By Amanda Drane, The Berkshire Eagle
PITTSFIELD — When it comes to email “phishing,” a kind of covert computer security attack, one Pittsfield official has been known to throw his line in.
But when Chief Information Officer Michael Steben sends such messages, he’s testing whether employees will take the bait.
This is one of the ways Steben hopes to protect the city’s data in the midst of a wave of ransomware attacks against municipal governments nationally. Steben said hundreds of hours have gone into securing Pittsfield’s networks against online hackers.
Steben worked as a security analyst for private industry before coming to the city, into a post created by Mayor Linda Tyer, to oversee technology and cybersecurity as a department head.
“Your organization has to respect security,” he said. “Just because we are nestled here in the Berkshire hills, we are not immune.”
Asked how often the city’s cybersecurity system fends off hacks, he said the question can’t be answered in the scale of a year.
“It’s more like how many times per hour?” he said. “It’s a constant tug of war between the hackers and system administrators. The threat is real.”
As an example, a variant of the “Ryuk” virus blocked access to information on 158 city computers in New Bedford in July, according to media reports. The attacker demanded a bitcoin payment equal to $5.3 million.
New Bedford leaders offered $400,000 from insurance proceeds, but the hacker rebuffed the offer, prompting the city to recover the data on its own.
Though the ransom was not paid, the $5.3 million demand got everybody’s attention, said MassCyberCenter Director Stephanie Helm. As a result of that attention, she said cities and towns in Massachusetts are banding together now to combat the threat.
She said the best advice to municipal leaders is this: “Have a plan.”
Municipalities must recognize the data and digital services that are most important to them, she said.
“Start yourself planning, because you’ll hit a lot of the problems that you need to address,” she said. “It’s a calculation of what do you have at risk. What do I really, no kidding, need to protect?”
According to a recent post from the Massachusetts Municipal Association, whose leaders declined to comment for this story, a ransomware attack disrupted Baltimore’s operations for weeks this year and cost the city millions. Attacks outside Massachusetts prompted cities like Worcester and Boston to bolster their cybersecurity efforts, according to the MMA post; Boston announced the appointment of its first chief information security officer this year.
‘All in this together’
Steben said hackers are coming after municipalities because they are seen as unprepared and vulnerable. He is hoping to host a cybersecurity summit in Berkshire County.
“At the end of the day, we’re really all in this together,” he said.
Data backups cost money, Steben said, and so under-resourced municipalities sometimes don’t pony up, though taking those steps can save grief and dollars later. When hackers hit up a community for ransom after locking officials out of their own data, it puts local officials in a precarious situation.
“It could get really ugly to have a network compromise,” he said, pointing to sensitive materials used by criminal investigators working for Pittsfield.
A sound cybersecurity strategy requires planning, he said. Does it meet user demands? Can we afford it? How safe is it?
Steben said preparedness boils down to balancing network usability with security. The most secure system would run offline, he said, but taking systems offline in 2019 lessens their value.
Steben said security systems should be layered with what are known as “fail-safes.” User accounts in the city run separately from one another, meaning that no one, not even the mayor, has access to all the data and accounts. That way, if the mayor’s account is hacked, the virus doesn’t spread.
“You actually build your systems with the assumption that you will get hacked,” he said.
Thinking that way helps systems leaders minimize damage when the network is breached, he said.
Just as real-world burglars might “case the joint,” Steben said virtual ones do the same. They’ll check out a system’s firewall, looking for cracks, he said. They are foiled when they discover that people are using up-to-date software with the latest security measures.
And so hackers have changed the game because of that heightened level of security.
“The name of the game now is to get the user to do something that they wouldn’t normally do,” he said, like coaxing them to click on a link provided in an email that installs a malicious program known as malware.
As a general rule, he says, people should be careful about links they click on, especially if they come in an email riddled with spelling errors and strange language. When he sends city employees fake phishing emails, the aim is to help them practice scanning messages for red flags.
“When somebody clicks, we get a report,” he said.
Application “white-listing” is another tool in the box, he said. That approach only enables approved programs to run. That comes in handy, because some of the apps people download with good intentions are Trojan horses for malware.
“Some of these scams are just so believable,” he said.
The city also holds cybersecurity insurance to protect itself, he said.
All good cybersecurity plans start with one question, Steben said: “What would happen if we got hit?”
“You gotta start having these conversations,” he said.
Amanda Drane can be contacted at email@example.com, @amandadrane on Twitter, and 413-496-6296.