Protecting a City from Cyberattack: What 'Hoosiers' and Cybersecurity Have in Common
By Jennifer Monahan
The journey to an unlikely state basketball championship dramatized in the film Hoosiers looks a little different than the high-tech challenges facing cybersecurity experts today. But the underlying strategy – intense preparation, attention to getting the fundamentals right, relying on the playbook – is remarkably similar.
What does it mean to keep a city safe from cyberattack?
Municipal governments provide valuable services to their communities. The specific offerings vary by city – everything from waste disposal and clean drinking water to marriage licenses and libraries to police, fire, and EMS departments. Protecting a city from cyberattack means maintaining the availability of those services and safeguarding the data on city systems.
Cyberthreats are a reality for communities small and large. When the city in question is sometimes known as the “Capital of the World” like New York City, the threat actors are especially motivated and the stakes are especially high.
Defining the Threat Landscape
The threat landscape for cybersecurity is about as bleak and depressing as the cold, barren terrain the Huskers travel through in the movie.
Potential threat actors include nation-states, insider threats, terrorist groups, cybercriminals, “hacktivists” (people who use hacking as a form of civil disobedience), and thrill-seekers. Each of those entities might have a different motivation for disruption, and exploiting a vulnerability can be as easy as targeting a single employee who falls victim to a phishing scheme or whose secret password is “Fluffy1234.”
Will Liu (MSISPM ’14) is the Computer Emergency Response Team (CERT) Lead at the NYC Office of Technology and Innovation’s Cyber Command, focused on incident response for the city of New York. Though he previously worked in the private sector, Liu has spent the last three years as a civil servant, working to protect city systems that deliver critical services to residents.
“Anything and everything are on the table for ransomware,” Liu said. Because ransomware is often financially motivated, municipal governments are especially ripe for attack. Availability of online systems to pay a parking ticket or get a business license has value. The financial systems cities use to pay their vendors have value. The data about residents stored within a government system has value. If threat actors can cut off access to services or steal personal data, they have the potential for significant profit.
Threats to critical infrastructure – at a high level, any cyberattack that affects citizens’ life and safety – are another concern for cities. Police, firefighters, hospital systems, emergency response services, and clean water are vital services whose disruption could have grave consequences.
How Do You Protect a City?
Preparation is the key to preventing cyberattacks and to responding effectively when they inevitably occur. In the world of cybersecurity, asset inventory is an important component of that preparation.
“Having good asset inventory, which is understanding everything that a city owns – all the computers and components – and the services it provides, is vital,” Liu explained.
Having the right playbooks matters, too.
Part of Liu’s role is to make sure the playbooks are good – that the proper procedures are in place to respond to cybersecurity incidents.
“A lot of events could impact a city government, and one of the things you can do is prepare for those. So often it's making sure that you have good IT/cyber hygiene, getting the basics right,” Liu said. “If something happens at two a.m., do you know who you're calling, or who's responsible for a specific IT service?”
Good IT hygiene includes implementing security controls like multi-factor authentication (MFA) and properly identifying and labeling critical assets: that is, knowing where important data and personally identifiable information are stored and then categorizing those systems as critical assets.
The federal government provides frameworks for creating those playbooks. The National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) both publicly share best practices and industry standards. The guidelines can help minimize risk, though ultimately cyberattacks still occur.
“In terms of ransomware, you can prepare for different scenarios, making sure you have the proper staff and training for that, making sure you have good asset inventory, making sure that you know your lines of communications and responsibilities during an incident,” Liu explained. “Those are the main things, so that when something happens, the response isn't to panic.”
“Frequently in large-scale incidents, the [cybersecurity] staff that you have are extremely busy, and that's where you rely on that third-party retainer to help augment and speed the response,” Liu said. “It becomes a team effort at that point, where the full-time staff on hand help direct the incident, and then the consultants or vendors will help provide that forensic analysis capability and help decision-makers quickly determine the next steps.”
Challenges and Vulnerabilities
Some of the toughest issues facing cybersecurity professionals come from within the organizations they protect.
Legacy systems – information systems and software that are still in use in a department, but are no longer supported by the vendor or open-source community – represent a significant point of vulnerability in cybersecurity. The risk is higher because such software is more likely to be unpatched. If someone uncovers a vulnerability in the software, no one is there to fix it. The vendor has either moved on to newer software or gone bankrupt.
“Chances are, if you have a system online for so long, it's likely providing a critical service,” Liu explained. The dual whammy of out-of-date security features on essential software also heightens the risk and vulnerability.
Asset inventory, one of the fundamentals of good preparation, is easier said than done. The broader the range of services, people, and technology within a city, the tougher the job. The difficulty was exacerbated exponentially by the COVID pandemic.
“What you saw in a lot of organizations was a sudden need to transform the IT environment quickly,” Liu said. “People were suddenly working from home, which meant that IT administrators needed to spin up new ways for people to work remotely in what had historically been on-site organizations.”
Out of necessity, the priority was to get workers equipped for remote work. IT staff in many places had to play catch-up in reassessing and reanalyzing asset inventory in the new environment.
If those challenges sound daunting for large cities that are able to employ IT and cybersecurity staff, how can smaller municipalities even hope to take on cyberthreats?
Much like the 1954 Milan High School ballers – the real-life team that inspired Hoosiers – there’s hope for the underdog.
The federal government, through the Infrastructure Investment and Jobs Act, has made grant money available for state and local governments to address cybersecurity risks and threats. Additionally, Liu said, there are ways to address cybersecurity issues on a smaller budget.
“In cybersecurity, the three components are people, process, and technology,” Liu explained. “People cost money, and so does technology, but process doesn’t necessarily.” Cybersecurity events such as inadvertent data disclosure, a ransomware incident, an impact to critical infrastructure, or an insider threat are known types of incidents. As such, Liu said, “One of the things you can do, without spending a lot of money, is prepare for those.” Back to the basics. Back to the playbook. Have a plan and procedures in place for when the events happen. Test out the plans through tabletop exercises to identify gaps and areas for improvement. Practice the plays prior to the game so that everyone on the team understands their roles and how to coordinate with their teammates when it’s game time.
Even for cities that can afford to hire cybersecurity staff, the prospect is challenging. Municipal governments compete with well-known organizations like Google, Amazon, or Meta – all of whom have deep pockets – for a relatively small pool of tech-savvy workers. Cities often lose out, but the challenge can be addressed.
“I think it’s a branding issue,” Liu said. Civil service isn’t the first option that comes to mind for many young people. Government programs, municipal cybersecurity internships, and partnerships with local universities are already underway to try to create a hiring pipeline. And Liu believes if students understand public service as a potential career path, some will choose it. Protecting a city from cyberthreats is a worthy endeavor. “The mission is cool, and the work is impactful,” Liu said.
An array of bad actors. A host of threats. Attackers planning in the shadows and executing their crimes in silence. The world of cybersecurity looks at first like an overwhelming prospect. But just as the storied Huskers suffer a few losses along the way and ultimately prevail against seemingly insurmountable odds, that strategy of sticking to the fundamentals and effectively executing the basics allows cybersecurity experts to meet the challenges facing modern-day underdogs.