In late April, the City of Lowell’s computer system was hacked, forcing the phone and computer systems to almost completely shut down. Three weeks later, the hackers claimed to have released online data stolen from the city and threatened to release more unless a ransom was paid.
While it’s unclear what led to Lowell’s breach, the incident provides yet another warning to other municipalities to not take cybersecurity for granted.
The extent of the threat municipal governments face from hackers “cannot be overstated,” said Donald Norris, retired professor of public policy at the University of Maryland, Baltimore County, and coauthor of a book on cybersecurity and local government. “The bad guys are really good at what they do. They’re persistent, they’re innovative. If one method doesn’t work, they figure out another one.” Government at all levels, Norris said, lags behind the hackers. Often, he said, local governments do not even know they were hacked. Because most states lack reporting rules, and no states require public reporting of municipal government hacks, it is impossible to know the size of the problem.
Municipalities have many needs when it comes to cybersecurity, chief among them knowledge, staff, and money. The state and federal governments are putting resources toward helping municipalities, and cities and towns must take advantage of as many of these resources as possible to keep their data and systems secure.
The MassCyberCenter has published guidelines for municipalities, which focus on employee training, regional threat-sharing, response planning, and securing technology. The state Executive Office of Technology Services and Security offers grants for cybersecurity training and one-time information technology projects and provides free “cybersecurity health checks” to help government agencies identify security gaps. The state has a response team to help municipal governments respond to and recover from attacks. A four-year, $1 billion federal grant program Congress created in the 2021 infrastructure bill will give Massachusetts $16 million to enhance cybersecurity, and a committee has been formed to decide the best use of those funds.
Perhaps the most promising initiative comes from CyberTrust Massachusetts, a nonprofit formed last year with state money that is focused on training a pipeline of cybersecurity professionals at public colleges while providing services to municipalities. A pipeline of new workers is desperately needed because current demand for cybersecurity professionals is so high that workers command high salaries, and local governments cannot compete with private businesses in hiring.
At Bridgewater State University, for example, school officials plan to launch bachelor’s and master’s degree programs in cybersecurity in the next academic year and are already running a certification program for information technology professionals from Plymouth County municipal governments. The school plans to open a cyber range — a simulated training environment where novice IT workers and seasoned professionals can learn to respond to threats — using software that CyberTrust Massachusetts gave several universities.
The next step — a potential game changer for municipalities — will be the opening of three Security Operations Centers at Bridgewater State University, Springfield Technical Community College, and one still-undetermined location over the next couple of years. Cybersecurity professionals will work alongside college students and offer assessments, ongoing network monitoring, and threat response to municipal governments.
Peter Sherlock, CEO of CyberTrust Massachusetts, said this will give students hands-on training while using economies of scale and intern-level wages to make services affordable to municipalities.
There are also private initiatives. A cybersecurity clinic at MIT offers free threat assessments to about four Massachusetts cities per semester, using trained teams of students to advise communities how to improve their technology security.
Massachusetts, like most other states, has no mandatory standards for municipal government cybersecurity, and the Legislature is unlikely to impose any because the state would then be responsible for paying to achieve them. The federal government is unlikely to impose nationwide standards. The result is a voluntary system with a patchwork of readiness.
Many rural towns, for example, have old computer systems and do not have an information technology department, much less someone with cybersecurity expertise. They may rely on contracted services or simply a town hall staff person with an interest in information technology but no formal training.
States can do little to address the root of the problem. It is up to federal law enforcement and government agencies to arrest cybercriminals, who are often based in foreign countries, and sanction their enablers.
Meanwhile, state and federal governments must continue to offer as many resources as possible to local governments and make sure those resources are tailored in a way that every community, big or small, can access the services they need. Cities and towns should seek out the available resources, prioritize cybersecurity, and update their systems as needed to keep government functioning and keep residents’ information safe. Otherwise, the cost of responding to a successful cyberattack will likely dwarf the amount needed to keep digital systems protected up front.
Editorials represent the views of the Boston Globe Editorial Board.