Municipalities Face Unique Cybersecurity Challenges

Posted: 4th November 2019
By: MONICA TODROS

Cities and municipalities have made headlines recently in their efforts to defend themselves from cyberattacks — most notably, ransomware. Joining us this week to discuss the unique security challenges faced by municipalities are two guests.

Margaret Byrnes is executive director of the New Hampshire Municipal Association, a nonprofit membership organization that provides education, training, advocacy, and legal services to cities and towns across New Hampshire. Joe Howland is chief information security officer at VC3, a managed IT services company whose clients include many municipalities throughout the country.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 132 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

Cities and municipalities have made headlines recently in their efforts to defend themselves from cyberattacks, most notably ransomware. Joining us this week to discuss the unique security challenges faced by municipalities are two guests.

Margaret Byrnes is executive director of the New Hampshire Municipal Association, a nonprofit membership organization that provides education, training, advocacy, and legal services to cities and towns across New Hampshire. Joe Howland is chief information security officer at VC3, a managed IT services company whose clients include many municipalities throughout the country. Stay with us.

Margaret Byrnes:

I started out like a normal attorney. I graduated from law school back in 2011, and I started practicing at a small law firm, first in Massachusetts, and then I made my way up to New Hampshire to a slightly larger law firm where I became very interested in New Hampshire government and way of life, and I ended up getting a job here at the New Hampshire Municipal Association in 2014.

I was a staff attorney here, so the first few years here at NHMA, I was giving legal advice to municipalities and really learning so much about New Hampshire local government. I thought I knew a lot until I came here and really started to talk to people who do the governance in the towns and cities, and what they face, and what the challenges are. Through that role I learned a lot about New Hampshire, and then really enjoyed my job here, enjoyed being part of this organization and working with local government, and I became Executive Director just at the beginning of this year. I just started in January of 2019 in that role.

Dave Bittner:

Well, Joe, how about your career? Take us through what led you to where you are today.

Joe Howland:

I think my path is probably not quite so direct. I've been in IT for 25 plus years. Like many people in IT, in the late ’90s and early 2000s, jumping around between different IT jobs until I finally landed at Computer Sciences Corporation, a large international IT organization where I really started developing my IT skills and really diving into the technology and starting to grow specific skillsets instead of just being an IT generalist.

I worked for CSC for many years, and then ultimately about 12 years ago I moved over to VC3. At VC3 I've had several different roles. I've been a Virtual Chief Information Officer, which was a great role where I worked with mostly small government agencies, helping them define their IT strategies and understand how IT could help meet their objectives, and really learning how IT and business merge and marry and come together to help organizations grow. And then just over the past few years I've shifted into this security role as that need has become very apparent, and we've seen that need grow in municipal government.

Dave Bittner:

Margaret, can you give us an overview of what the New Hampshire Municipal Association does?

Margaret Byrnes:

Absolutely. It's certainly a good question, because I think most people probably don't know what a municipal association or a municipal league is. So just by way of a little bit of background, every state except Hawaii, I believe I still have that correct, every state except Hawaii has something like the New Hampshire Municipal Association, and they're either referred to as a municipal league or a municipal association. Essentially what they are is, they are organizations in each state that towns and cities, and sometimes different types of governments too, depending on what kind of structure you have in your state, such as counties, can join the association, become a member of the association by paying dues, and in turn they get services from the association or the municipal league. Across the country, municipal leagues provide slightly different services, depending on what the municipalities in that state are looking for or want out of their municipal league.

So the common denominator is that, I think I'm correct saying, that every municipal league or association provides some kind of legislative service to its members. In other words, lobbying at the state legislature to promote legislation that helps municipalities or oppose legislation that hurts municipalities.

Some municipal leagues also provide other types of training and services for municipalities. For example, the New Hampshire Municipal Association, in addition to legislative services, provides legal services, so we have attorneys that can provide general legal advice to any of our municipal members, and we also provide a lot of training, so workshops and training events on different things that municipalities do, on the laws. We try to keep our municipal officials up to date and well trained in all the different phases of what they do in their town or city, which also means we write a lot of publications, a lot of educational documents and things like that.

Dave Bittner:

And so these days, where does cybersecurity fall in the spectrum of things that have your attention?

Margaret Byrnes:

I think that up until very recently, it was not something that had our attention. I think it was something that had our organization's attention, like most companies and organizations, trying to improve your own internal protocols and protections, but we all of a sudden started to realize that there was a huge need for education, leadership, support for towns and cities in New Hampshire, as well as across the country in this area. As an organization, we've just started to try to look at, "Who can we collaborate with to provide education and support to our members?" since NHMA, as an association, doesn't have that expertise internally.

