Local governments are more vulnerable to cyberattacks than ever before. DHS wants mayors to step up.
Local governments are vulnerable to digital threats like never before. Police departments, water treatment plants and other systems used to run government services have been hit by hackers.

- DHS has tapped mayors to be the leads in protecting the systems that run their cities and towns.
- Local leaders say there are a number of reasons for not putting in place defenses, including high costs.
- Austin, Texas, Mayor Steve Adler has been tapped to lead the effort.
WASHINGTON – Cyberattacks against the machinery that runs America are increasing by the day, and the nation’s top civilian cybersecurity official is calling in the cavalry – America’s mayors – to form a front line of the U.S. defense.
Jen Easterly, who heads the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), says ransomware and other digital threats have made local governments around the nation vulnerable as never before. Water treatment plants, hospitals, police departments and even the automated systems that run entire cities have been hit by hackers, at times with devastating consequences.
In response, Easterly has mapped out a battle plan for fighting back. One of her first moves was to tap Austin, Texas Mayor Steve Adler – long considered an innovative, technology-savvy civic leader – to be her on-the-ground field commander.
In an exclusive interview with Paste BN, Easterly and Adler said their first order of business is to convince leaders at the municipal level that they need to take ownership of the problem given the tens of thousands of bullseye targets in their communities. And their second is to let America’s mayors know that Washington, and especially CISA, has lots of new money and organizational bandwidth to help them.
“In Austin, as in cities across the country, I think there is great angst about cybersecurity, but no direction and no resources” from the federal government as to what to do, said Adler, who chairs the U.S. Conference of Mayors Technology and Innovation Task Force.
“Everyone has seen the growing attacks and the growing visibility of attacks on cities – and on businesses. But they don't really know what to do,” Adler said of his fellow mayors. “And from a local government standpoint, they really don't have the resources to apply against the challenge.”
As a chief evangelist for President Joe Biden’s campaign for improved cybersecurity defenses, Easterly hatched the campaign to convince local and state governments to batten down their hatches soon after her Senate confirmation in July.
It’s not just criminal cybergangs that are targeting this “soft underbelly” of U.S. critical infrastructure, she says. Increasingly, it is also nation states like Russia, China and Iran that seek to harm the United States.
“As ransomware has made clear, everyone is a target and state and local governments face the full panoply of threats that the federal government does, from hostile nation-state actors to cyber criminals and everything in between,” said Frank Cilluffo, a former White House cyber and homeland security official. “And to the extent that the federal government is effectively outgunned and outmatched in this fight, the state and local level are all the more so.”
Easterly, a former top National Security Agency official, said cyber-villains clearly have taken notice of the chronic lack of resources and training at the local government level, and are probing relentlessly for ways into their systems. Already, cyberattacks have crippled major cities like Atlanta, Baltimore and New Orleans in recent years, encrypting their data in attempts to get millions of dollars in ransom before getting them back online.
In other cases, hackers were out for something more dangerous than financial gain. In Oldsmar, Florida, a year ago, an individual or group almost succeeded in poisoning the local drinking water supply by remotely tampering with the treatment chemicals.
Easterly elaborated on the dangers last month during a panel discussion at the U.S. Conference of Mayors’ 90th annual Winter Meeting in Washington, D.C.
“It has to be a leadership issue” for mayors as well as their chief information security officers, Easterly said.
“At the end of the day, people have to treat it as what it is, which is in some cases an existential risk,” Easterly added. “We are now seeing cyberattacks which can have physical impacts, with the potential to lead to loss of life.”
To help fix the problem, Easterly has plans to help allocate $200 million this year – and $1 billion total over the next four years – in recently approved infrastructure funding for training and other assistance to municipalities coast to coast.
And in December, she established a new CISA Cybersecurity Advisory Committee and appointed Adler to it.
One of their first ideas: Finding a catchy slogan to help local governments finally warm to the idea of taking that extra step of multifactor authentication – entering a code sent to an employee’s computer or phone asking them to confirm that it’s really them – before being able to sign in to their government accounts.
“We’re thinking of calling it the Texas Two-Step,” quipped Adler.
Such a campaign is not just a gimmick, Easterly and Adler say. CISA, the nation’s newest federal government security agency, lacks any kind of enforcement power that can be used as leverage. That means they’ll have to convince local leaders of the benefits of voluntarily upgrading their cybersecurity, at potentially significant cost.
