More funds, lessons learned
In November, President Joe Biden signed the $1 trillion Infrastructure Investment and Jobs Act, which included a $1 billion grant program managed by the Federal Emergency Management Agency to help states prevent cyberattacks.
An email from a FEMA spokesperson said the agency will administer these grants and that states and tribal governments will be required to submit a plan outlining how the money will be used to improve cybersecurity. FEMA said it’s up to states to decide how to allocate the funds, but 80% must go to “local units of government” and at least 25% must be set aside for rural communities.
What defines a local government or rural community has not been outlined yet. In addition, the federal Cybersecurity and Infrastructure Security Agency will assist FEMA in creating program goals and reviewing each state’s cybersecurity plan. FEMA’s spokesperson said the grants can help to reduce cybersecurity vulnerabilities and increase capabilities, but noted that organizations cannot use the funds to pay ransoms.
“I’m excited about this [program],” said Beyer of UW’s Cybersecurity Initiative. “We know how vulnerable cities and schools are. Lack of resources is something everyone points to.”
Mike Sprinkle, director of IT with Clark County, has been closely examining the federal grant program and waiting to see how the money will be allocated.
Clark County previously applied for and received over $7 million in federal American Rescue Plan funds to completely overhaul its computer architecture and increase cybersecurity. Sprinkle said the program helped his IT department segment its network to decrease the risk of entire systems being hacked, and to hire a service that provides security monitoring 24/7.
“My big goal has been to make sure that Clark County IT and myself are not in the newspaper,” Sprinkle said with a chuckle, noting that so far the county has prevented an attack.
He noted that while Clark County has an IT staff of about 50, many smaller counties have much smaller IT staffs and could really put the FEMA funds to good use.
Annie Searle, an associate professor at UW’s Information School who focuses on cybersecurity, said small municipalities can take simple steps that do a lot to prevent attacks.
Searle said simply updating software patches and installing all operating system upgrades can make a big difference.
“If those two things were done, perhaps 80% of the problems would go away,” she said.
The Washington State Auditor’s Office has also performed more than 60 free security audits to local governments, school districts, health care systems and tribes since December 2021.
“In those 60 audits, we’ve identified more than 500 critical vulnerabilities,” said Erin Laska, IT security audit manager with the State Auditor’s Office. “And these are really the worst type of weaknesses that can be used to cause a breach.”
Kacoroski, Northshore’s system administrator, said one thing he would advise other organizations to do is create an “air gap” between a system and various external backups of data, such as a tape or USB drive that completely pulls data from the server.
In addition, taking an inventory of the real-world systems, such as cash registers, vehicles or heating controls that could be affected by an attack, can also be helpful, Miedema noted.
“You have all these little systems that you install and it just works and you forget about it — and then everything comes crashing down,” he said.
After its attack, Northshore managed to pay its employees after some tweaking of its systems, but it soon became apparent that many school systems couldn’t function with the computers down. Students couldn’t purchase lunches because cash registers didn’t work. New students couldn’t get assigned bus routes. Heating systems couldn’t be turned up when a cold spell hit.
Even the district’s football scoreboard was affected.
“We have a beautiful football stadium, and it has this great reader board on it. And you’d think that’s not critical,” Kacoroski said. “But the Friday after the attack, ESPN was signed up to put one of our football games on TV. So we had to have that reader board up and running.”
Eventually, his team got the scoreboard working.
Both Kacoroski and Miedema urge small organizations to take the threats seriously and to talk to one another about what they’ve learned.
“We shouldn’t be ashamed of the fact this happened,” Miedema said. “The fact is, school districts and public entities are outgunned in this fight. They really want to hit you, and it’s going to be pretty hard to stop — which is kind of sobering.”
The UW’s Beyer agrees.
“The idea that you’re eventually going to suffer some sort of cyberattack is a better way of thinking about things,” she said. “Thinking about resilience and recovery rather than the idea you can prevent everything. Yes, try not to click on those links. But have a plan for when it does happen.”