By Pam Olsen
for Santa Barbara County Grand Jury
The 2021 Santa Barbara County grand jury has prepared a report about cybersecurity for special districts and county service areas following the 2019-20 grand jury report “Cyber-Attacks Threaten Santa Barbara County,” which focused on the broader county issues.
The report urges the 53 special districts in Santa Barbara County to review their cybersystems to identify cybersecurity threats. The jury urges the special districts and service areas to take all necessary measures to protect their operational data and computer systems.
The jury has proposed a list of best practices for Santa Barbara County special districts to consider in identifying, protecting and, if necessary, upgrading their cybersecurity activities to advance the best interests of their consumers.
There are three types of special districts within the county: independent special district, dependent special district and county service area.
An independent special district has its own board of directors, either elected directly or appointed; they make their decisions on activities and budgets independent of any city or county oversight.
A dependent special district is actually run by its respective city council or county board of supervisors.
County service areas (CSAs) are different from special districts in that they are also governed by the County Service Area Law (Cal. Govt. Code §§ 25210 et seq.) in addition to the Cortese-Knox-Hertzberg Local Government Reorganization Act of 2000. There are currently 39 independent special districts, eight dependent special districts, and six community service areas in the county.
Press accounts have reported cybersecurity breaches across the U.S. including the two-day shutdown of a part of Colonial Pipeline’s oil distribution system on the East Coast in early 2021, which reportedly cost the company more than $2 million in ransom payments.
Costly or potentially even deadly cyberattacks also impacted, among many other business and government entities, police departments, water distribution systems, a major national meatpacking company, and hospital systems. California had the highest percentage of attempted health-care system hacks, with 21% of the nationwide total.
These intrusions can be expensive to correct. Even when ransoms are paid, the breached or maliciously encrypted systems must be reconfigured or even rebuilt entirely. Moreover, there remain potential financial liabilities for critical infrastructure businesses like utilities, as well as financial institutions, to their customers.
It is therefore incumbent upon the special districts to take whatever proactive steps are possible to reduce the threats and thereby mitigate the damaging consequences.
To assess the readiness of special districts in Santa Barbara County, the jury interviewed a representative sampling of Santa Barbara County special districts and municipal officials, as well as private industry internet technology and cybersecurity experts. The jury also reviewed informative articles, reports, and official publications dealing with the subject of cybersecurity.
There are at least three U.S. agencies that address cybersecurity crime. Special districts are encouraged to access these resources and strengthen their own websites:
- U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA) https://www.cisa.gov/
- U.S. Department of Commerce, National Institute of Standards and Technology (NIST) https://www.nist.gov/cyberframework
- U.S. Department of Justice, Federal Bureau of Investigation, Internet Crime Complaint Center (IC3) https://www.ic3.gov
Following a 2021 White House meeting on the problem, Microsoft said it is allocating $150 million for cybersecurity technical services to assist federal, state, and local government agencies. In addition, it has committed to invest $20 billion over five years to develop improved cybersecurity programs.
Google has committed to spending $10 billion for that same purpose, and major corporations like Amazon and IBM will be increasing their investment in employee training programs.
The jury has neither the staff nor the technical expertise to analyze the cyber-readiness of the special districts or to suggest specific defenses to cyberattacks. That work should be done by expert consultants and security firms devoted to such activities. The jury offers the following list of Best Practices based upon the sources consulted:
- Create strong passwords and change them often, or at least periodically.
- Install and regularly update “encryption” software.
- Install and regularly update “firewall” software (intrusion detection systems).
- Update computer systems as necessary.
- Install and regularly update virus protection software.
- Secure data by limiting access.
- Safely dispose of all unwanted documents.
- Limit remote internet access to the extent possible.
- Limit physical access to system equipment (access cards, ID cards, etc.).
- Wipe data from equipment to be disposed of.
- Monitor employee use of all systems.
- Periodically test security measures and immediately remediate weaknesses.
- Report to the appropriate internal security all malfunctions, anomalies or any other “out-of-ordinary” events no matter how insignificant they may appear to be.
- Conduct training for all employees periodically on security policies and procedures, certify attendance, and teach staff how to prevent, detect, contain, and eliminate breaches.
- Hire an outside security consulting firm to conduct a risk analysis at least annually and consider the possibility of pooling resources with other special districts to hire such expertise.
- Consider adequate cybersecurity insurance and the possibility of creating or joining an existing insurance pool to reduce premium cost.
- Create and securely maintain back-up data separate from the “live” system.
- Create a comprehensive Security Policy Manual to centralize information in one place and make it accessible to all staff.
- Classify and prioritize all district hardware, software, devices, data, etc. in accordance with their critical nature.
- Adopt easy-to-follow protocols for detecting and reporting known or suspected incursions and explain the exact duties and responsibilities of different staff levels in case an incident occurs. Create and maintain a current incident log designed to immediately document, analyze, and catalog incursions and explain how best to respond.
- Immediately eliminate all access to data systems and emails upon an employee’s departure.