Massachusetts officials provided a rare glimpse into the state’s cybersecurity infrastructure Wednesday, laying out a range of actions needed to prevent future attacks from crippling online systems.
A roughly three-hour-long virtual hearing, chaired by Democrats Senator Barry Finegold and Representative Linda Dean Campbell, featured a number of high-profile cyber leaders from the public sector, industry, and academia.
Some implored lawmakers to provide more funding to lure tech talent to government work, provide more support to smaller municipalities, and move antiquated government IT systems to the cloud. Others debated the need for a statewide mandate on cybersecurity standards, which some officials said small towns would struggle to comply with.
The session follows a spate of cyberattacks in Massachusetts that cost the state upward of $100 million in damage last year, an FBI report tallying cybercrime complaints showed. It also comes after attacks that crippled the state’s auto inspection system for three weeks, paralyzed small towns, and disrupted local universities and ferry systems — giving some lawmakers a sense of urgency to combat the issue.
“Unfortunately, success builds success,” Finegold said. “Criminals are going to keep doing this, and that’s why we have to find a new way to counteract these crimes online.”
Curt Wood, the state’s chief information officer, said over 600,000 suspicious e-mails came into Massachusetts systems last year. He added that over a billion suspicious “connections” from across the world, mostly emanating from Russia and China, targeted the government’s systems. (The nature of these connections was not immediately clear.)
“This is critical,” he said. “We cannot take things for granted.”
Wood, who previously served as chief information officer in the state’s Executive Office of Public Safety and Security, said his agency needs more money to hire high-level talent to make Massachusetts’ cyber defenses more sophisticated.
“I cannot pay people enough money,” he said. “These kids can walk out the door tomorrow and make $200,000 a year. And they can work from home.”
A topic of particular debate was the need for statewide cybersecurity standards, which could require Massachusetts towns and cities to implement provisions such as two-factor authentication and data encryption to protect municipal networks.
Geoffrey Beckwith, executive director of the Massachusetts Municipal Association, urged lawmakers not to implement standards, saying that small towns could struggle to comply. “It would be unenforceable and unaffordable,” he said. “It would lead to all sorts of confusion at the local level.”
Finegold, the state senator from Andover, disagreed, saying standards would enable state systems to be in line with best practices often followed in the private sector. “Is that so bad we put a law in place?” he said. “It is helpful to have standards to make sure that people are doing what they need to.”
Executives from corporations including Oracle, Google, and Microsoft offered their suggestions for what state lawmakers should do to make systems more secure — likely previewing a fight for any future state contracts that might arise to modernize state systems.
Representatives from Oracle and Google suggested streamlining the state’s legacy systems and moving them to the cloud, minimizing the “attack surface” of systems that need to be protected. An official from Microsoft stressed that state users should practice “cyber hygiene” and use more complex passwords, to reduce a nation-state’s ability to hack systems through brute-force password attacks.
A VMware representative suggested lawmakers route federal cybersecurity funding to protect critical systems like water, emergency services, and utilities, while taking a hard line against ransomware gangs by not paying them.
Notable cyber experts from Massachusetts also testified, sometimes challenging testimony from others about how simple it is to protect against cyber breaches and ransomware attacks.
Bruce Schneier, a fellow at Harvard’s Berkman Klein Center for Internet and Society, said “a random small town in western Mass.” trying to protect itself from Russian cyberattacks is “just not a fair fight,” and trying to implement a strategy that would actually work is financially unrealistic.
“There’s no way to solve it without spending a lot of money,” he said. “And that’s going to be hard.”