Episode 88: The Changing World of Cybersecurity
Municipal Equation Podcast | 2024-12-19 | 44:48
There's always something new with cybercrime – what it looks like, how it's carried out, what the trends are, who the targets are, and on and on. It's a full-on industry, and it evolves as such. There is, however, a constant: the fact that letting our guard down online can have enormous costs. Most of us exercise basic internet security smarts, but, with the landscape always changing, how do we keep informed enough to stay ahead of the bad guys? On this episode, we talk with cybersecurity expert Erik Wells from the N.C. League of Municipalities about today's internet crime scene, how it affects municipal governments, and how we can stay cyber-safe.
Transcript
Speaker 0
0:03 – 3:04
From the North Carolina League of Municipalities, this is Municipal Equation, a podcast about cities and towns. Welcome to another episode of Municipal Equation from the North Carolina League of Municipalities. This is Ben Brown. And just a minute ago, I typed in the phrase cyber attack into Google just to see what's new, just to see what will come up. Just to read off some of the results that just came up. From the BBC, Namibia ransomware, sensitive data leaked after telecoms firm hacked. That was two hours ago. The Associated Press reporting a day ago that hackers hit Rhode Island benefit system in major cyberattack. Personal data could be released soon. Trump administration wants to go on cyber offensive against China. Huge cybercrime attacks sees 390,000 WordPress websites hit, details stolen. That's from TechRadar. A website called Homeland Security Today is reporting that hackers find hole in Krispy Kreme Doughnut cybersecurity. Alright. Alright. So that one has a little bit of a pun in it. News station KSBW reporting Watsonville Hospital recovers from cyberattack after nearly two weeks. So these are just random headlines that I'm reading that came up in the Google result for the search words cybersecurity. There's always something new. So even though it's a subject we've been hearing about nonstop since connected computers became a central part of our lives back when, it's always changing, always something new. And that's because the business of doing illegal stuff with the Internet and taking advantage of innocent people and businesses is itself a big business, a growing business all over the world. In some places involving full-on companies with campuses, like think of a tech campus and teams of employees that exist to complete crimes on the Internet. Like, you can pay them right now to hack somebody for you, for example. Among the vulnerable are governments at all levels. And I know we know this and we're prepared to a degree. 
You know, we all get emails that look like obvious scams at best, and we just send those to the trash. But there are other efforts from these bad guys that aren't so obvious. In fact, our guest today said ransomware is the number one threat and that the number one method of attack upon municipalities is phishing emails, a daily occurrence. There's so much to be aware of. It changes a lot as technology changes and the new tools come in like generative AI, which we did an episode on a while back. But just to get caught up on where we are now and to understand why this is an issue we can't let go of, let's get to our guest for this episode. His name is Eric Wells. He's one of the cybersecurity experts here at the League of Municipalities. And some of the stuff he tells me in this interview surprised me as far as the degree we've gotten to on this planet with crime on the Internet and what we need to do as individuals and organizations to stay safe and whole. So, could you introduce yourself and provide a little bit of background on how you got into this area of focus?
Speaker 1
3:05 – 3:53
Yeah. So my name is Eric Wells, and I work for the North Carolina League of Municipalities as a cybersecurity business advisor. And I've always been in some technology role my entire career, with the exception of my military service. Started out in the late eighties, helped municipalities and school systems transition to the Internet when it was new and came along. Managed customers through Y2K, naturally transitioned into cybersecurity as criminals found ways to monetize the activity. For me, you know, I've always I've been a programmer by trade. I started out as a programmer writing software. And so when cybersecurity criminals found ways to get into systems, I started writing software and code to protect those systems. And so it's kind of how I got into cybersecurity as a whole.
Speaker 0
3:54 – 5:07
That's cool. You mentioned cybersecurity in the nineteen eighties. One of the early nonfiction books that I read when I was maybe, like, 14, and it got me hooked on the subject. It was called The Cuckoo's Egg by a guy named Clifford Stoll, and it was he was like some hippie working in the computer lab in Berkeley at the university, and he basically caught hackers trying to get into the Department of Defense, kind of by accident. It was just an interesting story about the early days of, you know, connectivity and who can do what with it. And it's it really drove a mistake in my in in my mind in terms of, you know, just how off guard we can often be with this stuff and what the consequences can be if we are off guard. And so, you know, this is something that the League and other organizations have pushed for, you know, as long as I can remember as far as computers and the Internet, you know, cybersecurity. Why is this a subject that we do need to keep a focus on? You know? So generally speaking, you know, what is the world like today in terms of cyber vulnerabilities, and, you know, how is this stuff changing over time? Just to set the stage and give us some context on this. So so like you mentioned, a lot of people don't realize that the Internet didn't didn't come about in the in the nineties.
