Municipal CISOs grapple with challenges as cyber threats soar

On February 10, the City of Oakland, California, announced it had been hit by a ransomware attack that knocked many of its systems offline. Four days later, Oakland declared a state of emergency as it grappled with the wide-ranging impact of the incident, which left city phone systems and multiple non-emergency services inoperable, including its 311 phone system. As of February 24, many city services were still down, including the 311 system, just as a severe winter storm bore down on the area.

Many city services stayed down for weeks, including the 311 system, just as a severe winter storm bore down on the area, although the city announced on February 28 that 311 and several other services were restored. The Play ransomware group, which security researchers have linked to the Russia-backed Hive gang, has taken credit for the attack and has begun releasing data stolen during the incident. Earlier this year, the Justice Department announced a major take-down of Hive’s operations.

The ransomware attack on Oakland followed a string of ransomware attacks on local governments in recent years, including incidents in Baltimore, New Orleans, Pensacola, Atlanta, and New Orleans. Many other incidents have involved smaller cities or counties.

The ongoing cybersecurity attacks against local governments highlight the challenges that municipal CISOs face in protecting a broad range of diverse services, from publicly owned hospitals to trash collection to subway systems. The challenges municipal CISOs are dealing with also involve differing and potentially overlapping regulations, politics — both local and geopolitical — and workforce shortages while dealing with budgetary constraints.

Diversity of systems to protect is unparalleled

One of the biggest challenges municipal CISOs face is the sheer range of services that local governments need to factor into their cybersecurity plans and policies. “The diversity of our business services and the corresponding diversity of systems is unparalleled in that no organization does what our municipal government does,” Michael Makstman, CISO for the City and County of San Francisco and co-chair of the Coalition of City CISOs, tells CSO.

“We fly planes, we pave roads, we provide public safety services,” Makstman says. “We operate one of the largest, if not the largest, trauma centers on the West Coast. We support many legal professionals for some of the largest legal firms in the country. At the same time, we make sure that vulnerable populations have access to food and care. We have an outstanding municipal transportation network. We have buses and subways and our world-famous cable car.”

Michael Hamilton, founder and CISO at Critical Insight, former CISO for the City of Seattle, and founder and chair of the Public Infrastructure Security Cyber Education System (PISCES) underscores the challenges of managing such a diversity of services. “Government is a collection of agencies,” he tells CSO. “The influence that you have to have as a city CISO is to be able to jump across agencies. The human services department will have health records; the treasury departments will be concerned with credit card payments.”

“I think from a county CISO perspective, the challenges are going to be the different lines of business because they’re very complex and unique in nature,” Jeffrey Aguilar, Los Angeles County CISO, tells CSO. “And what comes with that is unique business requirements, different legislative requirements, and different regulations. And with the different types of legislation and regulations, there is the potential for different types of attack surfaces.”

Regulations vary widely

Regarding the regulatory environment, CISOs must navigate a welter of federal, state, and local regulations and laws. “Healthcare with HIPAA, it’s different from law enforcement with CJIS [Criminal Justice Information Services],” Aguilar says. “There’s potential for overlap because with legislation and for some of the requirements, there is some overlap. How do you apply that to these unique lines of business without creating risk and disrupting business?”

“You have to understand the various regulatory requirements that only apply to each piece of the organization, each agency in that federation,” Hamilton says. “You almost have to create a specific policy for every agency depending on what the regulatory requirements may be, and then the global policy for everybody in the entire city organization, and doing that well, finessing that is really hard because of all those moving parts and the criticality of all that.”

Many regulatory requirements flow down from the federal government, with local municipalities required to implement them. The EPA has sector-specific requirements for water companies, for example, and the TSA has national regulations for transportation systems. “When they come out, and they say you will do a risk assessment annually against the NIST Cybersecurity Framework, the CISO has got to make sure that gets done ultimately because that’s a city agency,” Hamilton says. “The CISO is accountable for that. So, you have to either delegate that or you have got to do it.”

Cities ideal targets for geopolitical threat actors

Not all the challenges local governments face start at the local or even national levels. . As the Oakland attack illustrates, municipal governments have become prime targets for ransomware actors and geopolitical threat groups.

Last March, the FBI issued a private industry notification that threat actors are “conducting ransomware attacks on local government agencies that have resulted in disrupted operational services, risks to public safety, and financial losses.” In December 2022, the city of Mount Vernon, Ohio, was hit by a ransomware attack attributed to the notorious Russia-backed LockBit gang.

“The challenges that we have is that we are targets of criminals as local governments in the United States as well as nation-states, many of whom don’t differentiate local government services from the policies of the federal government,” Makstman says. “So, we fall under this government broad brush, even though we do not come close to DC and their policies. Yet we’re targeted because we’re seeing that an attack against a local government is somehow an attack against the United States. And in fact, from what I understand from some of our intelligence folks is that we are all this unfortunate perfect target. We are small enough that we’re a convenient target that might not lead to a giant response from the federal government.”

Aguilar advises municipal CISOs to pay attention to geopolitical issues from a local jurisdiction perspective. “The implications exist, especially if the jurisdiction deals with things like elections,” he says.

Municipal CISOs need to be aware of local politics

CISOs of municipal organizations of all sizes are required to deftly handle the politics of the governments they serve and the individual service providers themselves, Hamilton says. CISOs are not always welcomed into agencies that do not directly employ them. “It is the politics of ‘I’m jumping into your agency and telling you what to do’ even though I’m not an employee of Seattle Public Utilities or Seattle City Light, and that’s just not very welcome.”

Politics are fundamental when it comes to getting the funds CISOs need. “That’s part of the politics of getting stuff done, knowing where the money is and knowing how to create a value proposition so that somebody will bust out the checkbook, so you can get done what you need to get done,” Hamilton says.

“So, if you want to buy monitoring tools, what do you do? Well, you go to the utilities, where they are much better funded and have a different funding mechanism. [You say to them] it’s a requirement for you to be doing this, and if you pay for this thing, we will set it up and run it for the benefit of the city because we’re all connected here.”

Munish Walther-Puri, senior director of critical infrastructure at Exiger and former director of cyber risk for New York City’s Cyber Command, suggests it is helpful to position cybersecurity as a public safety issue when seeking funding. “If we start to think about cybersecurity as a public safety issue, some of the debates melt away about who’s going to fund it,” he tells CSO.

“We had Atlanta, Baltimore, and New Orleans where people understood these are public safety issues. Watching that debate emerge crystallized the clarity around that. No one said, ‘Oh yeah, no municipality should fund this.'”

Tough for local government to attract cybersecurity talent

Resource-constrained municipalities find it hard to compete for cybersecurity talent with the private sector, which also faces a shortage of qualified professionals. “Compared to the industry, our teams are significantly smaller. In fact, security as an area of focus is new to local government,” Makstman says.

“To get somebody with the acumen to navigate the politics and the regulatory environment, you’re talking about somebody that’s probably not going to work for what they’re paying at a local government,” says Hamilton. “The value proposition of going to work for a city or a county is in 20 years. You get a pension, and you sure have a whole lot of days off. But with practitioners being in such short supply, local governments are just not a destination that anybody thinks of.”

Aguilar thinks one strategy to attract talent is to find mission-driven candidates. “I think the resource challenge regarding security, especially with public service, is the fact that there is just a national shortage of infosec professionals, and the public sector is competing against the private sector,” he says. “How do you attract talent versus private sector organizations that can offer a very lucrative bonus structure and overall package? I think it’s trying to identify who is mission-driven and make it interesting and challenging enough so they see the opportunity and they want to work for these types of organizations.”