Cultivating a Culture of Technology (Before a Disaster Occurs)
By Deborah Lynn Blumberg
When the City of Lewiston was hit with a ransomware attack last year, its accounting, sewer and water, and payroll systems instantly went down.
The city of 1,500 couldn’t apply payments or pay its vendors for weeks. City leaders ultimately found program back-ups and got their systems up and running again. But still, employees had to rebuild some of the city’s crucial data from scratch.
Bobby Falcon had just started in his role as Lewiston city administrator at the time. Already, before the cyberattack, he knew he wanted to shore up the city’s information technology (IT) systems and infrastructure. But the attack happened before he could get updated protocols in place.
Since the attack, Falcon has prioritized technology infrastructure and worked to cultivate a culture of technology among city staff. But, most importantly, he knows that as city administrator, he too must stay on top of Lewiston’s IT needs. Falcon understands that, with cybercrimes on the rise, it’s no longer sufficient for city leaders to delegate their community’s technology matters to contract providers or department-level staff.
Instead, leaders themselves must be aware and engaged, and recognize IT as an integral piece of the overall strategy for their city. IT isn’t just a “technical matter,” says Christian Torkelson, cybersecurity loss control field consultant with the League of Minnesota Cities Insurance Trust (LMCIT).
IT today must be part of cities’ DNA since core services are intertwined with technology such that delivery is impossible without, or even indistinguishable, from it. More and more, the public is also demanding better services and digital convenience, while cities big and small upgrade equipment and tap into new technologies to meet residents’ demands and more efficiently provide and administer their services.
“Often technology is considered a supporting service, or worse yet, an afterthought, when really we should look at it as becoming a core service of the government,” says Torkelson. “As more and more cities depend on technology to run services, city administrators, managers, and clerks need to incorporate technical management into their managerial skillset.” This is critical for cities of all sizes, he adds. “The truth is, and we know from our claims data, that cyberattacks happen to all types of cities — even larger cities that have invested lots of resources into IT controls.”
Taking an active role
Historically across cities, city administrators, city managers, and elected officials have tended to outsource the cybersecurity and incident planning process to experts.
City leaders’ immense workload makes dedicating time to IT a challenge, and the topic is complex and falls outside most city leaders’ areas of expertise. Meanwhile, some leaders don’t believe their city will experience any IT issues at all.
At the same time, IT staff are often not equipped with the budget and knowledge of the overall city strategy, which could help them decide what to prioritize.
Torkelson says it’s not uncommon for municipal IT staff to feel overwhelmed in this environment and as if the role is being over-delegated to them. “I hear it from IT staff all the time,” Torkelson says, “they feel alone and in the dark about what city priorities are.”
Adds Melissa Reeder, chief information officer for the League of Minnesota Cities, “If leaders aren’t involved, it’s hard to determine priorities for your city. Outlining your disaster planning before you experience a crisis will help avoid working in silos and having disagreements while in the middle of a true crisis.”
Those arguments will only waste valuable time when responding to an incident.
Being prepared also applies when systems go down outside of an attack. For example, one city was mulling over what would happen if the point-of-sale checkout terminal it uses for its recreation facility was to fail and they couldn’t take payment. Would they close for the day? Or, would residents get in for free?
“The person or vendor responsible for the IT system doesn’t necessarily understand the revenue, operational, or political implications of system failure,” says Torkelson. “It isn’t just an IT issue. Leaders need to understand the consequences of failure for technology systems in their environment.”
Reeder adds that to be truly successful, the city should take a comprehensive approach that loops in both city leaders and IT.
To get ahead of these types of situations, city leaders have to be more involved in technology decision-making and planning, Torkelson says, even if they might initially feel intimidated by the technology.
There’s value to taking a more active role in technology planning and policy, and more seamlessly incorporating it into strategic planning, Torkelson adds. It could very well help prevent a debilitating cyberattack or to lessen the impact on city residents and the city’s budget if an incident does occur.
A collaborative approach
One way to start is for leaders to get up to speed on their existing technology before there’s an incident. What systems and software does the city use to support services and business functions?
Before investing in IT solutions, Torkelson says, key stakeholders should meet. “Too often, I see entities — in both the public and private sector — eager to buy a tool or product to address a problem, thinking that alone will solve their problems.”
While the tool or product may ultimately be necessary, he adds that the danger with that line of thinking is that it can lull leaders into a false sense of security. They think they’re protected, but they often haven’t looked at the big picture.
“Bringing people into the room together is critical,” he says.
Leaders and IT need first to have much-needed conversations about:
- Which technology systems exist in your environment?
- How might IT outages for those systems impact dependent city services and business functions?
- What services and functions are priorities for your city, and which would you target to be brought up first?
- What are tolerable levels of impact in terms of downtime, data loss, revenue, or service degradation?
- Are there alternative or fallback methods of doing business, and how long can that be sustained?
When leaders consider IT incident scenarios and know which systems they want to prioritize to get back online, that helps to inform where IT money should be spent. It should be a collaborative business approach, Reeder adds.
To be successful, cities “need leadership backing the cybersecurity program and plan,” says Torkelson. “You need leadership buy in. Leaders need to be engaged in the conversations.”
Lewiston has this buy in from Mayor Beth Carlson and Lewiston’s City Council. The IT incident in Lewiston “was an eye opener,” Carlson says. “It’s serious, and the size of your city doesn’t matter. If you’re a smaller city, you might even be a bigger target because the cyberhackers may think you’re not investing in protecting yourself.”
When Lewiston switched to a new IT provider after the attack, Carlson appreciated that representatives came to speak with city employees and address their questions. Carlson and the Council were quick to approve funds needed for system upgrades, which included moving data to redundant storage in the Cloud and instituting dual authentication across all city devices. The city’s IT budget nearly tripled in the aftermath of the attack. It was a line item that Lewiston city leaders acknowledge was underfunded.
“You need to understand what your people need in order to do their jobs,” Carlson says. “Our price tag did go up, but it should put us in a position that, when an attack happens again — because it really is a matter of when, rather than if — we’re prepared to re-set up shop with our backup.”
Falcon says council members are very receptive to IT needs. While Lewiston’s municipal staff is small, he says larger cities would likely benefit from an IT committee that meets monthly or quarterly to review their city’s IT systems and needs. Vendors, too, should be involved in planning conversations early on and seen as collaborators.
Through collaboration between leadership, the City Council, and IT partners, Lewiston has defined its risk tolerance and set targets for acceptable levels of impact for incidents that might occur in the future.
“If an attack were to happen tomorrow,” Falcon says, “we may be down a day or two, but it would be a quick rebuild now versus having to start over. “The challenge is going to be for people that haven’t had this happen to them,” for them to commit to the idea of taking a bigger role in IT and making it an integral part of their business strategy.
Deborah Lynn Blumberg is a freelance writer.