CISA’s advisory-only status was by design, Easterly says, so that local and state governments and private companies that manage parts of the nation’s critical infrastructure would be more willing to work with it without fear of reprisal.
At the Conference of Mayors panel, and a similar meeting with state government leaders recently, Easterly said cyberattacks have gotten too sophisticated to prevent. Instead, she told attendees, they should focus on resilience, or finding the best ways to reduce the risk of attack and to mitigate the potential for harm when it occurs.
Adler urged his colleagues to confer immediately with their information security teams to make sure they have the right security protocols. And he asked them to make use of all of the resources CISA has to offer, as Austin has, including free on-site cybersecurity evaluations and help with responding to ransomware attacks.
Baby steps before harder ones
Easterly and Adler say local governments could thwart more than 90% of all cyberattacks by taking such basic steps as backing up their data and requiring all employees to use multifactor authentication in order to log into the critical infrastructure systems they oversee.
Those may sound like obvious and relatively easy solutions. But they’re steps that cities, counties and state governments have chafed at for years, if not decades, according to cybersecurity experts contacted by Paste BN.
“It’s like requiring people to wear seatbelts,” Easterly said. “It’s second nature now, but it took a long time to even require that cars had seatbelts.”
Local government leaders say there are plenty of reasons as to why they’ve balked at putting in place significant cybersecurity defenses. Most have inherited antiquated systems that would be enormously expensive to replace, and it would be virtually impossible to accomplish such an overhaul given their year-to-year spending cycles and budgetary constraints, according to Adler and other mayors who participated in the recent Conference of Mayors event.
Many still struggle with a legacy mindset within their governments in which employees are accustomed to thinking of security in physical terms – padlocked facilities and police officers – rather than in the digital terms needed to protect their computerized operations and valuable data, Adler told Paste BN.
Others, like Mayor Walt Maddox of Tuscaloosa, Alabama, worry that the more cybersecurity insurance they purchase, the more vulnerable they become if it becomes a matter of public record. "We're really looking for guidance on this question, especially now the insurance companies are charging a hell of a premium on this as well," he asked Easterly and Adler at the mayors' conference event.
Mayor Jack Bradley of Lorain, Ohio, asked how his city can protect itself from well-meaning employees who make mistakes, such as oversharing of sensitive data. "Not only do we have to worry about cyberattacks, but we also have to worry about internal breaches where our employees sometimes can't help themselves," he said.
And Mayor Brian Wahler of Piscataway, New Jersey, said he is concerned about all of the third-party vendors that provide a "backdoor way for cyber criminals" to potentially hold his city hostage through a ransomware attack or other cyber intrusion.
Easterly and Adler acknowledged that even putting in place something as simple as multi-factor authentication can seem like an insurmountable task for city leaders. That's especially the case given all of the computers, smartphones and other devices that might require upgraded software, and employees – and more recently, record numbers of municipal contractors – who would need to be taught how to use it.
At the mayors event, Shreveport, Louisiana Mayor Adrian Perkins said his department heads spent months “griping and complaining” about the disruptions that would be caused by the city’s push to incorporate multi-factor authentication into its critical systems. But once the requirement was in place, he said the grumbling stopped.
“And I always compare that two weeks to what would happen if we did get a ransomware attack, and how much money that would have cost,” Perkins said.
Welcome action but long overdue
Easterly, 54, seems to have the skillset – and mindset – needed to rally local government leaders to the tasks ahead, many experts told Paste BN.
A self-professed puzzle nerd, Easterly learned before the age of 12 how to solve the Rubik’s Cube puzzle – behind her back. She soon took that same initiative in learning the digital ones and zeros of the computer world.
The daughter of a military father, she was one of the first female cadets to graduate from the U.S. Military Academy and earned two Bronze Stars during her service overseas. After returning to West Point to teach, she was chosen to help stand up the U.S. military’s first Cyber Command. She also served in senior national security and counterterrorism roles in the Bush and Obama White Houses, led cybersecurity efforts for Wall Street giant Morgan Stanley and was the NSA’s deputy director for counterterrorism.