Speaker 1
5:08 – 7:03
You know, in the nineties is when it went commercial. We started seeing it at a commercial level. But the Internet has been available for governments and universities since the sixties. So, you know, and as soon as it, you know, as soon as there was a way for a criminal to take advantage, they started to do that. You know, my earliest memories was Kevin Mitnick going to prison for hacking into AT&T. So when I was a young kid, you know, the thing that was going on then was you you hacked into telephone providers to get free long distance back in the eighties. You know, long distance, you had to pay you had to pay per minute. And so that was the that's what the the criminals were doing. They were they were gaining access to these systems and then selling access to those systems to other people, and that's how they made money. So since the sixties, cyber criminals have been getting more and more advanced. I mean, as as our as we have watched technology advance with the things going on in Silicon Valley and the things, you know, when computers were large enough to fit rooms until now where they fit in our pockets, we found ways to commercialize that and technology companies have been taking advantage. Well, so the cyber criminals, and they've been getting more and more advanced. As our systems have matured, they've kept pace. People may not realize that cybercrime is a multibillion-dollar industry. I mean, I'm sure they know that. They read the headlines. But I don't know that they really understand what that means. There are criminal organizations across the globe that have entire business models around cyber criminality. I mean, they have entire tech campuses like we do in Silicon Valley. They've got engineers, HR, 401(k), health plans. They've got a cafeteria staffed. I mean, they roll up to work just like your commercial software engineer, you know, rolls up to the Cisco campus. They roll up to their campus. 
You know, and they would just as likely have a job at one of the commercial entities that they would at a criminal corporation.
Speaker 0
7:04 – 7:16
That's that's amazing to picture that because I think a lot of people kind of have the image in their mind of sort of the lone wolf kind of sitting in a dark room with their laptop or something. But there are actual, you know, organized big deal efforts.
Speaker 1
7:16 – 9:34
Absolutely. So and and so so there's there are nation states, which governments have entire military arms where they go into big buildings that are much like a tech campus, and they do, they do cyber hacking on behalf of their nation states. And then you've got companies that have literal corporations that are billion. They have boards of directors. They have shareholders. I mean, just if if you didn't know that they were a criminal enterprise, you would not know it if you were to visit their lobby. I mean, they, you know, you go in, you get your coffee, you know, maybe a demo on something. So, these organizations are huge billion dollar entities, and they operate as such. You know, they don't do that here in the United States, but they do it globally in places across the globe. So all that being said, as as as we have seen the automation come into all of our commercial processes, technology has pretty much infiltrated everything that we do. Just like we have matured our automation, the cyber criminals have automated theirs. They even have what we call managed service providers. So now if you're a municipality, perhaps if you don't have an IT staff, you reach out to an IT support company and they provide you a managed service to, you know, maintain your equipment. Well, cyber criminals have similar organizations where they provide managed criminal services to anyone willing to pay their monthly fees. So so the the person in the don't get me wrong. The the people that are, you know, in the hoodies, in the dark basements with the, you know, with the loud music going, those those individuals still exist. They're the ones that are creating a lot of the technology and innovation that these corporations then monetize. So those hackers exist. They still do, and they exist on the white hat side, the good guys who are fighting against them and on the bad guy side. But the monetization is really, at, you know, just like just like everything else. 
Corporate America has figured a way to monetize, and there's a lot of money being made there. That that managed service provider really what that does now is now someone without any computer skills, but once had that has a criminal enterprise can hire these companies to do criminal criminal acts on their behalf and reap the benefits and share those rewards for a price with the corporation providing services.
