In the early morning hours of January 10, the Lower Connecticut River Valley Council of Governments in Essex was hit with a ransomware attack that left their files encrypted with a demand to pay a foreign attacker. The agency’s work was “severely impeded,” according to Executive Director Sam Gold, because computers left on at the time were rendered inoperable and staff access to email was lost.
Gold said that his agency does not currently have an estimate on the total costs of the attack, but said he “would not be surprised if the ultimate costs are close to $100,000” after counting the damage and time that staff spent making repairs.
“When you pay a ransom the hackers do not just turn on your system,” Gold said. “They provide you a key that IT professionals use to decrypt your files. This key does not come with instructions and takes a lot of time. Copies of all the encrypted files must be made, to ensure that if there is a problem with decryption you can go back. Once the decryption was completed and we recovered the vast majority of our files and email, everything was reset and installed new on new hard drives.”
Gold said that RiverCOG followed cyber attack protocols provided by the State Department of Emergency Management and Homeland Security; notified the council’s member towns; contacted DEMHS and state police, and began work with their insurance carrier. Given the financial costs, Gold emphasized just how important it is for towns and government agencies to have cybersecurity insurance policies.
Although RiverCOG temporarily lost access to the data, Gold told members of RiverCOG at their February meeting that there was no evidence that any data had been stolen by the attackers.
In recent years, news outlets across Connecticut have reported on similar attacks on governments and schools in Colchester, Hamden, New Haven, Pomfret, West Haven, and Wolcott — by no means a complete list.
When it comes to cyber security for towns and local agencies, Connecticut’s Chief Information Officer Mark Raymond said, “By far the [greatest] challenge is qualified resources and budget. They often have one part-time tech person if [they’re] small, and [that job] may be administrative in nature and not really a deep cyber professional, yet the threats that they face are often far more advanced than the skills that we can bring to bear.”
Resources and Challenges for Local Cybersecurity
In a March 5 phone interview, Raymond explained that the common cyber threats facing Connecticut’s towns and cities are ransomware attacks, efforts to steal or destroy town data, actual theft of money, and denial of service attacks — which he described as “electronic traffic jams” that block access to a website, payment system, or other applications.
Raymond said that in 2019, officials had faced 988 attempted denial of service attacks on the Connecticut Education Network, which provides internet for all Connecticut’s schools, most of its municipalities, as well as some libraries and universities. Raymond said that the state had already seen over 200 such attacks since the beginning of this year.
“The simple business email compromise — ‘I’m the mayor, please send money to the following address’ — is still prevalent and people are using social engineering techniques to get people to hand over taxpayer dollars,” said Raymond.
“Cybersecurity is a risk management discipline, just like insurance and other kinds of risk management protocols,” he said.
Raymond said that there are direct financial costs to taxpayers from breaches in cybersecurity: the costs of paid ransom, damage to equipment, direct theft of taxpayer dollars, and the multiple operational losses that come from loss of data.
“Police, fire, all of those are critical town services that could be devastated by an unexpected financial loss, and then there’s the really difficult to quantify… Think about lost [police] body cam data that I can’t get back so you may have a criminal go free.”
In its 2019 Internet Crime Report, the FBI estimated that all reported cybercrime in Connecticut (not just for governments) resulted in a total loss of $33.78 million in 2019, putting Connecticut at the 22nd highest among U.S. states and territories.
The state offers template protocols and strategies related to cybersecurity for individuals, businesses, and governments, Raymond said. The federal Department of Homeland Security also has a more extensive set of guidance for state, local, tribal, and regional governments.
Raymond said that the state has also received federal funds that have been used to create training programs for municipal government.
In the past year and a half, Connecticut has created plans and conducted drills to muster state emergency services in the case that a town or school suffers a major cyber attack, but Raymond said that these plans have not yet been put into action.
“If it’s happening in a town and overwhelms their ability, we can activate the state’s emergency response framework just like for a snow storm or hurricane,” he said, “and we’re set to provide emergency management assistance as well.”
Voting Machines Aren’t Connected to the Internet, but Voter Files and Reporting Systems are
Deputy Secretary of the State Scott Bates, a member of the Connecticut Cybersecurity Task Force for the state’s elections, said in a March 3 interview that the state’s actual voting machines are not connected to the internet, but Connecticut’s voter registration files and the Secretary of State’s reporting systems are connected to the internet.
