Damage control and assessment from the April 24 cyberattack on City Hall continues. On Wednesday, May 17, a new update was posted on the city website. It listed the services that have been restored and also acknowledged the May 11 assertion by an online hacking outfit that claimed responsibility for the attack and threatened to release data that had been taken. The city’s update simply states this claim is “being monitored by a variety of agencies and waiting to be further assessed.” It ends with links to a couple of websites that allow you to look up if your passwords have been compromised and another link to the Department of Homeland Security’s CISA office which has information on best practices for personal cybersecurity.
On Thursday, however, the Lowell Sun reported that cybersecurity consultants who surf the dark web have found sensitive personal information of city of Lowell employees dating back to 2017. The article said that redacted documents given to the newspaper “provided a startling glimpse of what private information may now be available to cyber criminals and others.”
The Sun article went on to quote City Manager Tom Golden as confirming that the data on the dark web is from the city and that “the city is working to implement an identity and credit monitoring service for all city employees and their families.”
A couple of observations:
The city’s IT department should get good grades for having usable backups that allowed data to be restored once individual computers are wiped clean of any stay-behind hacker files. At least that’s how it seems . . .
That caveat must be added because the clarity and flow of information coming from City Hall has been poor. Certainly it’s an ongoing criminal investigation and that requires some level of confidentiality, but that circumstance can become an excuse to not be forthcoming with negative news that could and should be released without jeopardizing the investigation.
This Monday will be four weeks since the attack, and city employees, vendors, and even taxpayers are left to speculate whether their personal online lives – passwords, Social Security numbers, dates of birth, bank accounts – are at risk. Offering free identity and credit monitoring to individuals who have been put at risk seems like standard procedure in these types of incidents, but the longer it takes to implement that, the greater the possibility of financial harm to individuals.
Although this shouldn’t be necessary, City Councilors should be more precise with the questions they ask about this incident. For instance, when Councilors questioned the City’s MIS Director two weeks ago, they asked something like, “Was any city data taken?” After a pause, the answer was “No.” However, in the cybersecurity world, “taken” means “do you still have access to it?” not “did the bad guys get a copy of it?” Since the city had solid backups that could be safely restored, it wasn’t deprived of the data. The follow-up question that should have been asked was “Was any city data exfiltrated?” to which the answer would have been “Yes” or “We don’t know yet.” I don’t say this as a criticism of Councilors, at least as far as this line of questioning is concerned, because I took the initial answer to mean there was no breach of city data, but as we now know, sensitive data did fall into the hands of the bad guys.
Cyberattacks are a constant. It’s not just tech-savvy criminals doing it, either. For instance, North Korea has been involved in various cyber activities, including state-sponsored hacking and cyberattacks targeting financial institutions, cryptocurrency exchanges, and other entities. These activities are believed to be part of North Korea’s efforts to generate revenue and evade international sanctions.
While it seems almost inevitable that governmental entities, hospitals, colleges, and businesses will fall victim to cyberattacks, it’s extremely important to use the latest cyber defense practices. It’s a little like having locks on your door at home. A determined criminal can still get into a house with locked doors, but the locks may be enough of an impediment to cause the criminal to move on to an easier target. In the same way, increasing computer defenses is no guarantee against attack but a strong defense makes it more likely that attackers will move on to a softer target.
It is unclear what vulnerability the attackers exploited to break through the Lowell defenses. That’s not something you want to broadcast to the world until after you’re sure it’s been fixed. But some comments made over the past month suggest there’s been a lack of urgency about creating a culture of cybersecurity among the city’s workforce. Two things in particular lead me to that conclusion. First, the MIS Director stated that employees must partake in recurring cybersecurity training and added, “If they don’t do it, we’ll shut off their access.” Mandatory cybersecurity training for government employees has been around for a long time, and it can be challenging to find time to take the training. But if the highest levels of leadership make it a priority, it will get done. If the highest levels of leadership don’t see it as a priority, it won’t get done, because there’s always something that seems more pressing on the employee’s to-do list. I took the MIS Director’s comment to mean that cybersecurity training has already been offered but not everyone has taken it, and those who have not have suffered no consequences.
The second thing the MIS Director said was that the city will now make two-factor authentication mandatory. Two-factor authentication is an additional layer of security that helps protect user accounts by requiring two forms of identification or verification before granting access. The preferred method is to install an app on your cell phone. Whenever you log into your work computer, your cell phone prompts you that someone is logging into your account and asks you to allow or deny it. If someone has stolen your password and tries to log into your account, you would be able to deny them access.
Implementing two-factor authentication throughout the city’s workforce is a big undertaking that will take a lot of resources and will cause short-term headaches for employees. Still, it is now standard practice in cybersecurity. How quickly the city implements this will be a test of whether cybersecurity is now a priority or just a trendy talking point.