Speaker 0
9:35 – 10:02
That that's amazing how buttoned up, you know, so so to speak, that this can get. And, you know, how you know, if if just like you were saying before, if you can think of the context of, like, you know, in a a legit, you know, quote, unquote, good company organization, you know, they're doing everything legally. They have, you know, the their business plan, and they know what they're doing. I mean, you could have sort of the the flip side version of that that's just as organized, but, you know,
Speaker 1
10:03 – 11:14
for dark efforts, I guess, so to speak. Well, let's let's be clear. In the some of these countries, it is not illegal to do what they're doing. Wow. So so there are countries in this in the in the world that have no laws that prevent these corporations from existing, and they thrive. You know, it's always, you know, in the early days of phishing emails, you know, you inevitably got the the email from the some foreign country prince who, you know, forgot his wallet. And he's gonna he's gonna help you get rich while you help him get his money back. You know, I think, you know, a lot of people got fooled by that. Well, it's not it's it's no longer third world countries where there are no opportunities. So enterprising individuals are creating those opportunities even if they are criminal. It's now even, metropolitan cities where, again, like I said, you if you were to visit this particular these particular areas and drive through their, you know, their their metropolitan areas and see big major buildings with sign on them, one of them may, in fact, be a criminal enterprise and you would never know
Speaker 0
11:15 – 11:55
it. Wow. Well, that that's that's amazing. And thinking about the sort of diversity of potential victims, whether it's an individual, whether it's a company, you know, just circling back into the context of government, you know, things are more sensitive there. Or I guess you you you might assume, you know, people's data and the money the governments, you know, deal in every day and then, how much we rely on sort of, I guess, kind of a digital foundation and a lot of the essential services that governments offer, and and other touchy areas too that could be exploited somehow by the bad guys. What have we seen with cybersecurity and threats in the context of of, like, local governments?
Speaker 1
11:56 – 15:20
The biggest threat you know, municipals have a lot of sensitive data like you mentioned. But in most cases, you know, that sensitive data is customer information that resides in their accounting systems, whether which are usually fairly secured. Their police RMS systems and those those data, those are typically fairly well secured. In in the case of the RMS data, we actually have state statutes that have to be followed. So there's a lot there those are pretty well locked down. And in a lot of cases, the accounting systems have really good security. So, and then to a lot of that sensitive data like, your your your health information or your credit card information, those are actually in completely different systems. And so they're they're fairly disparate. So there is concern you never want bad guys to get in and muck around in your systems and potentially gain information that could help them harm your organization, your city or your population, obviously. But ransomware, that's the big one. There's there's there's probably not a lot of money for your average municipality. If their data got stolen by a criminal, Probably not a lot of monetization there. Because in a lot of cases, a lot of that information has already been gleaned in other sources. For instance, I don't know if you just heard we just had the the disclosure that almost every Social Security number in in America has been garnered by a criminal organization. Right. One of our one of our recent acts. So, you know, your Social Security number is already out there. The bad guy's got it. Chances are if you've if you've used your credit card online, the bad guy has that too. So, you know, there is some damage. The biggest concern is, disruption to services because if a I mean, let's face it. Our municipalities, their number one job is to deliver services for their their population. And if you disrupt their ability to do that, well, now we've impacted, you know, more than just the municipality. 
We've impacted systems and people and population. And that's really what, you know, gets elected officials fired up is if if a city can't do their number one job deliver services, we have we have a problem. And so ransomware really is the number one threat. Ransomware, if they can if they get in and they encrypt your data and you do and they disrupt your ability to deliver services, well, now they have the ability to monetize that, and they don't have to do a lot of work to do that. You know, they send out a phishing email, somebody clicks on the phishing email. Next thing you know, they've encrypted your systems. I mean, it's a little more complicated that but but ultimately, that's what happens. So ransomware really is the number one threat. And the number one way that they get, systems get ransomware and they were get the ability is someone clicks on an email, phishing emails. That is the number one attack vector for municipalities. I mean, there are a lot of other ones, but that's the number one way that the bad guys of today where all this automation takes place. The bad guy doesn't know that you are a certain size municipality. They you're just a number. You're just an email. You're just a data point in a big spreadsheet. That doesn't mean that they aren't looking for, you know, targeting large metros and other types of, you know, organizations. But for all intents and purposes, when they do these phishing email campaigns, you're literally one of 800,000,000 data points in a file, and they just and the automation just sends out these phishing emails hoping someone clicks. And all it takes is one.
Speaker 0
15:21 – 15:31
Wow. Just just thinking about how often this is happening. I mean, is this something that that governments are pretty much getting hit with every day whether they know it or not, hacking attempts like this?
