
Massachusetts Consortium Convenes First Cyber Policy Hearing

A newly formed joint committee is looking for innovative — and effective — ways to crack down on ransomware payments, bolster localities’ cybersecurity defenses and meet widening gaps in the workforce.

The Joint Committee on Advanced Information Technology, the Internet and Cybersecurity convened panelists from academia, technology firms and government.
Massachusetts lawmakers are asking what the state can do to better defend against cyber threats.

The commonwealth’s new Joint Committee on Advanced Information Technology, the Internet and Cybersecurity tapped academics, policymakers and technology firm representatives for its first-ever policy meeting on Sept. 8, where speakers examined how the state can improve cybersecurity.

Massachusetts lost roughly $100 million to cyber crimes in 2020 per FBI records, and unreported incidents may drive that number even higher, said Committee co-chair Sen. Barry Finegold during the virtual meeting.

Three panels of experts debated best methods for supporting local governments’ defenses, elevating cybersecurity among public and private organizations, growing the workforce, and cracking down on ransomware payments.

Making meaningful change will require continued investments, widespread collaboration, committed efforts from governments’ executive branches and more meetings like this one, said state CIO Curtis Wood.

“We cannot solve this by thinking the IT guy is going to be able to buy a new server or upgrade the software and eradicate or stop these threats,” Wood said. “It’s really an investment of our people, our processes and technologies. We need to make sure that... it’s always a cabinet-level item to us.”

RANSOM PAYMENTS

Ransomware attacks have struck everything from Colonial Pipeline in May to the state Steamship Authority in June.

Perpetrators often demand extortion in cryptocurrencies, which provide anonymity and quick access to funds, and Finegold questioned whether Massachusetts should attempt to crack down on the profitability of such crime by banning ransomware payments or tightening controls over the cryptocurrency sector.

Harvard University Berkman Klein Center for Internet and Society fellow and Electronic Frontier Foundation board member Bruce Schneier cautioned that the federal government is better positioned to effectively enforce ransom bans, while state-level prohibitions are more likely to result in victims simply making their payments in secret.

Still, Josephine Wolff — associate professor of cybersecurity policy at Tufts University’s Fletcher School — said states could discourage paying by prohibiting cyber insurance plans from covering ransom costs. Such a move would force victims to think more seriously about alternate options before reaching for their wallets. Requiring reporting about ransomware — including any payments and the crypto address they went to — could also help states make more informed responses.

Efforts to stamp out illicit crypto transactions could also be fruitful, Wolff said.

She advocated for more strictly enforcing existing anti-money laundering (AML), know your customer (KYC) and countering the financing of terrorism (CFT) policies in the crypto realm. Doing so may require the state to establish regulatory teams with the specialized knowledge needed to apply traditional financial-sector rules to this newer space, she added.

STATE INFLUENCE

State regulations can also help head off threats before they develop into extortion or data theft, panelists said.

Ransomware perpetrators often use botnets to send out waves of phishing emails in hopes of gaining access to victims’ systems, and Internet service providers (ISPs) have the high-level, across-network views to spot suspicious traffic indicative of botnets at play, Wolff said. Policymakers can hobble attackers by compelling ISPs to cut off Internet service to computers involved in such activities until the devices are cleaned of the malware, she said.

States with sizable economies also have the leverage to make private firms better protect consumer data and systems — as California did in banning default, generic passwords on connected devices, Schneier said. New security standards often spread beyond state borders, because companies wishing to avoid the cost of creating a separate product for a single state respond by bringing all their products up to the new standard.

“Massachusetts is big enough that the laws you pass benefit the nation and actually the world,” Schneier said.

REGULATING CITIES, TOWNS?

Panelists turned a spotlight on small and mid-sized localities, which are especially prone to cyberattacks. They tend to have few resources and personnel to spare on upping defenses or modernizing legacy technologies, so attackers who launch indiscriminate mass attacks are more likely to slip through.

State officials are understandably concerned with elevating these localities’ cybersecurity postures but must find the right strategies.

Sen. Finegold floated the idea of requiring agencies and certain businesses to adopt common best practices that help defend against run-of-the-mill cyber attacks. For example, organizations might be required to use multifactor authentication (MFA) to ensure that cyber criminals who manage to guess or steal an employee’s username and password are still blocked from accessing government systems.

But representatives of local government cautioned against new regulations on municipalities, especially those compelling them to take specific steps.

Geoff Beckwith, CEO and executive director of the nonprofit Massachusetts Municipal Association, a local government advocacy organization, said the sheer variety of digital platforms across different localities makes it hard to craft regulations that are relevant across the board. Plus, such obligations could easily become “unenforceable [and] unaffordable” if not paired with funds that enable agencies to implement the required steps, he said.

Some municipalities may have systems that are too old to enable MFA and thus either need an exemption or money for upgrades, said Tewksbury, Mass., Selectman James Mackey. He also advised policymakers to offer lenient compliance deadlines.

The fast pace of technological evolution also means that laws tied to specific tools and techniques can quickly become outdated, said Schneier. In a later discussion about driving private-sector change, Schneier recommended that states mandate certain desired outcomes, such as resisting password-based attacks, while leaving entities free to select their own strategies for meeting those goals.

BOOSTING LOCALITIES

Several existing voluntary guidelines can help direct localities’ improvement efforts, Mackey said. He noted that his town is first pursuing inexpensive, “low-hanging-fruit” improvements and looking to four basic cybersecurity goals outlined by the state’s MassCyberCenter (MCC). The municipality aims to ultimately progress to meet the more complex and detailed framework provided by the National Institute of Standards and Technology (NIST).

“We’ve been working through a triage-first process,” Mackey said. “But that’s a very long road, especially without resources.”

The state could assist localities by providing them with cybersecurity audits to guide their improvements, said Beckwith, although he asked that the evaluations be exempted from public records requests so that hackers cannot view the reports to learn about easy targets.

Other efforts to provide services that take tasks off municipal personnel’s to-do lists could go far. Some are already helping: Mackey said the MCC offers cyber policy templates that towns like his can adopt and tweak to meet their needs. MCC Director Stephanie Helm added that her organization provides lists of pre-approved IT vendors to spare municipalities this vetting work and help them quickly identify partners.

WORKFORCE EXPANSION

Municipal and state agencies across the U.S. are straining to hire and retain enough cybersecurity workers.

Wood said internship programs targeted at early career professionals can help agencies recruit affordable talent while interns benefit from a few years of skills training before moving on to richer private-sector salaries.

Officials also aim to supplement and level up existing workforces.

Vinny deMacedo, Bridgewater State University director of regional partnerships and former state senator, spoke of ongoing state efforts to create a public-private cybersecurity consortium to help coordinate and provide threat monitoring and hands-on training. Armed with $1.5 million in fiscal year 2022 seed funding, the consortium would establish and manage four to six centers that include cyber ranges and cybersecurity operations centers (SOCs). The centers would be spread across the state, including southeastern, northern and central Massachusetts as well as the Greater Boston area.

Mackey said such a consortium could support towns like his, which struggle with the personnel costs involved in continual threat detection.

“You could have the best, most expensive firewall or endpoint protection in the world, but if no one is looking at your logs or acting on that, it doesn’t matter,” he said.

Massachusetts is not the only state gathering a broad array of stakeholders to examine statewide cyber postures; Idaho launched its own Cybersecurity Task Force last month.

Jule Pattison-Gordon is a senior staff writer for Governing and former senior staff writer for Government Technology, where she specialized in cybersecurity. Jule also previously wrote for PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.