A recent report by the Maryland Cybersecurity Council has focused attention on cybersecurity at state and local agencies.
The report, released in December by the council’s Ad Hoc Committee on State and Local Cybersecurity, sought to identify policies, governance and resources that could increase cybersecurity. Surveys were sent to 89 units of executive governance; according to the report, 70 had responded by the time it was written, and the State Board of Elections was among the units that did not respond.
“We’ve seen that no matter the size of the jurisdiction and no matter which unit of local government is affected, cyberattacks at the local level are inevitable and they are increasing,” said Ben Yelin, program director for public policy and external affairs at the University of Maryland Center for Health and Homeland Security and co-chair of the ad hoc committee.
State Sen. Katie Fry Hester (D-Howard and Carroll), who co-chaired the committee with Yelin, said she was struck by how few resources many local leaders have at their disposal. She remembers learning at a meeting with the Maryland Association of County Health Officers that some local health departments still use fax machines.
The Maryland Department of Health was the victim of a ransomware attack in late 2021.
Hester said she thinks about the vulnerability of Maryland’s state and local agencies every time an attack happens, such as the 2020 ransomware attack on Baltimore County Public Schools.
“First of all I get angry that we haven’t done something already, and then I start to think about the real-life, kinetic impact,” Hester said. “How many kids are not going to school? How many teachers are not getting paid?”
Yelin has been particularly interested in helping local governments prevent cyberattacks. He recalls opening a water bill from Baltimore City and finding an eye-popping number; the city, the victim of a ransomware attack in 2019, had been unable to bill customers and now wanted several months of water usage paid for at once. Such a bill would pose a problem for low-income residents or those on a fixed income, he noted.
The report found that 40% of the units of state government that responded to the committee’s survey indicated they had at least one legacy system, which was defined as software or hardware that no longer receives updates or security patches, or whose manufacturer no longer provides replacement parts or technical support.
“The presence of legacy systems introduces risk, especially if there isn’t a plan to upgrade or modernize them,” said Chip Stewart, the state’s chief information security officer, who added that the Department of Information Technology, in coordination with other state agencies, has plans to upgrade many of the systems.
The report also indicated that more than 60% of state agencies had not conducted cybersecurity risk assessments, though Stewart said the state’s Office of Security Management had completed external cybersecurity risk assessments on those agencies.
Yelin said the extent of the vulnerabilities was a surprise. He said that though state agencies and school districts are making good-faith efforts to improve security, the situation remains challenging.
“The longer you go without doing risk assessments, without doing inventories of your system, without doing training and exercises to test your own vulnerabilities and capabilities, then the more that problem starts to fester,” he said.