Back in February, Cheryl Crooks’ email contacts began getting messages—allegedly from her—suggesting they send her Amazon gift cards.
Most who know Crooks—executive director of the Cascadia International Women’s Film Festival—were immediately suspicious of the messages, especially since they contained the salutation “my dear,” which she doesn’t use.
Crooks was unaware the messages were being sent until she was inundated with calls, texts and social media messages from contacts asking if she knew she’d likely been hacked.
“I don’t have any idea how they got access,” Crooks said. “I’m very careful about what I open, and I have pretty high security systems set up.”
Nevertheless, someone got into her personal email, deleted folders full of messages she needed and diverted incoming emails to another account. They then began spamming her contacts, a couple of whom fell for the ruse.
“I was really surprised by the two people that actually did [fall for] it,” Crooks said. “People are distracted by a lot of things sometimes, and … if it’s really well-crafted, then they might not know.”
Though Crooks eventually recovered her account and most of the deleted emails, the issue was disruptive and embarrassing for her, she said. It took several months to stop hearing from contacts about strange emails.
Then, in August, it happened again.
Growing threat for local government
While cybersecurity is a daily concern among everyday people, it reflects an ever-growing threat to local municipalities and their many departments, which rely on increasingly large amounts of digital infrastructure.
In June, the Whatcom County Library System endured a criminal malware attack that disrupted the library’s ability to receive phone calls and emails, or use most online services.
The following month, it was revealed the breach also affected the data of 735 library patrons, including names, birthdates and library account information. A news article later reported a small number of library employees’ Social Security numbers or driver’s license numbers had been stolen.
The cybersecurity needs of Whatcom County look substantially different from how they did 15 years ago, according to Division of Information Technology manager Perry Rice.
Rice—who oversees a staff of about 25 people—has worked for the county’s IT department for 18 years, and managed it for 17. Back in the mid-2000s, their department would encounter the occasional virus outbreak, usually limited to just one computer. Now, a constant series of weekly, daily and even hourly threats exist, from well-crafted phishing emails to ransomware attacks that could take down an entire network. Some attacks are essentially cyberterrorism, threatening to disrupt critical services such as police and fire departments or public utilities like water service.
“That just wasn’t something that we experienced 15 years ago,” he said of ransomware—a type of malware that threatens withholding, leaking or destroying sensitive data unless a ransom is paid.
Phishing emails are far more common, and email is the primary method for a bad actor to infiltrate the county’s system, Rice said. If someone clicks a malicious email link, it usually takes them to a site that tries to harvest their user name and password.
This opens the door for a hacker to enter their account, where the hacker may not immediately play their hand. Rice said some cybercriminals choose to monitor an account to learn where they can best take advantage of someone.
Fortunately, the county IT department has tools and protocols to prevent these kinds of break-ins.
County email systems have filters in place, Rice said, blocking many spam messages from ever hitting an employee’s inbox. Attachment types are also restricted, and additional tools can open a suspicious attachment before an employee sees it.
Traffic to known malicious sites is also commonly blocked. Rice said they receive weekly blocking updates from the Center for Internet Security, a nonprofit cybersecurity organization that offers free membership to state, local and tribal governments. The center has a 24-hour operations center that can assist a municipality depending upon a problem’s scale, he added.
“The resources have gotten so much better, especially coming down from the federal level to local governments,” Rice said.
A watchful eye
The department also carefully determines who has privileged access to certain systems. Rice said even IT employees lack full administrative access. Although most people run their personal home computers with full administrative privileges, Rice said doing so is a massive risk: on a compromised computer with this setting, a hacker likely has full access to everything on that computer.
If the department is sent a suspicious email by a county department (Rice said this happens regularly), they can use equipment not connected to the main network to follow links and determine its legitimacy.
Keeping technology up-to-date is also a critical piece of the puzzle. Operations systems should have the latest software and patches, Rice said, and firewalls, routers and other equipment must also be current as possible.
Traditional antivirus software also keeps a watchful eye: anything triggered by the software automatically sends the IT department an alert.
Still, Bryce Carter, the City of Bellingham’s senior information analyst, said that successful attacks are a matter of “when,” not “if.” About one-third of municipal governments in the United States reported a breach of some kind last year, he added.
“There’s no perfect way to defend against these things,” Carter said. “Even if we do everything right and implement a very solid citywide information security and privacy program, security breaches and data breaches are guaranteed to happen from time to time.”
