and Loose Laptops Sink Cyber (Security)
Is City-Cyber-Armageddon just around the corner?
Today City governments depend upon technology – more than ever – to operate. Constituents depend upon the Internet, web, e-mail , cell phones to communicate with their government for information and services. But, gee, how secure and reliable are these systems, these networks and these communication?
I recently had a non-classified meeting with some fedgov Department of Homeland Security cyber folks, and DHS contractors about potential cyber security tools. I’m a “geek”, so I love tools and software. I’m a senior public official, so I also like charts and graphs and statistics. My meeting had plenty of both tools and statistics. But I walked away from the meeting ready to move to a mountain cabin “off the grid” and isolated from the world.
Is cybersecurity really a major issue? What can a municipal government do to improve HomeCity Security?
Is it an issue? I offer the following observations:
• A laptop computer with records of 26.5 million veterans was stolen from the home of a Veteran’s Administration employee in May 2006 (later recovered). But these veterans (including me – I’m a retired Army Officer) received letters notifying us of the problem. The VA also lost records of 1.8 million veterans in February 2007 and covered up other data breaches. They (that’s “we” for those of us who pay fedgov income tax) paid for a lot of clean-up and credit monitoring.
• The day after his inauguration, President Obama published a cybersecurity plan and intends – as a top priority – to appoint a national cybersecurity advisor.
• Within the last few months, Heartland Computer Systems may have lost over 45 million consumer credit card numbers .
• The nation’s electrical grid is allegedly vulnerable to cyberattack (and my City operates the nation’s ninth largest municipal electric utility with 300,000 customers)
• Conficker worm may be infecting one million new computers a day
What scares me?
1. Injury to the people who trust the government of the City of Seattle. The people of Seattle entrust their credit card numbers, their phone numbers, their personal information to my government. When they call 911, they expect help. And we’ve had web-based SQL databases compromised by SQL injection attacks, so any constituent visiting those websites receives computer viruses… from us! If someone is hurt physically or financially or emotionally because we’ve failed to keep the telephone network or their personal information cybersecure, I’ve failed as CTO, and I’ve failed big-time. I never want to be sending letters like the one I received from the VA.
2. Damage to the City of Seattle’s reputation. One reason my government works so well is that the people of Seattle trust us: last November, despite a looming recession, they passed levies to fund more parks, a Pike Place Market renovation, and a $17 billion transit system. A cyber-incident will damage that special relationship.
3. Outage of the City’s technology systems. Constituents use technology to report problems and request service from the City. They call 911 or 684-3000 (utility customer service). They send e-mail. The pay bills on the web. And City employees use technology to coordinate our response – radio systems for public safety, telephone and data networks, electronic mail systems, Windows servers and a 24×7 data center. I’m proud of 99%+ uptime on those systems to “make technology work for the City. Cyber incidents endanger those systems.
How can we improve HomeCity Cybersecurity? Here’s what I’m doing:
1. Hired a damn fine CISO. My Chief Information Security Officer, Mike Hamilton, is the best. Worked for a long time in private industry, came to Seattle ready to give his expertise in public service. Like all CISO’s, he sees bad guys everywhere. Unlike many CISO’s, he knows that technology and the Internet are here to stay and we need to take practical measures to make them as secure as possible.
2. Assemble and train a team of cyber-techies and professional cyber-sleuths. We have dedicated, skilled IT security professionals scattered throughout City government. Their departments and agencies spent money to train them, and CISO Hamilton matrix-manages them to patch and secure systems. We use them as a cyber-incident-management team under Hamilton’s Deputy – David Matthews – to investigate and get to root cause of any potential cybersecurity incident. They are our best cyber-defense.
3. Test every doggone Internet-facing application. Do penetration testing on our Internet connection. Watch firewall logs. Apply every Microsoft or Cisco or (fill-in-the-blank technology company) security patch as soon as you can. No more than five days max from patch release to deployment.
4. Selectively outsource. We’ve outsourced management of credit card payments to skilled third parties, rather than “storing and managing our own”. We can’t outsource accountability, but we can share risk.
5. Buy some basic tools. Anti-virus for every computer. Patch distribution software. Vulnerability scanning software. System logging and aggregation software. Web site blocking software. Then use it.
6. Educate, train, harangue and educate again. The weakest link in every cybersecurity defense is employees. Employees who transport data from work to home on thumbdrives, potentially losing the data or introducing a new virus or worm. “Loose lips sink ships” and “Loose laptops sink cyber-security”. Employees who surf the Internet and hit questionable websites. We train employees on good security practices, harangue management to enforcement them, and then train again.
I’m not as concerned about cyber attacks crippling public safety radio systems or the SCADA systems which control the electrical grid and water supply or traffic signal control. These systems are vulnerable, but have in-depth layers of defense and employees dedicated to protecting them.
I’m concerned about that single lost portable hard drive with social security numbers. Or that one SQL server database which should be “read only” but is “read-write” and compromised. Or that employee who goes to a web gambling site and downloads a day-zero cyber virus.
Technology is here to stay. Internet access will only increase. But we’re working hard to mitigate the vulnerabilities.
And I don’t sleep very well at night.
the Chief Seattle Geek blog 
bill, please, step back, take a breath! does this mean i should be looking at at your db services for holes?
Yes, I don’t sleep well either some times. Well said. I love Web 2.0 and I’m getting about 1 request a day for more of it – and it’s both a security nightmare AND a reall, really useful tool that there no real way to stop users from doing all by themselves other than education and sticks.