WASHINGTON — Cities can’t always prevent cyberattacks, but they can take steps to mitigate and recover from breaches, the director of the Cybersecurity and Infrastructure Security Agency told those attending a the U.S. Conference of Mayors meeting Thursday.
Some of those measures include “cyber-hygiene” practices, such as using complex passwords, updating software and implementing multi-factor authentication, agency Director Jen Easterly said.
For mayors attending the U.S. Conference of Mayors 90th winter meeting, cybersecurity risks are an increasingly pressing problem. For example, major ransomware attacks occurred under Atlanta Mayor Keisha Lance Bottoms in 2018 and Baltimore Mayor Bernard Young in 2019.
According to Easterly, nobody is immune from these attacks, so mayors should focus on building their cities’ resilience.
“It is increasingly difficult to prevent bad things from happening,” Easterly said, advising mayors to build a system to plan, prepare and develop resources for cyberthreats. In that way, they can “reduce the damage that they’re going to have to go through to rebuild systems,” she said.
Easterly told the mayors that cybersecurity should not focus on technology, but rather on people and incentivizing them to practice cyber hygiene. Like physical hygiene practices such as brushing teeth or washing hands, cyber hygiene includes updating software and ensuring passwords are complex and unique, she said.
Most importantly, she said, mayors need to implement multi-factor authentication – a second piece of identification needed to prove identity when logging into accounts.
“If you implement MFA, you are about 99% less likely to get hacked,” Easterly said.
Her speech came a day after President Joe Biden signed a memorandum expanding the National Security Agency’s ability to protect sensitive government computer networks.
The memorandum, required by his executive order, “Improving the Nation’s Security,” authorizes the NSA to issue directives that require agencies to identify their national security systems and protect against cyber threats.
It also makes cybersecurity practices, such as encryption and multi-factor authentication, mandatory for national security systems, the Defense Department and Intelligence Community systems.
“Cyber criminals are also looking at what your mayor is paying, what your team is paying, in terms of all of the things that you’re doing to keep their city safe,” Easterly said.
“So, cyber criminals are going to go after the soft underbelly for targeting, and if they think that you have invested those resources, they’re probably not going to go after you.”
Cities are not only impacted by external security breaches, but internal ones, too.
Lorain, Ohio, Mayor Jack W. Bradley described a situation in which the city auditor office filled a request for the salaries of all city employees by sending a spreadsheet via email.
The Excel spreadsheet she sent contained metadata with employees’ last four digits of Social Security numbers, date of birth, home address and driver’s license numbers.
A council member who received the spreadsheet then sent it out to a third party, unsolicited, leading to it being posted and shared by more than 800 people, Bradley said.
He said his office contacted its cyber insurance carrier, which was to send payments to the breach victims.
Said Easterly, “It has to be a leadership issue, at the end of the day, and people have to treat it as what it is, which is in some cases an existential risk.”