Agencies Must Protect ‘Crown Jewels’ from Cyber Attacks

State and local governments may not have a lot of money to spend on the personnel and expertise needed to combat the eventual attacks. Unfortunately, some agencies are lacking even when it comes to the basics of cyberdefense.

Organizations that are not taking all the precautions they can to protect themselves from cyber threats should remember that it’s a case of “not if, but when” a threat actor will compromise your agency.

That “when” came recently for the city of Dallas’ 911 system, along with other city services, and still had officials scrambling to normalize the situation six days later. The ransomware attack shut down the city’s 911 computer-aided dispatch system, forcing first responders to rely on radio dispatch.

Dallas Police Chief Eddie Garcia was one of the few public officials to speak about the incident. “It’s been extremely difficult for our men and women. Again, they rise to the level of expectations that our entire community should appreciate,” he told a local FOX affiliate. “Technology is not foolproof. We’re still answering the call, putting our lives on the line.”

It’s true, technology is not foolproof, and some agencies will be more of a target than others.

State and local entities may be more vulnerable than, say, federal government agencies because there are more of them, and they supply more targets. Plus, public-sector systems like 911 are likely to have some discretionary funding available to pay a ransom.

But conversely, state and local governments often don’t have a lot of money to spend on the personnel and expertise they might need to combat the eventual attacks. Unfortunately, some agencies are lacking even when it comes to the basics of cyber defense. And often when a 911 call center is hacked, it’s because they are connected to a municipal network where the bad actors gain access and then attack the 911 system.

“Oftentimes the things that are really vulnerable are the computer-aided dispatch systems and other ancillary resources that the 911 center uses,” said April Heinze, 911 and PSAP operations director for the National Emergency Number Association.

Heinze said it’s critical that the municipality, and all the agencies connected to it, practice good cyber hygiene, and “not just cyber hygiene, but the training on cyber hygiene because there are so many times that our network vulnerabilities come through someone clicking on the wrong email or link.”

Once you’ve been hacked there are a few choices for how to get back online: You could pay the ransom; you could reboot, start from scratch and rebuild the system; or you could remove those systems that have been compromised and restore them from backups.

Although it may not be possible to prevent all attacks, it’s critical to take precautions that make it harder for a threat actor to enter a system. The bad guys are looking for “open windows” that make it easier to get in, and if a window isn’t ajar they’ll likely go elsewhere to find an easier target.

For some organizations, that simply means tending to the basics, which some still fail to do. That may mean employing “zero trust” or “least privilege” strategies, which limit the number of people who have access to critical infrastructure or applications, and training and educating those few who do.

“Really, just the people that need to have access to systems or infrastructure should have access,” said Brandon Shopp, Group VP of Product for SolarWinds. “Don’t take the easier way and give everyone access to an application or resource on a server.”

Shopp said training and education is something that organizations really need to step up as well, especially as more people work outside of the firewall of the office and at home on their own cable provider’s Internet. “That provides more potential risk points,” Shopp said.

SolarWinds had firsthand experience in late 2020 as the victim of attackers, who deployed malicious code into the company's Orion network management software that is used by government agencies around the world.

“What we found through the years is organizations and agencies still struggle with the basics in a lot of cases,” Shopp said. “And I mean basics like backing up systems, patching systems, things that have been around and organizations know and have known for years they need to be doing.”

If an organization, for whatever reason, can’t keep up with the basics and keep employees in check, it can outsource security to a managed security service provider. “It’s basically outsourcing your cyber needs or augmenting existing cyber teams with an external team,” Shopp said.

In any case, an organization may not prevent all attacks, so it should try to focus on protecting the organization’s “crown jewels,” its most valuable assets.

“A city, say, needs to identify what are my critical services, my crown jewels, what are the things that I want to protect at all costs,” Shopp said. “That’s where you take the zero trust and start to build up layers of protection around those crown jewels.”

*This story originally appeared in Government Technology, sister publication to Industry Insider — Texas.
Jim McKay is the editor of Emergency Management and on the Government Technology editorial team.