School of Public Policy hosts forum on cybersecurity

This story first appeared on news.umbc.edu and was written by Max Cole.

Cybersecurity concerns continue to make headlines, including the recent attacks at MedStar Health and fraudulent tax returns being filed for Baltimore City employees. In response to this, many local governments, like their counterparts in the private sector, are taking steps to protect their websites and information.  

UMBC’s School of Public Policy hosted a forum on “Cybersecurity Concerns in Local Governments” on Friday, April 15 to present research on cybersecurity initiatives in local governments in Maryland and to highlight the policy implications of these initiatives. The event was sponsored by the UMBC School of Public Policy, bwtech@UMBC Cyber Incubator, and the UMBC Center for Cybersecurity. 

Speakers included School of Public Policy Professor and Director Donald Norris, Anupam Joshi, professor and chair of computer science and electrical engineering (CSEE) and director of UMBC’s Center for Cybersecurity, Rob O’Connor, chief technology officer for Baltimore County, and Gayle Guilford, chief information security officer for Baltimore City.

Norris discussed cybersecurity challenges in local governments across the country based on his research. In 2013, along with Joshi, he convened a focus group of technology officers from around Maryland to identify challenges and what governments are doing to help prevent cyber attacks.

“It was fascinating, because in part, we went in thinking cybersecurity is a technology problem and that the technology would fix itself,” Norris explained. “But people, policy, and process in government and large organizations are almost always the problem.”

Norris found that technology professionals in government identified people as the weakest link in cybersecurity threats because of phishing emails, lack of user training, under enforced and inefficient policies, and lack of funding to deal with cybersecurity threats.

To further research constantly evolving cybersecurity challenges in local government, Norris and his colleagues developed a questionnaire which will be conducted through the International City and County Management Association (ICMA) for city and county governments with populations greater than 50,000 around the country. They anticipate receiving the results this summer.

“We want to find out what local governments across the nation say are their biggest cybersecurity problems and the barriers that they face in addressing cybersecurity,” Norris said.

Joshi discussed various policies that are needed to keep computer and data systems secure, and said that policies should ideally be written in terms that both people and computers can easily interpret. “We need shared ontology that many systems can understand,” he explained. Computer systems can use policies to better understand the computer system’s actions and behaviors and identify issues and cybersecurity threats as they arise.

To regulate access to information, Joshi recommends having adjustable responses and a “need to know versus need to share” framework that can determine who has access to what levels of information. For example, he said that a general question, such as a person’s location, can be answered generally or very specifically. Sharing the state where the a person is located is less helpful than knowing what city they are in, and sharing GPS coordinates is the most helpful information. This method can be applied to providing access to information and data that needs to be kept secure and confidential.

He says that it is increasingly difficult to walk away from a cyber attack, especially if the cyber attack is in progress. “Technology evolves so quickly that hacks also have to evolve rapidly,” Joshi said.

Gayle B. Guilford, chief information security officer for the City of Baltimore, pointed out that the “new ransomware does not require human interaction,” so education about maintaining security on computers needs to change. “It used to be ‘don’t click,’ now you don’t even have to click,” she said, adding that the users should be the biggest group identifying oddities and suspicions.
“End users are the biggest vulnerability, but need to be the biggest defense,” said Rob O’Connor, chief technology officer for Baltimore County.

Note: On the same day as the forum, Norris and Richard Forno, assistant director of UMBC’s Center for Cybersecurity, were quoted in a Baltimore Sun article about fraudulent tax returns being filed for Baltimore City employees. Read “Federal, state authorities investigating source of data used to steal city employees’ tax returns” on the Baltimore Sun website, and “Investigation into Baltimore City Employees’ Stolen Tax Returns Underway” in Government Technology.

Forno also was quoted in “Maryland National Guard steps up role in cyberspace” on the Baltimore Sun website, and “Why haven’t hackers taken down the power grid?”in Parallax.

Image: Cybersecurity Forum Speakers (from left to right): Donald Norris, Gayle Guilford, Anupam Joshi, and Rob O’Connor. Photo by Marlayna Demond ’11 for UMBC. 

Posted: April 27, 2016, 6:23 PM