For the threats that do make it to the inboxes of municipal employees, the person behind the keyboard becomes the next line of defense. And while some scams are obvious to anyone with an inkling of common sense, other phishing scams and compromised links require employees to exercise judgment.
“Most successful attacks target people directly, and exploit human psychology,” said Carter, who sees cybersecurity as a people problem just as much as a tech issue.
The county’s IT department briefs new hires on cybersecurity tips, like using strong passwords and changing them frequently, checking email addresses and not opening documents of unknown origin. Rice said the department is also piloting a program with software that can simulate phishing, though it hasn’t been widely implemented yet.
In a smaller municipality like Ferndale, this education is essential.
Riley Sweeney, the city’s communications officer, said the city has seen a dramatic uptick of increasingly sophisticated phishing attempts. These include messages that appear to be from city officials, asking employees to click on a document and review it. Because of this, the city sends out regular email alerts to all staff about what to watch for.
“We really have to do a lot of employee education to make sure that they know what a cyberattack looks like,” Sweeney said. “Because it’s not like your whole computer lights up and says, ‘Hey, you’ve been compromised!'”
Education is especially critical for Ferndale, which lacks an IT department and instead relies on a third-party consultant for cybersecurity. That business, NW Technology, has been City Hall’s go-to for at least eight years, Sweeney said.
A few incidents have still happened, however. In one, a city credit card was stolen and used on a shopping spree in Florida before quickly being stopped. In another, someone erroneously uploaded a document containing sensitive employee data to a city website. It was promptly removed, with the affected employee receiving I.D. protection monitoring afterwards.
Beware the stranger
Tony Harrell, IT director for San Juan County, said they also pay to have employees undergo regular security training. Harrell also suggests online tutorials as a great self-education tool for anyone wanting to stay informed on cyber threats.
“Like anything else, just beware,” he said. “You don’t let the stranger that knocks on your door, who you don’t recognize, into your house.”
Even with a healthy level of scrutinizing, Crooks admits it’s hard to always know what’s what as the organizer of an international film festival.
“I get emails from filmmakers in Iran,” she said. “It’s a little hard sometimes … to tell if it’s a legit one or not. I’ve gotten emails that are written in Cyrillic.”
Crooks has her own method of checking an email without opening, and will delete anything she finds overly suspicious. She also never saves her credit card information on web pages, and frequently changes the passwords for film fest email accounts.
“There are people out there who are really good at this,” she said of hackers. “[It would] be nice if they would put their skills to better use.”
Carter is currently the City of Bellingham’s only dedicated information security employee—his job covers physical and IT security, as well as privacy compliance, emergency risk policies and incident management. But he won’t be alone for long.
Next year, the city will add a chief of information security position, who Carter said will serve as a community voice for privacy and information security.
“It’s a Swiss Army knife of positions,” he said.
Expanding cybersecurity personnel in an age of unprecedented demand is critical, as the IT industry faces a nationwide shortage of more than 750,000 cybersecurity workers. According to cyberseek.org, there are more than 16,000 openings in Washington alone, with 44 in Bellingham.
Part of the shortage, Carter said, is likely due to those who’ve quit due to burnout from around-the-clock work.
“It’s a stressful job that never stops,” he said. “Most successful attacks happen late at night and on weekends.”
That demand for IT workers is compounded for municipalities, who often can’t match the wages of private sector gigs and subsequently find themselves with a smaller pool of potential hires.
Education training centers, like Whatcom Community College’s nationally recognized cybersecurity program, can certainly be part of the shortage solution.
Since 2012, WCC has received over $34 million in cybersecurity-related grants for the program, which has four full-time adjunct faculty and over 260 students. The program features curricula that are constantly updated, partly because some classes are based on industry certifications, said Marni Saling Mayer, director of communications and marketing for WCC.
Carter sees programs like Whatcom’s as essential to the future of cybersecurity, which won’t be getting easier anytime soon.
“We need these types of programs,” he said. “We need to lower the barriers to entry and provide more opportunities to enter the work force.”
—Reported by Matt Benoit
- Subscribe: Sign up for our weekly newsletter for all the news, delivered.
- Comment: We welcome letters to the editor responding to or amplifying subjects addressed in the Salish Current.
- Contribute: To contribute a Community Voices essay, email your subject proposal to Managing Editor Mike Sato (firstname.lastname@example.org) and he will respond with guidelines.
- Donate: Support nonpartisan, fact-based, no-paywall local journalism from the Salish Current.