Dave Bittner:

Now, I would imagine, tell me if I'm correct here, that you have different municipalities of all different sizes from across the state who are members of your organization, and so they would be coming to you with different needs.

Margaret Byrnes:

Absolutely. And that's across the board. That's certainly not just in the IT or cybersecurity or information security world. We have a huge cross section, so unlike probably other parts of the country, other states, New Hampshire, and as well as New England, we have a lot of small towns, but if you look at New Hampshire, we've got a lot of small towns, some medium sized towns, and then a couple huge cities. And when I say huge cities, I recognize that in comparison to the rest of the country, outside of New England, our cities are not as huge as other places in the country.

So we have towns that have 300 to 1,500 people, and their capabilities, their needs, their staff are going to be very different than one of our larger cities like Manchester or Nashua. Very different make up of both people as well as employees, money, things of that nature. So one of the things that we always have to think about is, "How do we provide education, training, and services that touch on all the different needs of different sized and differently placed municipalities in New Hampshire?" And that is a challenge across the board.

Dave Bittner:

And when they're communicating to you, what are the things that are at the top of their list in terms of their security concerns?

Margaret Byrnes:

Well, I think the number one thing that we hear is that they are concerned about having the budget as well as the knowledge and skills in order to be able to implement the right protocols, the right services, the right protections. So small municipalities who have no internal person with any knowledge or skills in this area, who have tight budgets and small budgets, who have perhaps never ventured into looking into their protocols, what they need, what they do, what they shouldn't do, they're nervous about what the next step is for them, and this of course includes police departments in small towns. Their budgets are strained as well, and so their big question is, "How can we do what we need to do on the budget that we have? What are the first steps that we should take, and where should we turn for support and education in this area?" And so as I said, we're trying to be a place to help, that municipalities can turn to to find some education and assistance.

Dave Bittner:

And Joe, how does that echo the types of things that you're hearing with your clients and the folks that you work with?

Joe Howland:

Very, very similar. We are a managed services provider that really focuses and specializes in small government. We support a lot of municipalities, a lot of counties, water and sewer authorities, councils of governments, leagues, as Margaret was talking about, and we see the same kind of struggles. We see organizations that know that security is an issue, but they don't know where to start. They don't feel like they have the funding. Municipalities are on fixed budgets. If they start spending on security, that means that there's possibly some service they're not going to be able to provide. They really struggle with those dollars, and where do they spend them?

And then you've got just a lack of understanding, especially when the smaller municipalities that don't have a large IT staff, they don't have a security specialist sitting on staff who understands the ins and outs of security. They're looking at this landscape of products and advice and information that's out there, and in some cases, they feel like they're drowning, and their response frequently is to just put their head in the sand.

We see that same struggle. We see municipalities that don't have a lot of money to spend, and they certainly do not know where they need to spend that money. They know it's a problem, but they simply do not know what to do.

Margaret Byrnes:

I think that's such a good point about putting their head in the sand. I think what happens a lot is it's overwhelming. As you point out, they look at all the information out there. They want to do the right thing. They don't have the knowledge or expertise to assess what's out there and make the decision about what they should do, and some of that stems from the fact, especially here in New Hampshire, most of our towns, all of our towns and cities are run via volunteer individuals, volunteer governance.

You know, we have 234 towns and cities in New Hampshire. Only 13 of them are cities, so over 200 towns are governed by boards of selectmen, and these are individuals who essentially volunteer their time, run for office, become elected, select board members in their community, and have a huge amount of responsibility, oversight, and governance over the operations of the municipality. And you bring to them, "Well, you've got to do better in this area. You need to hire someone. You need protocols. You're not doing this, you're not doing that," and it's overwhelming. And so that can lead to nothing happening, or maybe just not the right thing happening, even if they're well intentioned, to try to address the issue.

Dave Bittner:

Yeah. It strikes me that part of what could be going on here, and let me know if I'm off base here, is a velocity mismatch, where things are changing very quickly when it comes to the bad guys out there. They're adapting and evolving and finding new ways to come at cities and towns and individuals, but municipalities, they run at a different pace. Their budget cycles are different, and it's harder for them to be nimble.

Margaret Byrnes:

That is absolutely correct. You know, here in New Hampshire, municipalities budget for an entire year. The towns, most of our towns still operate on a town meeting government style, which for those of us who don't live in New England or haven't spent any time in New England, our communities still, the voters still come out once a year and they vote on everything. Not just who to elect, but they vote on budgets, they vote on projects, and that means that that process is slower, and not only is it slower, but there has to be a level of buy-in from your residents.

