The 2021 Santa Barbara County Grand Jury has prepared a report about cybersecurity for special districts and county service areas following the 2019-20 Grand Jury report “Cyber-Attacks Threaten Santa Barbara County,” which focused on the broader county issues.
The report urges the 53 special districts in Santa Barbara County to review their cyber-systems to identify cybersecurity threats. The jury urges the special districts and service areas to take all necessary measures to protect their operational data and computer systems.
The jury has proposed a list of best practices for Santa Barbara County special districts to consider in identifying, protecting and, if necessary, upgrading their cybersecurity activities to advance the best interests of their consumers.
There are three types of special districts within the county: Independent Special District, Dependent Special District, and County Service Area.
An Independent Special District has its own board of directors, either elected directly or appointed; they make their decisions on activities and budgets independent of any city or county oversight.
A Dependent Special District is actually run by its respective city council or county board of supervisors.
County Service Areas (CSA) are different from Special Districts in that they are also governed by the County Service Area Law (Cal. Govt. Code §§ 25210 et seq.) in addition to the Cortese-Knox-Hertzberg Local Government Reorganization Act of 2000. There are currently 39 Independent Special Districts, eight Dependent Special Districts, and six Community Service Areas in the county.
Recent press accounts report cybersecurity breaches across the U.S.
» California Government Code Section 25210.3 (2016)
» www.sbcounty.gov/uploads/LAFCO/Publications/CKH_2018.pdf
» https://thehill.com/policy/cybersecurity/576835-agencies-warn-of-cyber-threats-to-water-wastewater-systems
The two-day shutdown of a part of Colonial Pipeline’s oil distribution system on the East Coast in early 2021, which reportedly cost the company more than $2 million in ransom payments, is one example.
Costly or potentially even deadly cyber attacks also impacted, among many other business and government entities, police departments, water distribution systems, a major national meatpacking company, and hospital systems. Health care systems are particularly targeted. California had the highest percentage of attempted health-care system hacks, with 21 percent of the nationwide total.
These intrusions can be expensive to correct. Even when ransoms are paid, the breached or maliciously encrypted systems must be reconfigured or even rebuilt entirely. Moreover, there remain potential financial liabilities for critical infrastructure businesses like utilities, as well as financial institutions, to their customers.
For example, Ally Bank (formerly known as GMAC) presently is the defendant in a class-action lawsuit in federal court in New York for its alleged negligence in allowing hackers to breach several of its customer accounts and steal names and passwords.
Unfortunately, as the special district officials and consultants whom the jury interviewed candidly admitted, no system is foolproof and precautions may vary greatly from district to district. It, therefore, is incumbent upon the special districts to take whatever proactive steps possible to reduce the threats and thereby mitigate the damaging consequences of the intrusions which inevitably will occur despite diligent efforts to prevent them.
In an effort to assess the readiness of special districts in Santa Barbara County, the jury interviewed a representative sampling of Santa Barbara County special districts and municipal officials, as well as private industry internet technology and cybersecurity experts. The jury also reviewed informative articles, reports, and official publications dealing with the subject of cybersecurity.
There are at least three U.S. agencies that address cybersecurity crime. Special districts are encouraged to access these and strengthen their own websites:
» U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA) https://www.cisa.gov/
» U.S. Department of Commerce, National Institute of Standards and Technology (NIST) https://www.nist.gov/cyberframework
» U.S. Department of Justice, Federal Bureau of Investigation, Internet Crime Complaint Center (IC3) https://www.ic3.gov
While there appear to have been no known successful cyber attacks of special districts within Santa Barbara County, the jury learned that an extensive number of cyber incursions have been attempted in the U.S., often with success. These intrusions severely disrupted governmental and private company operations, costing billions of dollars in ransom payments, system repairs, and additional defensive measures.
Following a 2021 White House meeting on the problem and in an effort to meet the challenge, Microsoft said it is allocating $150 million for cybersecurity technical services to assist federal, state, and local government agencies. In addition, it has committed to invest $20 billion over five years to develop improved cybersecurity programs.
Google has committed to spending $10 billion for that same purpose, and major corporations like Amazon and IBM will be increasing their investment in employee training programs.
The jury has neither the staff nor the technical expertise to analyze the cyber-readiness of the special districts or to suggest specific defenses to cyber attacks. That work should be done by expert consultants and security firms devoted to such activities. The jury offers the following list of Best Practices based upon the sources consulted:
» Create strong passwords and change them often, or at least periodically.
» Install and regularly update "encryption" software.
» Install and regularly update "firewall" software (intrusion detection systems).
» Update computer systems as necessary.
» Install and regularly update virus protection software.
» Secure data by limiting access.
» Safely dispose of all unwanted documents.
» Limit remote internet access to the extent possible.
» Limit physical access to system equipment (access cards, ID cards, etc.).
» Wipe data from equipment to be disposed of.
» Monitor employee use of all systems.
» Periodically test security measures and immediately remediate weaknesses.
» Report to the appropriate internal security all malfunctions, anomalies or any other “out-of-ordinary” events no matter how insignificant they may appear to be.
» Conduct training for all employees periodically on security policies and procedures, certify attendance, and teach staff how to prevent, detect, contain, and eliminate breaches.
» Hire an outside security consulting firm to conduct a risk analysis at least annually and consider the possibility of pooling resources with other special districts to hire such expertise.
» Consider adequate cybersecurity insurance and the possibility of creating or joining an existing insurance pool to reduce premium cost.
» Create and securely maintain back-up data separate from the “live” system.
» Create a comprehensive Security Policy Manual to centralize information in one place and make it accessible to all staff.
» Classify and prioritize all district hardware, software, devices, data, etc. in accordance with their critical nature.
» Adopt easy-to-follow protocols for detecting and reporting known or suspected incursions and explain the exact duties and responsibilities of different staff levels in case an incident occurs. Create and maintain a current incident log designed to immediately document, analyze, and catalog incursions and explain how best to respond.
» Immediately eliminate all access to data systems and emails upon an employee’s departure.
Santa Barbara County Grand Jury
By Pam Olsen
December 10, 2021