Lowell City Hall’s cybersecurity footprint, funding increase

Lowell City Hall city seal sign. (Julia Malakie/Lowell Sun)

LOWELL — Practically every municipality and agency across the commonwealth has experienced some form of a cyber-related event.

That was the message from Chief Information Officer Mirán Fernandez, who appeared before the City Council’s Technology and Utilities Subcommittee on Wednesday, in a continuation of a hearing that originally was held April 10.

Fernandez spoke before Chair Wayne Jenness and Councilors Kim Scott and Sokhary Chau to request the committee’s approval to expand the organizational and operational mission of Management Information Systems to better secure Lowell’s municipal network, which was hacked last April.

“A cyber-related event is any event that essentially is security related from an external or internal force,” Fernandez said. “… there’s so many different ways that these bad actors can access information and attempt to gather, steal information and impact an organization.”

The 2023 cyberattack of Lowell’s municipal network knocked phones, email, financial, human resources and asset management and revenue systems, as well as other ancillary services like dog, business and marriage licenses, offline.

It also disabled the computer-aided dispatch system in Lowell Police Department cruisers. Officers use the CAD system to write accident, incident and arrest reports from their cruisers. They can also access an in-house records system that gives them background information on the call such as address or a prior history with law enforcement. Patrol officers have been largely operating without that technical support since last year, instead filing their reports from area precincts.

Police Superintendent Greg Hudon told the City Council’s Public Safety Subcommittee on Tuesday that CAD capability should be restored within the next two weeks.

The cyberattack was identified as one of the culprits behind the pervasive mold growth at Pawtucketville Memorial Elementary School, when it disabled the school’s HVAC systems.

City Manager Tom Golden also attended the meeting and conveyed his administration’s priority of protecting the city’s networked infrastructure.

“This is something that we need to make happen,” Golden told the committee. “I support this 100%. This is one of our major pieces.”

Fernandez’s proposed fiscal 2025 MIS reorganization will bring all networked operations — City Hall, fire, police, career center and library — under the MIS umbrella. It will also add a deputy chief information officer position that will directly report to Fernandez. The reorganization does not include Lowell Public Schools. In February, an outside attempt to gain access to the district’s file server was blocked by its cybersecurity software.

In total, the reorganized department adds eight new positions, growing from 23 to 31 positions, all of which will be funded through American Rescue Plan Act money.

“ARPA was really meant to bring back the workforce,” Golden said. “I believe that the way we’re doing that, that this is a soft landing because of the growth over the next few years.”

ARPA was signed into law by President Joe Biden in March 2021. Lowell received a $75.9 million allocation to assist with the ongoing pandemic recovery effort. ARPA-funded positions expire in 2026, and jobs created with those funds would then need to come from the general budget.

A report on the source of the April 2023 cyberattack has not been provided to the council, and Golden has not updated the council on the costs of rebuilding the compromised systems from the ground up or the financial impact on operations.

Former Superintendent of Schools Joel Boyd and Golden allocated more than $1 million combined funding from their respective budgets to purchase LifeLock protection for all current city and school employees impacted by the cyber breach.

LifeLock is identity theft protection software, that, according to the company’s website, “monitors for identity theft, the use of personal information, and credit score changes.”

Former City Councilor, now School Committee member Dave Conway requested that then-City Manager Eileen Donoghue report on the city’s plan against a possible ransomware attack that would ensure that all city departments had sufficient protocols and updated technology to prevent hackers from comprising Lowell’s systems.

The motion response to Conway’s 2021 request was titled “Cyber Security Protocols” by Fernandez.

MIS falls under the Finance Department led by Chief Financial Officer Conor Baldwin and Fernandez told the council then that “The City of Lowell’s MIS Department has adopted a baseline designed to improve our overall cybersecurity posture,” which included “implementing best practices designed to secure our technology and data.”

The increased staffing and line authority over the city’s sprawling municipal network should enhance security, Fernandez said.

“The silver lining to us was that we had the opportunity to rip everything out and start over from scratch,” he said. “… we rebuilt everything using current best practices. We are doing our best to minimize the risk to the taxpayer and to the organization in general.”

Chau’s motion to bring both the proposed reorganization, staffing increases and deputy position before the council for a public hearing unanimously passed.

“Can we say that it will ever happen again?” Fernandez said. “Absolutely not. But we are doing our best to minimize the risk to the taxpayer and the organization.”