Cybersecurity has gotten a bit lost in the news cycle, but it shouldn’t.
Ransomware attacks — where hackers lock up files or IT systems until a ransom is paid — are more common than ever. And for targets in Massachusetts, the ransomware gangs have had a good year.
Attacks, often emanating from places like Russia and China, have shut down ferries, hampered universities, thrown school districts offline, and upended police districts.
When everyday things go off the rails, chaos is guaranteed, and the pressure to pay money is high. And the FBI estimates the state suffered $100 million in damage last year from cyber attacks.
State lawmakers are not oblivious. Hearings are being held, legislation has been discussed as recently as Wednesday, and there’s a refreshing clarity that local and state IT systems are outdated, and the need to protect them is more urgent than ever.
“Unfortunately, success builds success,” Massachusetts state senator Barry Finegold said of ransomware attacks in a hearing last month. “Criminals are going to keep doing this, and that’s why we have to find a new way to counteract these crimes online.”
But in the bid for solutions, two problems get in the way: money and power.
At the center of the policy debate is a simple question: Should we require local IT systems to meet certain security standards, and follow certain protocols?
On one hand, standards are a best practice. Local officials should have emergency plans, modern IT systems, a clear understanding of whether ransoms should ever be paid, protocols to back up citizen data regularly, and training on simple things, like how to deal with suspicious e-mail attachments.
On the other hand, officials from small towns have started to ask: Who decides the standards, and who pays for systems to get upgraded? The problem is made trickier by a statewide, arcane fiscal regulation: Proposition 2 1/2. It caps certain revenue towns can raise by 2.5 percent annually.
Municipal officials say this puts them in a predicament. They can increase budgets to update IT systems, but doing so most likely requires cutting services elsewhere, because raising property taxes more than the ceiling allows is not possible.
Geoffrey Beckwith, executive director of the Massachusetts Municipal Association, urged lawmakers last month not to implement standards, saying that small towns could struggle to comply. “It would be unenforceable and unaffordable,” he said. “It would lead to all sorts of confusion at the local level.”
The fight might end in compromise, with something short of mandated standards, and along the lines of state-issued suggestions. There is also little movement on how much state money will be kicked in to local governments.
Others, like the state’s chief information officer Curt Wood, want money too. “I cannot pay people enough money,” Wood has said of the state’s problem in luring top tech talent to protect state networks. “These kids can walk out the door tomorrow and make $200,000 a year. And they can work from home.”
It’s kind of ironic, given the strength of the local cybersecurity industry, which includes Akamai, BitSight, CyberArk, Rapid7, and Snyk.
At the end of it all, everyone knows the next big cyber attack is not far away. The question is, will we be ready?