Speaker 1
15:32 – 16:05
Oh, yeah. Phishing emails is a daily occurrence. You know, talking to the we have an organization called NCLGISA run by Shannon Tufts and her team at UNC School of Government. You know, they're a group of IT professionals that work in municipalities across that that have volunteered their time to help. And they they actually track a lot of this. And absolutely, whether you know it or not, phishing emails are hitting your email boxes in the tens of thousands. You probably get one or two a day and don't even realize it. Wow.
Speaker 0
16:06 – 16:44
Wow. So thinking about other things that are kinda happening these days, things that are kind of in the headlines, you know, generative AI is definitely one of the maybe one of the obvious points to talk about, big conversation topic, lots of potential. We've seen so many cases of it not being used in a a positive way, you know, fraudulent activity, bogus creations, things that get shared around that are made up by AI, scams, misuse, all kinds of things that can happen. People maybe even having good intentions, but making mistakes with it. I mean, what do you think the challenges are when it comes to generative AI and municipal government from, like, a security perspective?
Speaker 1
16:45 – 20:05
Well, so a couple of things. So there are some concerns around generative AI, but the concerns around staff using generative AI isn't really allowing a bad guy to get in and get, you know, get access or disrupt systems. The concern is is that the using generative AI to make their jobs easier. So they're pulling, you know, they're they're pulling in generative AI into a word document or, you know, they're they're using it to help them craft something or they're helping them to understand a spreadsheet or they're using it to basically help them streamline what it is they're trying to achieve. So they're using it as a productivity tool. The concern is is that they'll they'll they'll they'll pull sensitive data out of their systems, put it into the generative AI if they're using one of the open systems like chat or, you know, Grok or there's a couple of entities out there that provided on the Internet. If you pull that sensitive data into those systems, now that sensitive information is searchable by those systems and can conceivably be, seen by other entities if they were to scour for it. But basically now your your sensitive data is now inside of a system that you have no control over. That's the fear. So what what our municipalities are doing and what they're struggling with now is, because generative AI is here. It's it's not going away. You know, it's not a fad. It's it's literally the it's it's literally just like when the steam engine was introduced to that industry. We're going to see, generative AI change, become transformative for our organizations that employ it in a positive way. Just to give you an idea, you would be surprised at just how many people are currently using it. So the the the key is is for municipalities is to not necessarily stop their staff from using it or prevent them from using because they're gonna find ways to use it. The challenge is is how can we govern their use? 
How can we create positive safe environments for them to access these technologies and not put our data at risk. That's really the challenges. And so policies and procedures and training, those are the things that your municipal leaders are struggling with right now in terms of generative AI. There are some some positive things. What a lot of people don't realize is that all they hear about is ChatGPT or one of the other, you know, being you can go out and you can do these things. A lot of people don't realize that there are the ability Microsoft allows you to create, use this generative AI inside your systems and it's only with the data in your system and it doesn't go outside. So there's actually secure models for utilizing generative AI in these environments, using your data and your data staying safe. So I think that's really where the the education piece comes in is how do we help municipalities learn how to leverage the technology without putting their sensitive data at risk and, and their employees going out and using the technologies out on the Internet rather than finding safe spaces and sandboxes for them to use it inside our organizations.
Speaker 0
20:07 – 20:22
So maybe a a quick takeaway from there would be just whatever you do, don't enter sensitive information into your into, say, ChatGPT or some other Right. You know, AI help tool. Keep keep that keep that stuff out of there. Yeah. Prime example. You you you were,
Speaker 1
20:23 – 23:04
you're in that. Maybe you're in a small municipality and you don't have an HR director. Maybe you're the town manager and you're trying to hire some new roles. So, you know, you pull the context of what you think you want in terms of role, and you you punch it into into ChatGPT to help you create that role. Well, you get used to you. It spits out and you you're able to create that that, you know, that, job rec very easily. But what if you then say, well, man, it made that so easy. So now when I'm writing the review for this employee, I want it I don't want it to sound harsh. I wanted to so you actually take your review and you punch that into GPT. You just cut and paste and put it in there and it spits you spits out a really good response. But what you may not realize is that when you cut and paste that HR, you may have just accidentally, you know, leaked some sensitive data about that individual not realizing it. You were just, you know, you just wanna you're you're doing, you know, you're writing a review, a yearly review, and you're wanting to to to make sure that the employee is, you know, the review goes well. And by doing that, you may reveal either sensitive processes or tasks that are being done that may not necessarily need to be public knowledge. Or in some cases, you may reveal the person's name and enough information that, can give a bad guy information to then take that, combine it with other things again, and actually leverage that to do harm to the person that you revealed. So that's really where the concern comes in is that, and these are these are just everyday things. Take a spreadsheet. Prime example. Police. The police use, you know, a lot of they have a lot of data points in the job that they do. They have a very hard job to do. They've got they don't have enough personnel, and they have a lot of things that they have to do. 