“Small towns need to have as high a quality [cybersecurity] as the largest city in Connecticut because when it comes to cybersecurity you’re only as strong as your weakest link,” Bates said. “So for example, to protect our statewide network and voter files we’ve got to make sure each town is as protected as the next.”
According to Raymond, Connecticut’s voting systems have a robust security system, but malicious attackers could seek to “sow discord” and “undermine confidence” in elections’ validity by spreading disinformation through social media.
Bates said that Connecticut was one of 21 states during the 2016 elections that the federal government identified as having been probed by Russian security services for vulnerabilities in their elections systems.
“We turned them back successfully,” Bates said, “but we’ve had briefings that this threat is ongoing and persistent from malicious foreign actors.”
Over the past year, Connecticut has received about $5 million from the federal government to strengthen its election systems under the Help America Vote Act, passed in 2002. The state is set to receive an additional $5 million under the same act
“We’re putting that to work and that’s directly benefiting towns in the sense that we are putting in secure networks” and working directly with town registrars of voters, Bates said.
The state legislature’s Public Safety and Security Committee is also considering legislation that would create a cybersecurity task force to increase coordination between different government agencies.
Bates said that the governor’s package sent to the legislature this session calls for an additional state-level cybersecurity specialist who could share expertise with municipalities.
Raymond also added that the legislature is considering updating reporting requirements for towns regarding cybersecurity. He noted that many governments could be rightly hesitant to share information that deals with their security, but he encouraged towns to report breaches to the Connecticut Intelligence Center Unit (CTIC).
Municipalities are required by law to report to the IRS if they think tax data is compromised and certain other breaches have to be reported to the State Attorney General, but Raymond said that gaps in current reporting requirements somewhat limit the state’s understanding of what towns face.
“We don’t have great visibility into what’s happening at the municipal level,” Raymond said. “Obviously, on behalf of state agencies we have a really good view on what that looks like, but municipalities are often on their own from their technology perspective.”
Most Breaches Begin with Human Error
Joseph DeLuise, director of information technology for the Connecticut Conference of Municipalities (CCM) and the Connecticut Interlocal Risk Management Agency (CIRMA), said that education for public sector employees is critical for cybersecurity defense.
He said the overwhelming majority of cybersecurity breaches at government agencies begin with an employee falling prey to a phishing scam — clicking on a dangerous link, entering their password into a fake login screen, or otherwise inadvertently giving a malicious actor access to the system.
“Most breaches are the result of human error,” DeLuise said. “It wasn’t a brute force attack. It was someone making a mistake at the keyboard.”
DeLuise frequently gives workshops to CCM member towns on cybersecurity, during which he said awareness of email threats is one of his greatest focuses.
CIRMA also offers insurance plans for most of the state’s municipalities to provide cybersecurity coverage, DeLuise said.
DeLuise said that the federal government, through a department of the Cybersecurity and Infrastructure Security Agency (CISA) also offers cybersecurity defenses at no charge to local agencies.
A Shortage of Professionals
An additional problem for town defenses on cybersecurity is a shortage of trained cybersecurity professionals. Raymond said that he had seen reports of over 3,000 unfilled jobs in cybersecurity, and DeLuise noted that town governments could be competing with large companies in the private sector for a small pool of applicants.
That shortage is “particularly acute in Connecticut, but it’s not a problem that’s unique to Connecticut,” DeLuise said. “It’s an issue we do have, which makes it even more difficult for municipalities to get access to those issues.”
Raymond said that Connecticut’s councils of government, state agencies, and the Connecticut chapter of the Association of Government IT Leaders (GMIS) have looked for increasing ways to share services between municipalities for cybersecurity.
“The danger,” Raymond said, “is for our elected officials, to say, ‘My tech guys have this and I don’t have to consider it because it’s a technology thing.’ People really do need to understand the value of their data, why people are interested in disrupting what they do, and specifically what we are doing — as a state or as a municipality — to lower our risks, and if we can create those kinds of discussions, that’s going to be the fastest way for us to improve.”