For all that, though, Easterly appears equally at home with a group of white hat (good) and black hat (bad) hackers. Last year, she delivered a keynote address at the Black Hat USA hackers and infosecurity convention, solving a Rubik’s Cube puzzle while she talked.
Some cybersecurity experts contacted by Paste BN said they are confident she will be able to handle the stresses – political and otherwise – of the high-profile job.
Her predecessor, Christopher Krebs, was fired by former President Donald Trump for publicly stating that CISA had done its job in helping ensure that the 2020 election was the most secure in U.S. history.
Tatyana Bolton, a former senior CISA official, said the agency has been trying since its inception to push local, state and federal officials to adopt stronger cybersecurity measures.
“I think the critical new piece here is that Jen Easterly has committed a billion dollars to this effort. That's a huge amount of money, and that will make a significant difference,” said Bolton, who also served as senior policy director for the U.S. Cyberspace Solarium Commission, a government-wide effort to reform U.S. approaches to cybersecurity.
“But I think we also have to get across this broader cultural message that cybersecurity isn't your last priority, it should be one of your first priorities” as a local government leader, Bolton told Paste BN. She said high-profile ransomware attacks like Oldsmar and last year’s shutdown of the Colonial Pipeline and JBS food processing company occurred because their systems were vulnerable – and hackers knew it.
“A lot of these hacks happen because employees aren't paying attention,” said Bolton. “And that's an issue of training, which I think, again, goes to what Jen Easterly is trying to address – the cyber hygiene problems, the things that if we all do together could literally stop more than 80% of cybersecurity attacks.”
Michael Hamilton, founder of the Critical Insight security firm and former chief information security officer for the city of Seattle, said Easterly faces some daunting challenges.
Cities – and local governments more broadly – purify water, treat waste, manage traffic, conduct radio operations for public safety and law enforcement, manage emergencies, operate 9-1-1 systems, conduct elections and perform a host of other important functions, Hamilton said.
“These are some of the most critical services at the scale we live our lives,” Hamilton said. “In this light, it is nearly incomprehensible that cities and counties have not done more to take themselves out of the category of ‘low hanging fruit’ for criminals.”
Hamilton, one of the earliest municipal adopters of more stringent cybersecurity measures, said there are deep-rooted institutional problems that Easterly must overcome.
He said funding shortfalls have meant cities lag far behind the private sector in implementing security controls. Money they do get usually goes first toward more urgent – and physically noticeable – needs such as fixing potholes and putting cops on the street.
And skilled cybersecurity experts can make 10 or even 20 times the money working for fast-growing private security firms or even the federal government, Hamilton said.
The upcoming funding from the state and local cybersecurity grant program in the infrastructure bill will go a long way toward increasing “not only awareness, but the ability to raise the risk bar and encourage criminals to find softer targets,” Hamilton said.
Easterly said CISA and other agencies are working out the details of that rollout over the next few months.
Clamoring for help, money and staff
At the recent Conference of Mayors event, Easterly and Adler faced a barrage of earnest questions from the leaders of cities both large and small.
Some wanted to know whether to pay ransoms or publicly acknowledge they’ve been hacked. Others asked for advice on how to vet the many contractors they’re hiring to help run their city infrastructure. And many asked how they could possibly get their employees to agree to security measures, including multi-factor authentication and adopting better passwords, when they’ve been so resistant to it before.
In all cases, Easterly and Adler urged the mayors to be transparent and upfront with their employees – and the general public.
Cilluffo, the former White House cybersecurity official, said in recent testimony before Congress that the challenges in getting local governments to adopt tougher cybersecurity measures will only get harder as time goes on.
“To make matters worse, the Internet of Things with all that it entails from smart cars to smart cities and beyond will expand the surface of attack by orders of magnitude,” said Cilluffo, a member of the Department of Homeland Security’s Advisory Council under presidents Trump and Obama. He also directs the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University.
For Easterly and Adler, that’s where the strategic messaging campaign comes in. Whether they ultimately settle on the "Texas Two-Step" or something else, getting employees to use multi-factor authentication should stop as much as 99% of all ransomware attacks, even when it comes to all of the newfangled Internet of Things devices.
“It's really not that hard. And the more people do it, the more it becomes second nature,” said Adler. “And to have a protection that is 99%? I mean, nothing gives you 99% protection in today's world.”