And so they they pull in a lot of data points to help them make decisions around staffing and, you know, do we have a certain type of crime going on in this area? Should we staff it more? Should we staff it less? What so they they they crunch a lot of numbers that you leverage technology to help them make their decisions. Well, if they don't use the systems that are safe and secure in sandbox, they take that spreadsheet and they dump it into a, you know, a ChatGPT or one of the, you know, one of the publicly available ones, and it spits out a lot of data, they may inadvertently release data that they didn't necessarily want out there in the public domain. Once it goes in that public once you put it into that public ChatGPT box, it's public domain. It could get it could end up anywhere.
Speaker 0
23:05 – 23:17
Gosh. Yeah. So so even thinking about, yeah, efforts that have good intention behind them could lead to leaks like this. We use these new tools in a maybe a a way that we're not,
Speaker 1
23:18 – 25:51
not supposed to be doing. Well, it's not so much that we're not supposed to be doing. We're just not doing it in the right environment. We absolutely should be doing it. We should just be doing it with the right controls and in the right environment. Another prime example, and this is another one that that, still hits companies today. Company is trying to, you know, they have a small IT department. They're trying to automate some of their processes. And so they hire a programmer to help them create automation around the things that they do. Maybe there's not something off the shelf that they can buy to help them. And so this this programmer with all of the requests, he uses ChatGPT to help them write him write that code because you can actually tell ChatGPT what systems you're using, what applications you're using, what code base that you're using, and ChatGPT will actually write the code for you. Now you the the the the engineer still has to, you know, provide some input. But what happens is is perhaps that the, the the software program is actually creating IP for whatever organization they're creating it for. That belongs to that company. Right? That's what the expectation is. They hired this programmer. Everything, their work product is a product of the organization. So all of this custom programming and custom code should belong to the organization. And before AI came along, you didn't have to well, you didn't really have to worry about that. I mean, maybe they they might do something nefarious and take your code and, you know, share it somewhere, but you really didn't have to worry about that. Well, now if ChatGPT writes that code for them, the company doesn't own that IP. It's it lives in the ChatGPT public domain now. So, ultimately, what can happen is as a company, especially if a company says, hey. That is such a great thing. It has helped us do so much. 
And maybe they're in a particular industry, and now they wanna monetize that particular set of software and go out and sell it to other companies that were their competitors and help them do what they do better. There's money in that. Lots of software companies have been started around, hey. We're gonna fix this problem in our industry. Man, it works so well. We should sell this to you know, we we should get out of the business of doing what we do and help other companies like ours do it better and make our money there. And they build an organization and monetize this this code. Well, if he created it in ChatGPT, they can't do that, because it's in the public domain. So that's another real world example of companies that have gone to to protect their code and realize that it's actually in the public domain because someone used ChatGPT to help them write it.
Speaker 0
25:52 – 26:36
Well, it's it's a lot to take in. I mean, I I'm I'm personally really excited about generative AI and, you know, all the opportunity that we have with it, you know, all kinds of things, just as a solutions tool. But, you know, like you said, it's it's not going away. And, you know, just maybe the same way I was excited about learning about the Internet and everything it could do. You know, there's all kinds of, you know, potential pitfalls. And and it may be the kind of thing where, you know, if if you're not already maybe kind of in on this stuff, it seems like it changes so quickly that learning about it might have kind of like an intimidation factor to it. Do you have any thoughts on that about sort of how people kind of warm up to to this and finding a way to kind of keep a rhythm with the changes?
