SOUTH HADLEY — At a recent meeting of South Hadley’s Select Board, the town’s Appropriations Committee brought up what might have seemed like a dull topic: liability insurance.
But the rising insurance premiums that the committee asked about point to an urgent problem that cities and towns across the state are grappling with: potential cyber attacks from hackers looking to lock up municipal data in order to extract a ransom. Such “ransomware” attacks have reached “pandemic” levels, some experts have warned, as municipalities grapple with the increasing likelihood that their systems will be the next that hackers will breach.
“It really isn’t a reflection on South Hadley,” Town Administrator Michael Sullivan said in an interview, noting the town has boosted its cybersecurity insurance coverage, doubling premiums up to $32,000 annually. “It’s a reflection on where we’re at in America right now.”
Cybersecurity isn’t the only reason South Hadley’s liability insurance costs have gone up; the cost of police indemnification has also risen for municipalities, Sullivan said. But when it comes to preparing for the possibility of getting hacked, South Hadley is far from alone. Municipalities across the region are trying to improve their own cybersecurity as hackers grow bolder and more sophisticated.
“The incidents of hacking, of breaches, of attacks, it’s just way way up,” said Geoffrey Beckwith, the executive director and CEO of the Massachusetts Municipal Association. Those attacks aren’t just happening in Massachusetts, but worldwide, he said.
Given that reality, some municipalities have increased their cybersecurity insurance — if they can. Beckwith said that many insurance companies have pulled back on the cybersecurity coverage options they offer, given the significantly increased risk of being hacked. Other cities and towns are undertaking significant efforts to update their digital infrastructure and training to prevent attacks from happening in the first place.
In Easthampton, the city is doing both, expanding its insurance coverage but also investing in fixing vulnerabilities by updating its hardware and software. Mayor Nicole LaChapelle said that the city’s digital infrastructure is just as important as what people typically think of as “infrastructure” — the city’s roads and what’s underneath them — but doesn’t get nearly as much attention.
“Funding for those systems is woefully inadequate,” LaChapelle said.
She said the city will be spending hundreds of thousands of dollars in the next five years to upgrade all of its systems. That work is vitally important, she added.
In the basement of Easthampton’s Municipal Building on Monday, the city’s tech staff stood in front of some of the servers that the city uses to store data. Karin Moyano Camihort, the city’s IT director, explained that officials have determined what needs to be revamped in order to provide city residents with better service — seeing their water consumption when they pay their bill online, for example — and to combat cyber attacks.
“That costs money,” Moyano Camihort said. “But the cost of having an attack is far greater.”
And those attacks are far more common than you think for municipalities, said Noah DuBoff, the city’s computer technician.
“Constantly we’re being attacked,” DuBoff said. None of those attacks have been successful in Easthampton yet, but there have been examples of public entities being hacked in recent years in western Massachusetts.
Chicopee Public Schools was hit by a ransomware attack in 2019, for example, and Sullivan revealed that South Hadley’s Fire District 1 — which is separate from the town — was hit by a similar attack in recent years.
Stephanie Helm, the director of the state’s quasi-public MassCyberCenter, said municipalities and other institutions that provide people vital services — health care systems and schools, for example — are at increased risk of facing an attack from hackers who suspect they’ll be more likely to pay a ransom to get those services running again quickly.
“They know that there’s an incentive for municipalities to play ball, so to speak, if they get caught in a ransomware attack,” Helm said. A career naval officer who held leadership roles in cyberspace and information operations, Helm said municipalities can also suffer from resource constraints when it comes to updating systems.
The state launched the MassCyberCenter, which is part of the Mass Tech Collaborative, in 2017. The organization provides resources to organizations, including municipalities, to support their cyber resiliency. Helm said that begins with developing a plan for when an attack happens. Such plans allow organizations to save valuable time knowing what they will do to “get out from underneath” a cyber attack instead of paying the ransom.
The state also has provided grant programs for training through its Executive Office of Technology Services and Security. Moyano Camihort said Easthampton went through one of those trainings, which taught employees how to avoid opening the city up to an attack by falling for an email-based “phishing attack,” which accounts for the vast majority of all attacks they see. Those kinds of efforts need to happen on a regular basis, though, Moyano Camihort said.
For Helm, cybersecurity concerns need to garner far more attention from municipalities.
“I really think for years this has been considered the IT problem, and I think the way the cyber threat has really become very professional and very deadly in terms of efficiency and focusing on hitting us where it hurts, I think this is a leadership issue for town leadership,” she said. “We really need mayors and town managers to really get on board with the potential that cyber security can be a disaster if it hits your town.”
Helm said municipal leaders should be speaking about cybersecurity in public, promoting what their city is doing to be more resilient and what the public can do to help.
In Easthampton, LaChapelle said that the city has worked hard to improve its own systems, but that more help is needed.
“One major thing I’d love to see from the state, the federal government, would be help offsetting the financial cost of putting all your docs in the cloud,” she said. “It can be thousands of dollars a month to do that, but it’s the safest way to do it.”
The stakes couldn’t be higher for cities and towns, particularly in an era when so much of a municipality’s services rely on its digital infrastructure.
“It’s not if it’s going to happen, it’s when,” Moyano Camihort said.
Dusty Christensen can be reached at email@example.com.