“With an event like this, as my cybersecurity manager would say to me, ‘it puts a target on our back,’” said Milwaukee County CIO Lynn Fyhrlund.
While plans are in a very early stage — Fyhrlund spoke with Government Technology within a week of the county learning of the RNC designation — he had a number of concerns on his mind.
Fyhrlund said attacks against government systems in relation to the RNC might come from anyone, foreign or domestic, who “wants to make a statement.” Likely threats include spear phishing, attempts to take over or shut down websites, disinformation and other efforts.
Another concern: that perpetrators may launch cyber attacks to interrupt government’s ability to respond to on-the-ground violence.
“The things that concern me are if there’s an actual threat … it’s not just a direct attack — it’s [also that] you have to take out the logistics part prior to anything you would do,” said Fyhrlund, whose perspective is informed in part by prior Army experience. “So what systems would we have in place that you would consider someone would want to remove to delay a response?”
2024 won’t be the county’s first brush with a national convention. Milwaukee got a taste of what to expect from hosting the 2020 Democratic National Convention (DNC), which was scaled down due to COVID-19.
The county’s cybersecurity team was “relatively new” at the time. Preparing for and hosting the DNC helped shape the county’s approach to cybersecurity in general and saw the team tackle areas like inventorying the county’s internal systems, training county workforce on the kinds of cybersecurity activity to expect during the DNC and identifying helpful third parties the county could reach out to. That experience has put the county on firmer footing as it looks toward 2024.
“I am glad we’ve gone through the DNC because I feel very comfortable with the RNC,” Fyhrlund said. “We’ve gone through the rodeo before.”
Fyhrlund limited his comments to GovTech to avoid tipping his hand to threat actors, but said the county will be focused on keeping systems resilient and maintaining communications capabilities, even in the event of an attack.
“Government needs to be able to function in a chaotic time,” Fyhrlund said. “And part of that, when you’re in IT, is, ‘How do we keep our systems functioning?’ Because that’s where the communication and information is, right? If that goes down, things become a lot more difficult to control.”
Preparing against disruption includes making sure continuity of operation plans and redundancies are in place, as well as increasing phishing awareness training for the overall workforce. Government will also need to play close attention to their third-party contracts, to ensure cloud providers and other vendors are committed to taking sufficient security measures.
PARTNERS AND COLLABORATIONS
The county isn’t going it alone. For one, it expects to receive advice and alerts from federal agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Secret Service.
Local and state governments will also be coordinating. The county’s IT team began working more closely with the state in advance of the DNC and has continued the collaboration since. County IT staff currently join the state’s cyber response team for on-the-ground incident response activities, boosting these efforts while giving county personnel more firsthand experience.
When readying for the 2020 DNC, Milwaukee County reached out to former convention hosts like Cleveland, Ohio, to learn from their experiences, and it will likely once again seek tips from other municipalities, Fyhrlund said.
On a county level, Milwaukee will be particularly focused on working with the Office of Emergency Management and Sheriff’s Office to prevent disruptions to their systems, ensuring these agencies are better able to respond to crises.
And the county only handles a portion of the cybersecurity and physical security work — with host city Milwaukee assuming a strong role.
THE UNSEEN COST OF CONVENTIONS
The RNC announcement caught Milwaukee County during its 2023 budgeting cycle. The government will likely wait until 2024 to assign funding for convention cybersecurity efforts and should have a clearer vision of its needs at that time.
National conventions can pose a logistics and budgeting challenge: Departments may have to delay other projects to focus on convention preparations and this work comes with significant financial expenses that local governments must pay upfront, Fyhrlund said.
The budgeting process itself raises cybersecurity questions. Fyhrlund said the county needs to balance public transparency against the risk that malicious actors will review IT budgeting records to learn what kinds of defenses to expect.
“We try to hide what our budget is the best we can … so that the threat actors don’t know what we have — they just know we have this amount of money,” he said. “Those are things I worry about.”
The DNC has yet to announce its 2024 location.