Lessons from Georgetown & Lexington: Protecting Counties against Cyber Attacks, Exercises of English Literature

Local Government Administration, Cybersecurity, Information Technology in Government

The experiences of Georgetown and Lexington counties in dealing with cyber attacks, the lessons they have learned, and recommendations for other counties to protect themselves. It includes insights from IT directors, public information officers, and emergency services directors.

What you will learn

  • What steps should counties take to protect themselves against cyber attacks?
  • How did Georgetown County respond to their cyber attack and what were the consequences?

Typology: Exercises

2021/2022

Uploaded on 07/04/2022

SybyllaA

COUNTY FOCUS, FALL 2021

How Counties Can Protect Themselves Against Cyber Attacks

By W. Stuart Morgan III

Counties are attractive targets for hackers, and they are under attack!

After Georgetown County sustained a ransomware attack on January 20, the county worked hard to recover until receiving a clean bill of health 52 days later. Threatened by a growing number of cyber attacks in recent years, Lexington County continues to work hard to avoid one.

Both counties have learned lessons worth sharing.

Lessons Georgetown County Has Learned

“Our county’s cyber intrusion event occurred over the weekend when someone opened an email attachment,” recalled Seth Housand, IT Director, Georgetown County. “The email itself did not set off any red flags within the email security filter at the time nor did it have any key indicators such as misspelled words, a strange email address or sense of urgency that you often look for in phishing emails.

“The only exception to that email was its attachment,” Housand added. “Once that attachment was opened, its malicious payload was delivered. We became aware of the intrusion three days after the attack when alerts began and red flags went up because a server was rebooted off schedule and its services stopped. Upon investigation, we found a ransom note and all data had been encrypted.”

That cyber attack destroyed all of Georgetown County’s computer systems, and halted all of the county’s virtual operations requiring Wi-Fi. The county paid a $10,000 deductible on its cyber attack insurance policy, which helped replace computer equipment. County Council also voted to approve a general fund increase of $140,000 to help pay for necessary network upgrades.

Jackie Broach, Georgetown County Public Information Officer (PIO), said hackers tried to gain access to county records, most of which were already public record. But they did access the social security numbers of about 50 county employees in one department that were stored on a computer, and some of the county’s bank account information that was outdated and no longer used.

Georgetown County’s leaders recognized that the attack would affect the public and county employees, and the importance of messaging immediately after the attack.

“Our initial media statement went out early Monday morning, January 25, once initial stages of the investigation were conducted over the weekend,” Broach said. “The wide-ranging media interest in the days, weeks and months following the attack was more than a little surprising. Media interest was immediate, and the public had questions about how this could impact them and whether any of their private information was compromised.

“My primary responsibility was to answer questions on how the cyber attack would affect the public, and to respond to the concerns of the public and media,” she added. “After notifying county leadership, law enforcement and our county’s cyber insurance company, I needed to tell the public what I could and be as honest and as transparent as I could about it.”

Communicating externally with the public was one thing, but communicating internally with county staff was another, according to Broach.
Communication internally was significantly more difficult. The county’s administrative services/HR director set up regular virtual conferences on GoToMeeting every Monday, Wednesday and Friday morning to update departments on the latest developments. Communication was conducted virtually with department heads and other key county personnel until the county’s computer systems were up and running again. Gmail accounts were set up and used for two weeks immediately after the cyber attack while the county’s email system was inaccessible.

“The most difficult part about messaging following a cyber attack is figuring out how to answer questions when you are still trying to determine exactly what has been compromised,” Broach said. “Because a huge part of my job is to be ready to communicate during disasters, such as hurricanes, and our county’s cyber attack was very similar to that, my files were backed up, and all my equipment was mobile. So, I was able to grab my stuff, move to the Emergency Operation Center (EOC) and keep working.

“The biggest issue for me was that I couldn’t access my email,” she added. “But I used the Gmail address, which was set up for county use, and used that account to send out the initial news release to let people know that they could use my Gmail address to contact me for the foreseeable future.”

Brandon Ellis, Director of Emergency Services, Georgetown County, facilitated the operation of the county’s EOC after the cyber attack, and coordinated with emergency services agencies operating under the EOC umbrella. He also helped allocate emergency/disaster resources and coordinate with county leaders as they dealt with the attack.

Georgetown County’s experience and approach to managing events like major floods, hurricanes and COVID-19 helped the county respond effectively and efficiently to the cyber attack.
“The all-hazards approach to our planning process allows our emergency response plans to be applicable to any and all emergency situations,” Ellis explained. “In addition to our comprehensive emergency operations plan, which has a detailed appendix specifically for cyber incidents, we were also able to leverage our continuity of operations plan and our logistics plan to ensure that government operations continued while our county network was basically unavailable.

“Typically, during an emergency,” he added, “our county’s IT

“ ... after the cyber attack, our IT staff served as the operational lead and other departments were forced to step back into more of a support role.”
Brandon Ellis, Director of Emergency Services, Georgetown County

There is nothing quite like suffering a cyber attack to make you rethink your county’s plans and procedures for handling one. Just ask Brandon Ellis, Director of Emergency Services, Georgetown County.

He learned some lessons after his county sustained a cyber attack earlier this year that he believes could help other counties prepare for a cyber attack as well as any other catastrophic emergency or disaster.

Ellis emphasized that it is important to:

“Be Flexible. Staff members get in a routine and they enjoy technology when it is working. When it’s not, they don’t handle the situation as well. We were constantly preaching to our staff to be patient and be flexible. As we worked through the process we had to identify alternative methods to accomplish normally simple tasks. As systems came back online, they did not operate as fast as they may have previously due to added protection and scanning mechanisms.

“Have a Backup Plan in Place and Know What It Is. We have a very comprehensive continuity of operations plan (COOP) that each department reviews, updates, and contributes to annually. The first option was to activate this plan to continue operations but it was quickly identified that the information therein was not completely up to date for all departments. As we waded through this information and encountered challenges along the way, we successfully worked through them but our efficiency in navigating these issues and deficiencies would have been much better had we been provided the right information in the plan. The point: Review your plans and update them when requested. We do this so that the guesswork is out of the picture when an emergency occurs.

“Have Backup or Alternative Systems. We quickly learned that our emergency management department housed the majority of available surplus laptops, mifi devices, and cradlepoints within the county. We were able to manage the distribution of these resources to other departments using our resource allocation and tracking processes that we utilize for every other major emergency situation, and with great success.

“Build Relationships. From our emergency planning and coordination initiatives, we were fortunate enough to have some of our partner agencies from outside of county government immediately reaching out to provide assistance and resources. These relationships are based on years of great coordination and team building, and are a true testament to our whole community approach to emergency planning and response.

“We must approach every situation with an open mind and be willing to learn from it,” Ellis said. “As a county, I think that we successfully did that after we discovered holes in our plans and procedures for handling a cyber attack when we suffered one earlier this year.”

How to Prepare for a Cyber Attack

(Continued on next page)