Boot Camp at Delaware Area Career Center in early 2020,” she said. “The district follows the National Institute of Standards and Technology framework, which is a tool that helps organizations of all sizes better understand, manage and reduce their cybersecurity risk and protect their networks and data."

Powell Police Department Chief Stephen Hrytzik said education and prevention are keys.

"To date, we have not experienced a cybersecurity attack,” he said March 7. “However, we continue to educate our staff and community on ways to prevent this from happening in the future.”

Likewise, training as been key at the DACC.

"Our IT department does an excellent job of training our staff on how to look out for phishing attempts and how to report them,” said Alicia Mowry, DACC public-information officer. “They even implemented a system a few years ago that sends ‘fake phishing’ attempts to us every once in a while, so if we fall for it, there’s no harm done and they use it as a teaching moment.”

Olentangy Schools has worked with cybersecurity-related groups for several years, according to Amanda Beeman, the district’s assistant director of communications.

“These include private industry vendors, Department of Homeland Security, CISA, as well as the K-12 focused group with the MS-ISAC Center for Internet Security,” she said. “We continue to build our cybersecurity awareness and adjust our security posture based on trends and information shared with us.”

The city of Delaware has experienced no serious hacking incidents, but like all organizations and many individuals, employees receive emails that attempt hacking with phishing and malware, Susie Daily, the city's chief information officer, said March 7.

The city created a position of IT manager/security officer and implemented daily activities to battle hacking, she said.

IT staff members also will participate in training, development and certification courses throughout 2022 to enhance cybersecurity skills, she said.

Those efforts include participating in tabletop exercises with other municipalities and government organizations hosted by FEMA to help develop or enhance an organization’s incident response plan, she said. The city also participates in an annual cybersecurity assessment and gap analysis to strengthen policies, programs and procedures.

"Cybersecurity measures have been in place for many years, and we continue to enhance these measures based on current needs and best practices," Fry said. "Cybersecurity measures currently in place include device protection software, multifactor authentication for staff, data backup and recovery, account automation, network protection and filtering, regular server patching, internet content filtering, network monitoring and district level management of devices."

The Delaware school district also uses a series of filtering and identification tools on educational accounts and school-owned Chromebooks used by students at school and at home, she said. For two years, the district has formalized online training in email safety and cybersecurity awareness, she said.

Beeman said Olentangy Schools put firewalls and other security measures in place, working with vendors for support.

“The district manages the configuration, settings and policies directly for these devices and services,” she said. “Access and use of many of the security tools depend on a district's budget and internal staffing resources."

Powell follows precautions issued by federal agencies, Hrytzik said.

“We have a third-party IT vendor that monitors our security of digital assets to ensure we have robust protocols in place to avoid this type of issue," he said.

DACC not only follows cybersecurity precautions; it also trains future cybersecurity experts, Mowry said.

"We do have a cybersecurity program that we run that has been growing,” she said. “They were the first high school to compete on a college-level 'Embedded Capture the Flag' competition. The student who started our first team a few years ago is a freshman at Michigan State University now and is starting their first team."

Sean Miller, Delaware County's director of the Office of Homeland Security and Emergency Management, noted a pair of specific governmental sites that provide detailed information and guidance about cyber threats.

CISA's Shields Up page at cisa.gov/shields-up lists the latest information on cyber threats and includes a catalog of free cybersecurity services and tools.

Another CISA page called Insights provides information on preparing for and mitigating foreign influence operations targeting critical infrastructure.

The county's cybersecurity efforts have been award-winning, according to Jane Hawes, the Delaware County commissioners' communications director.

"Cybersecurity has always been very important for our operations in Delaware County," she said. "We partner with a number of federal agencies, including Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA), to conduct ongoing tests against our network, as well as receiving sometimes hourly updates on reported threats that we need to address.

"With the current challenges we all face, this has been an opportunity to remind our employees about the importance of maintaining this integrity, but this is in addition to safety procedures we are constantly practicing. As a result, we have won numerous Top 10 awards from the Center for Digital Government. We’re also proud to work directly with a number of townships in the county to provide their IT service, thus ensuring that our cybersecurity efforts go beyond just county government offices."

ThisWeek assistant managing editor Scott Hummel contributed to this story.

editorial@thisweeknews.com

@ThisWeekNews

Comments are closed.