Cyber Security and Municipalities: Speaking with N.C. Secretary and State Chief Information Officer Eric Boyette
Cybersecurity is an urgent priority to all municipalities, and the person overseeing that effort for North Carolinians is Eric Boyette, who has served atop the N.C. Department of Information Technology since 2017. In 2019, Boyette was elected president of the National Association of State Chief Information Officers.
Many cities know the risks—namely, that your municipal data can be hacked and held ransom. Many, though, do not know the resources, which, as compiled by Boyette, are many. Partnerships, experts, emergency management services, the National Guard—they’re all ready and able to help towns before, during, and after an attack.
To learn more about the cybersecurity situation in North Carolina, we reached out to Sec. Boyette directly. Our conversation is below.
What are the cybersecurity risks for municipalities? What do these risks look like?
The biggest kind of attacks we’re seeing are ransomware attacks. That’s where you have a bad actor send out a phishing attack, and some of your employees will receive a link that is not an official link. They’ll click on that, and that allows the bad actor access to your infrastructure, your server, things like that. They can actually hold your data at ransom. They’ll lock it, and when you click on anything looking for your data, it will ask you for an encryption key. And you’ll have to either pay for that key or, as we’ve encouraged most of our people we work with, to make sure you have good backups, so you can restore that data without having to pay that ransom.
That’s one of the ways we’ve seen lately. We actually had one this past weekend with ransomware where this was an insider threat. An employee was terminated, but the employer did not terminate their credentials. With ransomware, there are surface level attacks, like the first one I talked about, and there are insider threats.
How frequent are these attacks?
Unfortunately, we are seeing an increase. We’ve had about 10 that we know of. We recently had a legislative change, so hopefully we’ll at least be aware of other attacks as they’re happening. We’ve recently seen a trend upwards. I don’t know if that’s because our agency was not very prevalent in the cybersecurity scene with counties and municipalities when I first got here, but our Chief Risk Officer Maria Thompson and I have really done a push to let people know in the state that we are a resource for the agencies, for our municipalities, and for our county governments, to use us. I think that’s part of the reason why we’re actually understanding and seeing more of those attacks pop up.
How do counties and municipalities use you? What are some of the resources that are available?
We’ve got a great partnership with the North Carolina National Guard. We actually have an MOU (Memorandum of Understanding) with the National Guard within the Department of Public Safety. Anytime we have an attack within a county, municipality, or agency, we can work with the Department of Public Safety to deploy Guardsmen and actually have them on scene very quickly. Our staff also works with them. There’s a great partnership there, and we have contract vehicles and we have a security operations center.
Also, there are devices called sensors that we put on the network where we can see traffic. Hopefully we had one on the network in the affected area—we have about 13 out there right now. But if we didn’t, we put a sensor on that network to see what kind of traffic is there. We then use our security operations center, our National Guard is on the ground trying to assess the damage and look at what does remediation look like, and then our staff would go out. We’ve had one of our counties recently hit through the school system, and we had about 20 different sites affected. You don’t think about it, but things like telephones—they’re all IP based, they’re all going through some sort of computer system. We had to go out and help the school get back up and running.
We have lots of partnerships. We have one now where we work on prevention. When you apply for a loan, you get a credit report. We have something similar that we do now for all counties, where we look at their cyber health. And if we see a trend up or down, we let them know what we’re seeing.
This seems like a really creative use of the National Guard. Is it, or are other states doing this too?
We’re very fortunate here. We have a great partnership. Other states are doing this, but some of the states do not have the partnerships that we have. We’ve always had a great partnership there and with the Department of Public Safety and with Emergency Management. We all work together. I’ve seen it in other places—Louisiana has a similar type of setup—but we’re very fortunate.
I have a lot of my peers around the state asking, “How do we get these arrangements?”
If there is an attack, your recommendation is that municipalities call your office immediately, right?
Absolutely. You can contact our office, or you can go through the Emergency Management systems, which feeds back to us. We also have an online portal here at DIT.
What are some ways that municipalities can prepare, and are there ways that you assist in that preparation?
The biggest thing that we stress, especially in the executive cabinet, is training. We have cyber security training that is mandated for all of our employees. It’s something that is often overlooked, but it is critical. Employees that are not trained are susceptible to some of the phishing attempts, but the more we have the training in front of them, the more we can help them be aware of the attacks.
Beyond training, we look to partnerships. We have contracts that we maintain for security assessments, which can be anything from training to looking at your current infrastructure and preparedness. We have several contract vehicles there that counties and municipalities are open to use, and some of them have.
Plus, our expertise. One thing I always stress is that we’re not the big brother who will come in and tell you you’ve done something wrong. We are a state entity and we all want to make sure we’re protecting the citizens and residents of our state. How do we do that? We do that together. So we want to come in and work together, side by side.
Why are municipalities so targeted? Why are they often in the crosshairs?
It’s not just municipalities. It’s anywhere where the IT budget may not be a top priority. There’s a lot of activity around technology today, and we may have not paid attention to our security standards with that technology.
The bad guys know where to look. They’re going to find that low-hanging fruit. They understand budgets almost as well as we do, and they understand the smaller, more susceptible areas. I don’t want to say municipalities are easy to compromise, because it could be anybody. It’s anywhere where attention is not being paid to cybersecurity and strengthening your systems.
What advice would you give to municipalities, counties, and public entities?
There are three things.
First is training. You really have to train your staff to understand not only what they receive, but also what type of critical information they have access to, to make sure that’s protected. Second, the ability to share information. If you have an incident, reach out and be willing to share. That will help protect our brothers and sisters across the state. We have to make sure we help each other. And third, be vigilant. Share training, talk about things that worked well and things that did not work well, and be willing to be open.
You have to establish a trust between you and the municipality.
You’re absolutely correct. That’s what we’re trying to do with municipalities, you at the League, and with the counties. We want to prove that you can trust us. You’ll notice that I haven’t named any counties or any municipalities.