****
Further evidence of a culture of noncompliance among the City workforce was present in a June 30, 2022, Management Letter from Powers & Sullivan LLC, the city’s outside auditors, that found its way into last week’s Council meeting packet. The report noted five items that had been brought to the city’s attention in audit letters from prior years that remain unresolved. These were:
Purchase order dates
General Ledger maintenance
Checks written to and from the City
Preparation of the schedule of expenditures of Federal awards
Review and restructure the payroll process
My comment on a “culture of noncompliance” comes from the first item on purchase orders. Here’s what the audit letter says about that:
“In previous management letters we noted during expenditure testing several purchase orders were dated later than the corresponding invoice dates. Creating purchase orders after the invoice is received bypasses the City’s purchasing policies and defeats the internal control that a purchase order system is intended to provide. Purchase orders allow the City to ensure that budgetary funds are available and that the purchase has been properly approved before funds are expended.”
Admittedly, government purchasing can be cumbersome, but as the audit letter explains, there are good reasons for that to be so. Here’s how it is supposed to work, in simplified form:
Let’s say you’re a government employee. You want to purchase a desktop scanner. First, you identify three vendors who sell the scanner and ask each of them for a quote (meaning the price and terms). When they respond, you select the one that gives “best value,” which is usually the cheapest. You take that quote to whoever handles your office finances. Let’s say it’s the auditor. The auditor looks at the balance of money you have in your budget and, if it’s enough to pay for the scanner, creates a “purchase order” for you. That “encumbers” or ties up that money so it will be available to pay the invoice when it is received. You call the vendor and order the scanner, giving the vendor the purchase order number. Once the scanner is delivered, you take the vendor’s invoice, write the purchase order number on it, and forward it to your auditor for payment. If all is in order, the invoice is paid promptly.
When the audit letter says that invoices have dates before corresponding purchase orders, it means whoever made the purchase did so outside of this established system.
And for emergencies, there’s a way to have “open” purchase orders to rapidly respond to things like water main breaks and heating plant failures. But they require good organization, advance planning, and a system that demands compliance. The purchase order system may be cumbersome, but it’s necessary to provide some order and protection in the expenditure of taxpayer funds. Just as it’s easy to say, “We’re too busy to do cybersecurity training,” it’s also easy to say, “We didn’t have time to get the purchase order before ordering the item.” Both are a reflection of the prevailing culture at City Hall.
****
Anytime Auxiliary Dwelling Units are on the agenda, it triggers anxiety among some councilors, mostly because there are strong feelings on both sides of the issue. The agenda item last week was to refer the proposed zoning change to the July 11, 2023, Council meeting for a public hearing. What is usually a simple procedural step expanded into a renewed debate on the merits and risks of ADUs.
When the roll was called, voting to send the matter to a public hearing were Councilors John Drinkwater, Wayne Jenness, John Leahy, Vesna Nuon, Dan Rourke, and Paul Yem. Voting against sending it to a public hearing were Rita Mercier, Corey Robinson, Kim Scott, and Erik Gitschier. (Mayor Sokhary Chau was absent).
Mass. General Laws chapter 43, section 99 states in part, “The affirmative vote of a majority of all the members elected to the city council shall be necessary for the passage of any order, ordinance, resolution or vote, except that the affirmative vote of a majority of the members present shall be sufficient to adjourn any meeting of the city council.” The ADU proposal is an amendment of the zoning ordinance so I believe it requires a majority vote to pass (as opposed to a vote on the budget that requires a two-thirds vote). With an eleven-member Council, a majority vote would need six Councilors to win, so if the six who voted to advance ADUs to the public hearing all support it, ADUs should pass.
****
Next Saturday, May 27, 2023, at 11am, lala books at 189 Market Street will host a “book launch” event for The Lowell Review 2023, a 200-page collection of essays, stories, poems and photos from area writers and artists. Read more about the event and about The Lowell Review and its two prior issues on richardhowe.com this weekend.
Here's the real story of the recent cybersecurity attack on city hall. Prior to 2022, the cybersecurity budget for the city of Lowell was zero. Only in 2022 did the city receive a cybersecurity grant for $89,585, and then in 2023 a grant only for $40,561. The average salary of an IT security administrator "is" close to $90k, but that's "annually". We hear in the news that we have thousands of job postings that go unfulfilled. Everyone must be lazy? But in our example the 2022 budget request to fill a cybersecurity position went on to never being filled because it had no job security, pun intended. Just my opinion, but I highly doubt anyone would be able to hire a half-decent admin who would give a damn if they know they'll only be hanging around for under a year.
Ransomware as a business isn't the type of criminal activity where targets are put on a list for a gang to exert energy trying to break in. Ransomware is all about picking the low hanging fruit or more often about picking up the rotten fruit that's already fallen to the ground...
IT as a whole is not a one-stop shop. IT is an integral branch and a division unto itself of vastly differentiated departments. You have the software guy, hardware maintenance, network maintenance, the help desk, the compliance officer, and then you have a cybersecurity wing. These jobs are not interchangeable but distinct, and each depends on a completely different skill set than another. Just because you have an IT department doesn't mean you have a cybersecurity person. This is why the city was hacked. Not because it was a target but because the city made it an afterthought and never even bothered to fund it as a job, if nothing but just a task. Tasks don't get done by themselves; tasks get done by people. Hire a damn cybersecurity position and payroll it as an annual salary!