Speaker 1
26:36 – 32:50
Yeah, I think I think that when people realize just how helpful it can be, so all it takes is one, and I think Microsoft is really leading the way and helping organizations, find, you know, they're they're right now, if you pull up the newest version of Word, AI is running in your Word. Now it's not the ChatGPT that, you know, and it's not public domain. It's it's running in your environment. But they're they're already giving you free taste of how it can help you craft language in your documents. And so I think as people start to use more and more that in their systems at work and in their Microsoft in their in their day to day work and they find ways to maximize their time. I think that's really where the, you know, it's just like the Internet. When the Internet first come out, everyone was like, Yeah, right. It's, you know, especially, you know, businesses business, like, what are we gonna do with this Internet? I can see why the schools want it. But what are we gonna do with the Internet? And they literally took, you know, PDF copies of their print materials and stuck them on. So it became an online billboard. Well, I mean, you know, that would that wasn't that long ago. And now look at what we're doing. So it's the same thing. I think generative AI, once it gets, you know, once people start to use it for the little things in in their work lives, then they all automatically see how it can help them in their personal lives. I mean, I'm just as guilty. I mean, I try to stay on top of technology, but, as I age, you know, it's getting harder and harder. I don't have as much time as I used to to stay on top of it. But even me, I you know, up until a year or two ago, I knew what ChatGPT and AI was and I had, you know, met you know, I had played around with it in a, you know, demo here or there, but didn't really use it in my day to day life. 
Well, I can honestly tell you that in my personal life, I do a lot of automation of of cataloguing of my hobbies and things like that. And Chatbeat GPT has made that, a much easier job for me. And so, you know, my mother, you know, she actually is using ChatBT to help her with the recipes now. She she saw yeah. Her she saw this, I don't know if she she's some sort of a recipe application, and they implemented some sort of a chat, you know, some sort of AI bot inside of it. And she got so much use out of it. She said, hey. I'd love to do this, but I can't do it in this other you know, I like to search my recipes on the Internet and do this thing here. And and I said, well, mom, just pull up chat g p t. And what's that? Well and I had explained to her, well, now she'll when she does when she wants something to do something with a recipe, she will go pull up chat GPT and go, hey, I really like this chicken recipe. Here it is. But I don't like it with this. Can you help me change it so that I, you know, or, can you help me make this recipe no sugar, you know, or whatever. And Chapity helps her develop a recipe. And my mother's 76 years old. So, you know, if she can do it, and if she's using it, just imagine when people finally, you know, get a hold of it. But here's the caveat. Yeah. Here's the thing that people need to understand. And this is really where it impacts municipalities. Just like we're using AI to help our lives better. Cybercriminals are also using AI to develop criminal activities that are sharp enough and smooth enough to fool, people in ways that they they, you know, like we we talked about earlier in our conversation. You got that really bad email with the mistake, the spelling mistakes from the from the prince of some foreign country. Yeah. Well, you don't you know, now they're literally they're mimicking the emails that you get from your bank, and they're they're doing it in such a way. 
They're using AI to help them catch all the little nuances that typically a cyber analyst would help figure out whether it's good or bad. They're using AI to increasingly remove those barriers, and they're sending out these emails to and fooling more and more people. So the so the bad guys using AI to get better at their job too. And so, how do we how do we, you know, it's it's sort of the cat and mouse. How do we, you know, how do we we're never are we ever gonna catch the mouse? Probably not. But are we gonna continue to chase it? We have to. And so, you know, one of the things that we we need to do is we need to to, well, first off, we need to educate our users on what not to click on. Yeah. Mhmm. Very, very surprised at how many smaller municipalities have not invested in cyber awareness training. That's the one area that they can spend money on to get the most protection. I mean, they could buy all of the security hardware in the world, but they can't keep that one person from clicking the email that they thought was legitimate and, you know, letting a cyber criminal in the back door. Right. And and the only way that we can prevent that is to continue as as as we continue to learn what the bad guys are doing and train our users what to look for and what to question and when to raise an eyebrow. It's not as easy anymore as a spelling mistake or a grammar error because ChatGPT speaks all languages. So, now you have to really, really be smart, and the only way to do that is to get that education. So, that's really the number one thing that municipalities can do to help fight the generative AI problem in terms of how bad guys are using it, and of course, you know, help their staffs be more aware of what they're doing. You know, email is kinda like used to in your mailbox. 
You would get you would go to your mailbox every day, and it would be full of, you know, thousands of junk mail leaflets, and you would just literally you'd literally go through them and throw them all away. Well, our email boxes are typically, you know, the same now. It's a junk mail repository. But there is one or two good emails in there that we don't wanna lose. And so we throw out all the ones we think are bad, and then we focus on the ones we think are good. And if the one we think is good happens to be the bad guy and we click on it, it's got us. But if we can train people, you know, how to be smarter about that, you know, we can we can help prevent, you know, one more cyber ransomware attack.
