Cybersecurity and IT investments emerge as key priorities

From the Beacon, October 2021

Last month, the MMA had the opportunity to participate in the first-ever public hearing held by the Legislature’s new Joint Committee on Advanced Information Technology, the Internet and Cybersecurity. This was an excellent opportunity to highlight the importance of cybersecurity and cyber resilience to local governments in every corner of the state.

Cyberattacks are impacting all aspects of our society, including individuals, businesses and every level of government. While there have been a number of memorable attacks against state agencies and private entities, the unfortunate reality is that cities and towns appear to be the prime targets of many bad actors.

This disproportionate targeting of municipalities is likely due to two central factors: the essential role of local government, and the challenge of maintaining modern IT systems.

First, local governments deliver essential services, including public safety and emergency response, K-12 education, drinking water and wastewater infrastructure, management of vital records, economic development and environmental permitting, and elections administration. The disruption of these services has an outsized impact on the public, increasing the pressure to immediately restore corrupted and disabled IT systems, and cybercriminals wish to capitalize on this sensitivity.

Second, municipalities have very limited financial resources and thus are usually reliant on aging IT systems and equipment. With Proposition 2½ tightly capping local revenues, local leaders have a limited ability to fund the modernization of IT hardware and software that they desire. Since Proposition 2½ mandates a zero-sum budget balancing dynamic, if communities want to rapidly scale up IT investments, they must implement cuts in other valuable and prized services.

Because cyberattacks present a clear threat to the quality of life in our communities, and municipal funding capacity is capped by state law, local officials are grateful that cybersecurity and IT resilience are priorities for the Legislature and the Baker-Polito administration.

The creation of the MassCyberCenter in 2017 was a stroke of genius, as this agency has been a vital partner with cities and towns, serving as a deeply trusted source of expertise, resources and first-rate training. The agency convenes municipal IT officials in multiple ways and settings, including this month’s statewide summit, monthly briefings, regular trainings and table-top sessions, interdisciplinary workgroups, and more. MassCyberCenter’s toolbox includes sophisticated resource guides, recommended baseline standards for municipalities, and top-shelf advice on how to implement these standards and enhance the platforms and systems needed to protect against a growing number of attacks.

Also working hand-in-glove with cities and towns, the Office of Municipal and School Technology in the Executive Office of Technology Services and Security is a trusted partner as well. The Office of Municipal and School Technology provides technical expertise, free cybersecurity health checks for local agencies, and cyber awareness grants, and it works to promote cybersecurity best practices with funding available through the Community Compact program.

The Commonwealth’s statewide contract for goods and services is an effective way to save cities and towns time and resources in identifying qualified vendors for highly technical and skilled services. The new ITS78 Data and Cybersecurity Statewide Contract prequalifies vendors that cities and towns can contract with for vital support, including early-stage planning, risk assessments, testing and readiness services, and swift incident response actions.

The MMA has been doing its part as well, primarily through our nonprofit member-governed affiliate, the Massachusetts Interlocal Insurance Association (MIIA). This unique local government risk management program has worked with a national firm to bring risk management expertise to Massachusetts. MIIA offers support for members that attend MIIA’s (and the MassCyberCenter’s) risk management training and webinars, supports efforts to implement the MassCyberCenter’s municipal baseline standards, provides bulletins and best-practice alerts and materials to our member communities, offers risk management assessments, incident response planning and free phishing testing for municipal employees, works with members on recovery strategies if an attack occurs, and more.

In spite of all these resources and excellent programs, the task ahead of local government is massive. Cyberattacks are increasing, the availability of coverage from national and international re-insurers is sharply constricting, and local resources are capped by state law. Communities have significant investments to make. Our 351 cities and towns cover a broad spectrum, from small rural communities, to mid-sized suburbs, to large economic engines that act as regional service centers. They operate fragmented IT systems, many built to serve a specific set of activities, including public works, public safety, public education, public finance and public utilities. It is safe to say that communities cannot fund the needed investments in hardware, software and training on their own.

Solutions cannot be top-down or one-size-fits-all. One idea that was floated during the September hearing was for the state to impose an unfunded mandate on local governments, requiring communities to adopt a minimum baseline of cyber standards and data backup processes.

The MMA’s response to the notion of a state mandate was clear and unequivocal. Such a mandate would be unaffordable, unenforceable and impossible to implement, given the limits to municipal budgets and funding capacity due to Proposition 2½, the extreme variation in municipal IT capacity, and the hundreds, if not thousands, of municipal platforms that exist.

The vastly preferred approach is a rapidly scaled-up local-state collaboration, which is the direction that we urge the Legislature, the MassCyberCenter and the administration to follow.

Here are some ideas for moving forward on that path:
• We recommend that the Commonwealth prepare to leverage and augment the $15.7 million for cybersecurity and resilience that may come to Massachusetts in the sweeping federal infrastructure bill passed by the U.S. Senate and pending (at this moment) in the House. This is a perfect time to expand state budget investments in IT training, planning, and incident response and recovery, as well as providing new and significant bond-backed capital funding for hardware and software upgrades in municipalities.

• As the Commonwealth examines the use of its multi-billion dollars in direct aid from the American Rescue Plan Act, the state should consider using a portion of its ARPA funding to invest in resilient IT infrastructure for water and sewer departments and other allowable areas consistent with U.S. Treasury guidelines, so that this critical infrastructure is protected from cyberattacks.

• We recommend that the Commonwealth significantly increase funding to the MassCyberCenter and the Office of Municipal and School Technology, so that their resources for planning, training and implementation of robust cybersecurity can meet the full need that exists among cities, towns and other local governmental districts.

• As the Commonwealth pursues other promising initiatives, such as multi-party consortiums to offer advanced-level training and support that would benefit cities and towns, the MMA asks that local government be included in these consortiums as equal partners, instead of as mere consumers, so that municipal leaders are included in shaping the products, setting priorities and making decisions.

• Let’s explore other aspects of Massachusetts public policy that will influence our cyber future and enhance our resiliency. For example, municipal assessments, test results, planning documents, vulnerability surveys, ransomware coverages and other sensitive information must be appropriately shielded from cybercriminals and bad actors.

Cities and towns have been the targets of cybercriminals, which means that criminals are targeting residents and taxpayers across the Commonwealth. The MMA and local officials everywhere look forward to working with state leaders to build on and scale up the successful initiatives and partnerships that will provide security and protection for our cities, towns and taxpayers.