The Coronavirus Cyber Safety Challenge: 'New Opportunities for the Bad Guys'

On March 6, 2020, the governments of the city and county of Durham, North Carolina shut down computer networks after being hit with a ransomware attack similar to the one that had infected multiple local government computer systems in 2019. The Durham attack, which likely stemmed from employees clicking on infected emails, occurred just days before the World Health Organization announced that it was declaring COVID-19 a pandemic.

Attacks like this have delivered crippling IT blows in the public sector for some time now. Durham was fortunate enough to have had a recovery plan already in place, and the attack was spotted and addressed quickly.

But entities are often worse off than Durham after a cyberattack. And here’s the really bad news. These attacks have already proliferated in the days of Covid-19, which has created “new opportunities for the bad guys,” says Meredith Ward, director of policy and research for the National Association of State Chief Information Officers. Phishing emails are now luring employees to click on Covid-19 messages promising information on where to find personal protective equipment, or how to locate response funding.

“The threat factors have never been worse than in the last three weeks. This is absolutely fertile ground for the hackers,” says Barry Condrey, chief information officer of Chesterfield County, Virginia.

And, if hackers are successful, “the consequences are more severe than ever before,” says Alan Shark, the executive director of the Public Technology Institute. A breakdown of security that can shut down government information systems, even temporarily, would be devastating when residents are looking online for information and services because physical government offices have closed.

Ransomware is just one worry among many faced by information security officers as they strive to protect local and state governments in a world that has been transformed by the coronavirus. That mission is complicated by a wide variety of factors:  The speed of the transformation, the pressure on health and unemployment services, and the need to adapt to a decentralized home-bound workforce.

Added to those pressures is the real possibility of burnout when technology employees are working round the clock to make sure their governments are secure. As Washington state CIO Jim Weaver said in a March 24 NASCIO podcast, “We have to be very careful about our people not staying up all night, not trying to work 24-hour Herculean days to make the state safer . .  We need to be aware of them burning out.”

Despite the pressures and difficulties, multiple lessons have emerged over the last month about how to build a secure technological environment. While many governments are small and under-resourced in this area, there is a great deal of help available from larger governments and concerned organizations.

Knowledgeable security experts urge all local governments to join the Multi-State Information Sharing Analysis Center (MS-ISAC,) a free-membership service, which is run by the non-profit Center for Internet Security that regularly sends out advisories about threats, available low-cost tools and potential remedies. The National Governors Association and NASCIO released a brief in January detailing ways states can help with local cybersecurity, while the National Association of Counties Tech Xchange provides cybersecurity information, including links to free and low-cost training.

Government technology security managers at all levels benefit by forming relationships and sharing lessons about handling emerging problems. For example, word has spread quickly about the measures that governments need to take to avoid “Zoom Bombing” incidents in their virtual public meetings. Reports of pornographic pictures being shared, or racist remarks being voiced on Zoom during public comment periods, have alerted multiple governments that they need to put protections in place around virtual “open” public meetings that are utilizing Zoom or similar software.

“If you don’t check the right boxes to keep a Zoom meeting secure, a bad actor can become part of your meeting,” says Rita Reynolds, chief technology officer at NACo.

A set of basic practices are emerging. Multiple security experts tout the importance of central IT having good visibility into what’s going on in a decentralized technology environment. Patching of devices with frequent security updates is also critical, they say, as are updating firewalls and anti-virus protection. Increasing the availability of 24-7 help desks makes sure that employees have a place to turn if something goes wrong. 

In general, mobile workers are being supplied, where possible, with government issued laptops or having their office desktops delivered to their homes. Virtual private networks (VPNs) are used to connect these computers to city, county or state internal systems. “That creates a secure, encrypted tunnel between employees and the county,” says Sybil Gurney, assistant chief information officer in Alameda County, California. Signing onto networks requires multi-factor authentication—a way for governments to make sure the sign-on is legitimate by sending a code that needs to be input before accessing the network.

When government-issued devices aren’t available, personal devices can be utilized as “dumb terminals” that can access internal government information through a virtual desktop on a web browser. While this basically cuts off contact with the contents of the personal computer, security experts emphasize that cyber hygiene and the basic privacy rules learned in office settings should also be practiced at home.

One of the most important actions taken by security professionals during the pandemic is to double down on the advisories and training provided to employees about their own behavior when dealing with email. Anti-spam and advanced tools are used to filter out malicious emails and attachments, but the technological solutions only go so far, says Dave Kohn, chief technology officer in Alameda County in California.

 “The bad guys are pretty smart, and they come up with things people have never seen before,” he says.

A theme in Alameda County, and elsewhere, is that it only takes one misplaced click to cause major trouble. “We’ve really been focused on our awareness training,” says Kohn. “We want to make sure that our employees are aware of what can go wrong.”