April 9th, 2019, was like any other day at work. I logged in to my computer, checked my email, and did my supplement reports to criminal investigations. I also used my personal computer to register for the Fall 2019 semester as I continue to pursue a master’s degree. There were no warning signs of what tomorrow would bring.
The following morning, I looked at my work cell phone and noticed that I hadn’t received a work email since about 3 am. I just figured it was a slow night and didn’t think much of it. At 8 am, I walked into the Greenville, NC, Police Department and saw a paper note taped to the door stating: “Do not use/turn on computers! Virus city wide!” It would seem that fate had a sense of irony as I was at the time studying cybersecurity in my homeland security class. An interesting question posed in the course was “who is responsible for cybersecurity?”
My first thought was this security breakdown was the fault of the information technology (IT) department. How could the subject matter experts not keep our computers secure from outside threats? It should be as simple as “Googling” the answer. Then I realized that I couldn’t even “Google” the answer myself or email them to ask them these questions. The communication channels that I had been accustomed to as a working adult for the past two decades were gone. I felt like I was back in the early days of local government and might have to walk over to the IT office to ask them what the next steps in recovery were. However, the more I thought about it, the more I realized that IT was not solely responsible for this. It was my naïveté to think that way.
My second thought was that this was the administration’s fault. How could our leaders fail the community and their employees by getting hacked? After all, they are paid the “big bucks” to oversee the city and make the best decisions for all. With all the city policies written about scenarios, it was difficult to realize that there was nothing in place for such an event. The convenience of using and over-reliance on the internet had been exposed. However, essential city functions like police and EMS response remained intact due to those services not solely relying on computers. While we still had simple but useful tools for communication for our staff working the streets (two-way, multi-channel radios), we were forced back to paper processing. (What is amusing about the timing is that the police department had just gone through a significant upgrade to our online records management system.) The further into the situation we went, the more I realized administration was not primarily responsible for our vulnerability and was critical in coordinating efforts on our road to recovery.
After more than 45 days of computerless activities at the office, I concluded that it was not the fault of a single individual or department. We all failed to recognize that cybersecurity is the responsibility of everyone. Only in the past two years had we started city in-services about phishing and other lazy cyber attack methods. This was a step in the right direction, but more efforts were needed to educate ourselves on how to protect ourselves and our communities. There is no simple solution to the complex question of how we protect ourselves online. If we start to consider this general problem as a real threat, maybe we can start moving in the right direction in terms of learning and applying the best practices.
A fundamental concept that I have learned in my cybersecurity class at Clemson is that you control what you choose to click; therefore, users should stop and think before they click. Another concept is to have an incident response plan to a cyber attack, similar to a disaster response plan. This would help with confusion about roles and with progress in recovery efforts. It is not a top-down solution nor a bottom-up problem; everyone has a stake in promoting good cybersecurity habits, and what better time than now?