The local delegation campaigns for cybersecurity
Members of the local Tewksbury delegation, including State Senator Barry Finegold and Selectman James Mackey, participated in the inaugural hearing of the Joint Committee on Advanced Information Technology, Internet and Cybersecurity on September 8, 2021.
State and local officials, tech company executives and cyber policy experts from academia came together virtually to share their experiences and advice on moving Commonwealth towns and villages forward in the fight to stay ahead of cybercriminals.
Several major cyberattacks have recently taken place in municipalities in Massachusetts and across the country. The hearing focused on securing legislative support to strengthen cybersecurity preparedness and resilience at local, state and regional levels.
Finegold said, “Massachusetts needs to get ahead of the curve and become a leader in cybersecurity. Over the past year, dangerous cyber attacks have disrupted critical infrastructure, healthcare organizations, city governments, school districts and local businesses. Unfortunately, this problem will not go away: criminals are successful and find new ways to commit crimes online.”
Finegold referred to the most recent attack on the state’s automatic inspection system, which was shut down for three weeks due to a malware attack. Cybercrime represents hundreds of millions of dollars in losses to consumers, businesses and municipalities every year.
Finegold co-chairs the committee with Representative Linda Dean Campbell from Methuen. The three-hour public hearing covered many topics, highlighting agencies already in place that have worked regularly to create plans for municipalities, schools, and public safety organizations to implement and standards to follow.
Stephanie Helm, Director of the MassCyberCenter, discussed a toolkit for municipalities that includes state and federal resources for funding training and implementing a base of cybersecurity measures. Further efforts include working with local colleges and universities to develop cybersecurity talent.
Geoff Beckwith of the Massachusetts Municipal Association discussed ransomware attacks targeting towns and villages; nearly 45 percent of all attacks nationwide target medium and small communities. Beckwith said the disruption that a ransomware attack can cause to a town or city and the services it provides leaves communities vulnerable.
Tewksbury Selectman James Mackey spoke at the hearing. Mackey is a senior security engineer and cyber expert. As an Army veteran, Mackey has helped lead cyber operations activities for the National Guard for the past three years in regional and FEMA-level exercises.
Regarding cybercriminals, Mackey said, “It’s not that they build a better mousetrap; they throw everything up against the wall and try to see what sticks,” suggesting that cybercriminals attack known vulnerabilities and exploit them.
Mackey cited Tewksbury’s plan for a proactive, triage-first process. A first step was evaluating the city’s “handy results” for changes that can be made at little or no cost, including encryption policies, acceptable use policies, password policies and fixes.
Mackey said the city is working on the MassCyberCenter four-point minimum base plan, with an eye on the Department of Homeland Security’s Voluntary Critical Infrastructure (C3) Cybercommunity Program, and the ultimate goal of being a NIST certified community.
The National Institute of Standards and Technology (NIST) Cyber Security Framework is a voluntary framework developed by industry to help organizations manage and improve their management of cybersecurity risks. Mackey said problems come into play on the detection front, a costly process.
Mackey thought the resources of the Mass Cyber Consortium, which he called “observers”, were very exciting.
“You may have the most expensive firewall or endpoint protection, but if no one is looking at your logs, it doesn’t matter,” Mackey said.
He urged lawmakers to be flexible and not too granular in developing plans and policies.
“One size does not fit all and we need alternative paths.”
Beckwith pointed out that some communities in Massachusetts still do not have broadband. Beckwith also raised the issue of developing preparedness while working to protect this information through the Public Records Act, and of creating exceptions to protect municipalities when they work through policies, regulations, best practices and frameworks, so as not to expose information that could create an opening for criminals as a community seeks to “catch up” and strengthen its security infrastructure.
Executives from Google, Microsoft, VMware and Comcast discussed industry insights and the steps these organizations are taking to identify “bad actors” and “contain threats”. The directors shared their appreciation for participating in the discussion and all agreed that in addition to technological improvements at the local level, training and workforce development will be key factors in the fight against cyber threats in the future.
The protection of the physical systems that support the computer networks in a city or town, including the protection of climate resilience, was also discussed. The “hardening” of the infrastructure and its protection against floods, heat, power cuts, etc. are as necessary as the software used.
Tom Kellerman of VMware said: “The end goal [of these attacks] is to use the infrastructure to attack the constituency. Don’t limit the lens to a supplier issue or a supply chain issue.”
Experts from Tufts University, Harvard University, Lincoln Labs at MIT and Boston University discussed the importance for the Commonwealth of tracking cyberattack data in a more formal and organized way.
“We need to know how many ransomware attacks there have been, who paid the ransom, what cryptocurrency wallet address was paid to, etc. University degree and School of Engineering Tufts.
Data loss prevention technology was suggested by Jeff Gottshalk, deputy chief of the cybersecurity and information services division at MIT’s Lincoln Laboratory.
“You don’t want the data the Commonwealth holds in the public trust to become weapons,” Gottshalk said.
The committee will come back and review the expert information presented and determine its next steps.