So if, for example, a town manager recommends to his or her select board or town council that we enter into this new contract with this service provider, it's going to cost X amount of additional dollars that are going to have to be put in our budget, well then they have to generally be able to explain to the public why those additional dollars are necessary, what the benefit is, and why this has to happen, and that is a slow and steady process as well. And it's not the only thing that they're trying to sell to their voters, right? There are road projects and bridge projects, and you need to build a new public safety building. So this cost, this expense is just part of a really big picture of things that they're trying to balance out and balance out in their budget.

Joe Howland:

Yeah. And I will add to that as well. Definitely we see the local government moving slowly because of their budgets. Well, that is a major component of it, and we also see that that local government frequently is a, "I want to see other people in my community do it first, before I embrace it." So that slows the progress down even more, because in a lot of cases, especially when it comes to new technologies and emerging technologies, they don't want to be the first one on board. They don't want to invest those precious dollars in something that isn't yet proven. So they're waiting for another organization, another state agency, somebody else locally to adopt something so they can see, "How does that work? Okay. It's seeing benefits, so now we'll go ahead and adopt that for ourselves," but that slows that cycle down even more.

Dave Bittner:

Now, Margaret, in terms of your organization and your lobbying function, are you going to your state, are you going to the feds to say, "Hey, this is something that we need some help with?" Either providing us with resources, or funding, or education? Is that a component as well?

Margaret Byrnes:

Absolutely. One of the bells that we ring every legislative session, no matter what we're really talking about for municipalities, is funding and assistance with all of the things that they have to do and the costs that are borne on municipalities, and security, information security, that's no different. We are aware that at the federal level, there is some activity to try to provide funding back to the states and the local governments to support better cybersecurity practices, which of course is a great thing to hear and we hope that that happens.

On the state level, NHMA actually is looking to partner with the state and other entities in New Hampshire that provide support and education to municipalities, to start bringing some education directly to towns and cities in this area. As far as legislation goes, however, it's important that we don't end up with a knee-jerk reaction to the situations that have occurred, and that we don't get one-size-fits-all mandated security requirements for all municipalities, because every town and city is different, and we see an opportunity for education, for leadership, for funding assistance, and not one-size-fits-all mandates that probably will not fix the issue, and that will miss things, if we just try to look at every town and city as being the same. So we wouldn't want to see that happen, but we would like to see more leadership, more education and funding opportunities to assist municipalities.

Dave Bittner:

You know, certainly in the news lately we've heard many stories about ransomware and municipalities having to deal with ransomware. What's the reality of that on the ground? Is that a shadow that hangs over smaller towns, or towns of all sizes? What's your interaction with that?

Joe Howland:

Most definitely that is hanging over towns of all sizes. I frequently talk to customers that say, "Well, we're too small. Nobody's going to care about us. Nobody's going to attack us." But what they don't understand is that ransomware frequently, it's an attack of opportunity. There is a campaign out, "I'm going to send something out there. I'm going to see who will click on a link. I'm going to scan the internet and I'm going to find an open firewall, an open port, an open service, and I'm going to attack it." They aren't considering ... They aren't looking at the size of the municipality, how sophisticated that municipality is. That's not the thought process that's going into the attacks. It's simply, "Here's a target. I've got an avenue in. I've gotten a user to click on a link and do something that gives me access to the environment, so now I'm going to do what damage I can and ask for money in return."

It's certainly not something that is targeting only the Baltimores and the Atlantas. As we have seen recently, there have been many smaller municipalities attacked with ransomware, and frequently they are the least well equipped to actually handle and respond to those attacks. So yes. It is hanging over everybody.

Margaret Byrnes:

And it has happened here in New Hampshire. Some of the small towns, small town police departments, school districts. There have been attacks even here in New Hampshire, and they don't get the big press probably because they don't have the big dollars attached to them that some of the big cities have, with the amount of money that has to be paid back, or with how big of an impact it has. We haven't seen trains shut down and water systems shut down, but they have happened here in New Hampshire. So I don't think any state or municipality is immune from the issue.

Joe Howland:

Yep. 100 percent.

Dave Bittner:

I want to touch on threat intelligence briefly, because that is one of the topics that we cover here, and I wanted to get your take. Joe, why don't we start with you? What part do you think threat intelligence plays when it comes to equipping cities and municipalities to better defend themselves?

Joe Howland:

Well, it's certainly important. Certainly threat intelligence is going to add layers to the security models and layers to the frameworks that every organization, municipality or not municipality, government, not government, need to be putting in place to help prevent attacks and to defend themselves. So it is critically important.

