(The Center Square) – Pennsylvania lawmakers focused this week on protecting municipal governments from cyberattacks that threaten communities statewide.
The joint hearing, hosted by the Senate Communications and Technology and Local Government committees, follows an attack that compromised Bucks County’s emergency dispatch system last month and a wider national attack in December affecting the Municipal Water Authority of Aliquippa.
The attack affecting Aliquippa was committed by Iran-backed hackers targeting Israeli-made technology in retaliation for Israel’s bombardment of the Gaza strip, highlighting the deeply interconnected nature of cybersecurity.
Aside from newsworthy attacks like Bucks County and Aliquippa, security systems are subject to a constant barrage of potential threats from attacks intended to steal money and information and to create havoc within systems.
“Municipal authorities are not unlike any other businesses or governmental agencies subject to attack,” said John Berti, IT and telecom manager for the Wyoming Valley Sanitary Authority. “Simply put … it’s not a matter of if, but when.”
Clifford Shier, a cybersecurity expert for Unisys, explained that situations like this are why there needs to be a “statewide baseline” for security best practices that protect both small municipalities and the connection they share with the much broader network of governing bodies.
“Even if you’re talking about a small tax base in a small part of the commonwealth, there’s still potential for that to impact should there be a cyber attack,” said Shier.
Senators expressed concern about finding funding for a system that would be able to offer protection across the commonwealth. While many smaller municipalities are equally vulnerable to attacks that could open the door for wide-scale damage, they are often lacking the resources required to follow best practices.
Even in areas with a larger tax base, the cost of creating and maintaining adequate security can be staggering.
“There is no doubt that cybersecurity and cloud technologies are forcing a growth in IT expenditures in our county,” said Joe Sassano, executive director of IT and chief information officer for York County. “Our spending in cybersecurity technologies has more than tripled over the last four years, and this trend also shows no sign of decreasing.”
One of the biggest challenges to mounting a rigorous cybersecurity strategy is proving its importance. For much of the public, these kinds of attacks are abstract, and it’s difficult to find the justification for using the collective pool of tax dollars to protect local-level systems.
“You’re going to have to get people to – number one – agree to what that baseline is, agree that there’s a public good that comes from it,” said Sen. Tim Kearney, D-Media, whose experience in Delaware County required a massive insurance payment to resolve a ransomware attack.
To that end, experts emphasized the importance of education. One major area of vulnerability is the user of the system itself. Digital hygiene can help prevent security breaches that stem from phishing emails and increasingly common socially engineered attacks.
“Spreading awareness of the issue can help in mitigating this,” said Dr. Mai Abdelhakim from the University of Pittsburgh. “Imagine nobody was subject to social engineering attacks, nobody responding to phishing emails. Spreading the importance of the issue early on is going to protect systems eventually.”