The city of Lakeland’s Information Technology Department is working to adapt to two new state statutes, to update the city’s computer systems to be more efficient and also to fend off any cyberattacks.
Cybersecurity Manager Timothy Evans told city commissioners earlier this month that House Bill 7055 now prohibits paying computer system hostage-takers in ransomware incidents. House Bill 7057 exempts from public record for all state and local agencies insurance coverage limits and deductibles, information related infrastructure, network schematics, hardware and software configuration, and importantly, responsible practices.
“Traditionally, we would have had to release this type of information, which could give a potential attacker a roadmap to breach,” Evans said. “Think of it as the opposing team asking for your playbook and you have to give it to them.”
Evans explained that a cyberattack is a computer and/or system infiltration that intentionally works to infect and lock data. Someone will contact the user and demand payment to unlock the computer or system.
“The most critical thing that an organization has is typically its data. They’re trying to extract a payment from you,” Evans said. “The state of Florida has removed the financial incentive to attack public organizations. I don’t know if that will prevent attackers from continuing that, but we are no longer allowed to, or our insurance company, to pay those attacker in the event that we receive threats.”
Evans explained that the “threat landscape,” both regionally and globally, is seeing an increase in the frequency and complexity of cybersecurity incidents. Between 2016 and 2019, there were 14 high-profile ransomware incidents targeting Florida public entities and in the three years since, there have been 26 incidents, most recently in October on the city of Dunedin.
That attack happened on Oct. 4, and for several weeks, crippled Dunedin’s city email system. The city continued to issue certificates of occupancy and notices of violations in code compliance, water and wastewater treatment facilities were secure and operational, and the phone system continued to work, along with utility payments and marina slip rental payments through the city’s third-party system, Paymentus, city officials said. At an Oct. 18 meeting, city commissioners passed an emergency purchase order of $133,377 for IT network equipment replacements due to the cyberattack, paid for with American Rescue Plan Act funds.
“Everything has been restored except for our permitting — it was a really antiquated system,” Sue Burness, director of communications for the city of Dunedin, told LkldNow. “There’s really no impact to city services. We maintained permitting and things were done manually. Pretty much every city in Pinellas County has had the same thing happen – we’ve just been transparent. It’s still under investigation. It’s still in the hands of authorities. Obviously we’ve learned a lot and had a lot of upgrades budgeted. Some of that is ARPA money.”
In 2020, the Polk County Tax Collector’s Office was hit. Tax Collector Joe Tedder said in a press release then that driver license numbers were possibly exposed to “an unknown third party” during the targeted computer virus attack on the agency.” Tedder added that there was, however, no evidence that personal information was leaked or misused from “a new strain of virus that hadn’t been seen before.”
Earlier this month, Tedder said “it was a complicated event where the breach came in through an email described as a payment schedule for a tourist development account. The perpetrator never got sensitive information and our systems were never closed down by the virus.”
No arrests were made and Tedder said the perpetrator was operating from overseas.
In light of false rumors nationally about alleged breached voting systems, LkldNow asked Polk County Supervisor of Elections Lori Edwards if she has seen any cyber threats.
“I’m thankful to report that we have not had any issues,” Edwards said.
Evans said the sophistication of incidences has increased substantially, with 38% of incidents caused by complex breaches and attacks that leverage a combination of several different methods, including social engineering, malware and hacking. He said 78% of the reviewed incidents impacting governments globally are caused by “external actors, people outside the organization.” But, he added, employees are seven times more likely to be a cause of breaches by making mistakes than by an intentionally malicious act.
“The answer to this is more training,” Evans said, adding that “80% of the reviewed incidents impacting governments were motivated by financial or personal gain, with the attackers most commonly going after personal information and credentials to be used in further attacks.”
Mayor Bill Mutz asked how cybersecurity and cyber governance works within the city.
Oscar Torres, Lakeland’s chief information officer and director of information technology, said they have set up a deliberate system so there is no conflict of interest for employees.
“The staff that actually has the passwords that can control the actual security type of hardware and software, it’s not the same staff that has oversight and governance and automating things like that,” Torres said. “So we specifically did that. And then we align them so that they don’t report to the same person, as well so we eliminate that conflict of interest when it comes to execution and oversight.”
Phil Lambert, assistant IT director, said the city is migrating to using the internet as its network and the cloud as its data center.
“This is a philosophical change in perspective, Lambert said. “The way that we view our home network or our office network, as separate and not the internet. But in reality as soon as we connect to the home network or the office network, it is the internet. So philosophically, internally, we are changing our perspective to understand and embrace that approach and that knowledge as we move forward.”
Lambert said they also have to keep in mind that any device, whether it’s a desktop, laptop, phone, or electronic notebook, can become a network device.
“When we have applications for systems hosted in the cloud, the need arises for staff and leaders to be able to access on the fly something that might be in a cloud environment,” he said. “As we think about our out-of-office work experience, we begin to realize that we can no longer support this idea of a walled garden, where you’re in the office and you’re secure. We need to be able to take that logically and move it out of the office and that’s why identity becomes the new perimeter versus the network being the perimeter access gateway, in and out … data is lifeblood of the city, it is the crown jewel of the city and it’s true for almost every organization out there, regardless of public sector or private sector.”
Lambert also pointed out that the city has several legacy systems,” including human resources and the finance department. The entire network and all the data will have to be migrated to the cloud or online systems.
“Our vendors are telling us five years, 10 years from now, there will be no on-premises option – ‘You will use our cloud or you will have to use our technology’ for an organization such as ours,” Lambert said. “This is a significant undertaking. We’re looking at potentially a two-year, maybe a three-year migration from on premises to the off ramp … We have a seven-year heads up. That means we need to start discussing in the next year to two years how are we going to fund it and how are we going to provide resources to get us through that transition.”
SEND CORRECTIONS, questions, feedback or news tips: email@example.com