However, I will say, again, coming back to the municipal space, I find that the threat intelligence platforms tend to be on the pricier side, and so I'm not going to find a lot of small municipalities that are going to go out and invest in the threat intelligence platforms that are really going to come in and make a difference, when there are smaller things, smaller steps they can take in the short term that will start them down that path. Doesn't mean they won't end up there a year or two years from now, but that's probably not where they're going to start.

They're going to start with training their users, making sure their firewalls are locked down, multi-factor authentication. Some of these really basic concepts that I think corporations have adopted for the past several years, we're now starting to see penetration in the municipalities, and we're starting to see that's where we're starting to make some traction and some headway on their security posture. Threat intelligence is important, very important, but I feel like that's going to be a longer play in the municipal space.

Dave Bittner:

Margaret, are there opportunities or have there been explorations of some of these localities teaming up, ganging up, pooling their resources to try to come at some of these issues?

Margaret Byrnes:

That's an interesting question, and I'm not aware here in New Hampshire of municipalities teaming up to attack the issue, although I will say that one of the things that New Hampshire municipalities have the ability to do is to enter into something that's called an intergovernmental agreement, so they can agree with other municipalities to do something jointly or provide a service jointly, and you will sometimes see that. You will often see that with emergency services, multiple towns coming together to provide emergency services, and you may also see it with sharing administrative services or administrative offices. Multiple towns or a couple towns in a school district will jointly provide that. So it's possible that that could be a way to handle it here in New Hampshire. In effect, I don't know whether that would be a better solution, or if towns and cities really have to assess, each one has to really assess itself and make the right judgments for its own makeup and needs. I don't know what Joe thinks of that.

Joe Howland:

That actually is a great point, and there are states where we have seen at a state-wide level threat intelligence platforms get deployed and be offered to the municipalities. Again, back to the lack of understanding and a lack of education, sometimes they have difficulty even embracing those platforms or taking advantage of those things that are out there for them, because they don't understand them, they don't realize they need them, but we are starting to see some traction in certain states where those platforms have been put in place by a central authority within the state and made available to the municipalities. And when we can really see that and we can see, "Hey, here is something being offered to you that you can take advantage of, that costs you nothing or virtually nothing and gives you a huge layer of protection," then we are starting to see them jump on board.

Dave Bittner:

Where do you think things are headed? For organizations like yours, Margaret, is the range of services that you see yourself providing for municipalities, is that going to expand to increase more of a focus on cybersecurity, or what do you see in the future?

Margaret Byrnes:

That's a great question, and I'm not sure whether I see our municipal association directly providing that service, but what I do see is us being part of the leadership and solution in helping municipalities get the right education and the right information, and that includes our association working with others, such as the state, such as our risk pool here in New Hampshire that provides services to municipalities as well as working with third-party providers and consultants who are in the municipal world and provide services to municipalities.

I see that role for the municipal association, but because this is such a specialized area in the sense that the knowledge needs to be correct, the people who are providing the information need to have the correct information and need to be on the cutting edge of what's happening, that it's better for us to serve as a resource to help municipalities get what they need.

You know, governments are subject to Freedom of Information law, so at the federal level, the federal government is subject to FOIA, the Freedom of Information Act, and every state has its own form of that, that governs the state and that governs towns and cities and counties and other governments within the state. Here in New Hampshire, we have the Right to Know Law. It's RSA chapter 91-A, and basically the concept is that records and documents of a municipality and a local government and the state as well as meetings are open to the public, and there are of course exceptions. There are things that are not open to the public, but because the majority of what towns and cities do is public information, that presents a different challenge that private companies and entities don't have to deal with.

Municipalities have their information out there in the world, who they contract with, who their employees are, their email addresses, because they're supposed to be open and accessible to the public and that can make them even more vulnerable. So they're complying with open records and meetings laws, but at the same time they are making themselves vulnerable.

Joe Howland:

Yeah, and I wholly agree with that. That is a unique security challenge that local governments face. There is so much information that is available to the attackers easily and readily available that they can construct very compelling attacks against the local government. I can go online and I can find out, Concord, New Hampshire, as I'm just going to pick as an example, I can find out who their contracts are with. Do they have an IT services provider? Who are they working with on construction projects? What do those contracts look like? Who are the points of contact with those contracts? And with all of that information available to me, I can make very specific and targeted attacks that are extremely compelling for somebody to fall for. We just saw that all the way down in Naples, Florida. I think that's a perfect example of an attack that was very specific to, "I know who the contractor is. I know the dollar amounts that are involved. I know who the points of contact are, so now I can be very creative and clever in how I go after and use that information to go after that municipality."

Dave Bittner:

Our thanks to Margaret Byrnes from the New Hampshire Municipal Association and Joe Howland from VC3 for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.
