Marin should broaden fight against cyberattacks – Marin Independent Journal
Confidence in the security of our bank accounts, vital numbers and codes, and health information has been shaken by cyberattacks.
In some cases, businesses whose information systems have been attacked have been held for ransom.
Government is not immune. The 2023-24 Marin County Civil Grand Jury is urging the county and other local jurisdictions to work collaboratively to bolster their “cyber preparedness.”
In fact, the grand jury is recommending that the county, Marin’s largest employer, create a new position dedicated to cybersecurity – promoting awareness, education and training, as well as implementing and monitoring preventive systems. That position, and the hiring of two system-engineering positions, would assist other Marin agencies, as well. It could be part of the formation of a new countywide joint powers authority that could share the cost.
The report is a follow-up to a 2020 grand jury study that reported that the county and other Marin municipalities had been targets.
In the case of the county, the grand jury reported that during 2017 and 2018 the county’s data had been the subject of at least five cyberattacks, including one in which a hacker conned the county’s finance office into wiring $309,000 to the hacker’s bank account.
The county was able to recover only $63,000 of the public cash lost in the breach.
Since then, Marin municipalities have implemented cybersecurity best practices, most of which had been recommended in the 2020 report.
“The grand jury has found that the level of cybersecurity preparedness has generally improved since the 2019-20 grand jury report on cyberattacks. However, due to the dynamic nature of the subject, this will require constant vigilance and investment in technologies,” the 2023-24 grand jury reports.
The 2020 evaluation also led to the formation of the Marin Security and Privacy Council, which was created to provide cybersecurity information, advice and alerts to local municipalities, nonprofits and private organizations. It dispatches a monthly security newsletter.
The county has reported only one breach since 2020, resulting from an employee’s action. The county’s chief information officer said the breach was not significant enough to be reported publicly.
However, the recent grand jury report found that many municipalities are unaware of the council and its newsletter.
That gap could be filled by creating a joint powers authority – a countywide agency comprised of multiple public agencies – to raise preparedness and maintain a perimeter of defense from cyberattacks.
That makes sense because many Marin agencies couldn’t afford such protection on their own, even the hiring of private firms to provide such protection. A JPA amounts to a pooling of resources to address a common priority.
The hiring of a team of experts to manage the protective system and conduct security-risk assessments should be considered, but officials need to weigh the cost of such a team of experts versus other possibly less costly alternatives.
In addition, the grand jury recommends that municipalities regularly re-evaluate their contracts with private cybersecurity firms to make sure their protections are keeping up with the technology and strategies of ever-changing cybersecurity threats.
The grand jury’s report is pretty technical. It gets into “the weeds” of possible threats, preventive measures and personnel and bureaucratic hurdles.
It is a report that reflects the value of a grand jury, one that takes an independent look at issues that might not be on everyone’s radar, but for good reason should not be ignored.
In the case of cybersecurity, it is a threat that continues to grow. So should vigilance to ensure the technological protections, awareness and training keep pace.
Even just the grand jury’s finding that some agencies are unaware of the work and service provided by the Marin Security and Privacy Council is a valuable public service and a reminder to the council that there is a gap in awareness and education that needs to be addressed.
It is a reminder that the institutional memory of human beings is as important as the giga- and terabytes of their computer networks.