Speaker 0
32:51 – 33:06
So how does the League of Municipalities help out with this? If there's a municipality listening and they they've they've developed a a concern about maybe some cyber training that they need to do or or catch up on things, I mean, how do they come to the league for that kinda help? Yeah. Well,
Speaker 1
33:07 – 35:28
they can certainly ask any one of their reps. If if they participate in our insurance pools, they can certainly ask one of the reps. We, we have ARP reps that are in the field, so they can certainly anyone that they know that works really say, hey, I heard something about cybersecurity. You know, can you give me some information? They can email me, ewells@nclm.org, and I can send them out information. We have an entire service line funded by ARP that helps provide service line activities that will help prepare them for cyber incidents. And we're not the only organization that does it. There's some great ones. Shannon Tufts and her school of government, they actually have some resources available. The National Guard, CISA. We all have free resources available for municipalities. We try not to overstep. So basically, the school of government, they have a series of offerings. National Guard has offerings and CISA has offers and the league has offerings and we all have different offerings. We do have some similarities and things we do. But one of the things that that we've tried to do, what I tried to do creating this program was I didn't want to do duplicative efforts. I wanted to to create something that would be addition to all of the other things that were out there. And so one of the things that we do and it's something that the National Guard is helping do as well and CISA does a little bit, but I do assessments for municipalities, part of my sir our service line. I'll go out and I will assess their organization for risk. Now the National Guard actually test their, they do an assessment, and they actually test how well they're doing in terms of the the risk that I uncover in my assessments. So it's a little different there. But we do an assessment, and then I provide monthly or, you know, quarterly or daily or whatever consultation to the municipality that participates in their service line just like a CSO would. 
So even if they don't have an IT staff, they can utilize the league and my services to ask questions, to get help on information. Perhaps they have something going on that they don't understand. Maybe they think they clicked on an email and they just want to talk about it. Obviously, there's only so much that we can do from a consultative role, but we can certainly point them in the right directions and at least help move them in the right direction and get them towards the resources that can actually help them, you know, one on one.
Speaker 0
35:29 – 35:49
That's, the you mentioned the, the assessments. I mean, that that's a really cool thing to think about. Maybe, if I'm thinking of it the right way, it's it's basically where a municipality can learn more about where they're specifically vulnerable. Is that how that works? Yeah. So what I do is I actually, I'm using the Center for Internet Security,
Speaker 1
35:49 – 39:21
which is basically an organization. It's a a governmental it's an NGO, a nongovernmental organization. But they work very, very closely with government industry. And they've established best practices for organizations in terms of what should you be doing in terms of security controls to protect against the threats that we see today as being the most prevalent. And so they have there's 18 domains. There's probably, I don't know, a 125 sort of checks. And we talk about everything from policies and procedures to password policies to finding out how they, how they utilize the technology in their systems, how they're, how they have do they have controls around how people access those systems? How do they document the things they do? So my assessment delves into all of the areas and the best practices where the the municipality can and should be doing things to protect themselves. And then, there are other assessments like what the National Guard does. They actually come in and they actually get on your network, and they test to see how well you're actually doing the things that you said you did. In my case, we go through and I do an initial sort of a baseline. We wanna find out where a municipality is in their maturity, and then we'll point out things that they should be working on. And they'll and I work with their IT provider to make sure that, you know, that they understand exactly what the the best practice is. And if the municipality thinks it's important, you know, they can, of course, engage their IT support or their internal support. And in some cases, a lot of the assessment entries that I do or the gaps that I find are things that the municipality can do on their own. I provide a lot of resources that they can download in the case of policies and procedures. 
In some cases, this is as easy as downloading the resource that I provide, filling it out and making sure that it, you know, meets obviously the needs of the municipality because every municipality is different. And then having that information available such that when something happens, they have a plan or they have, you know, or or they have a control. One of the assessment, number, 14 control number 14 is, do you you utilize cyber awareness training? In a lot of cases, they haven't invested in that for for their, their staff. I mean, it's not that it's expensive. It does have a cost and it can be, it can be a cost that, you know, shows up and is, you know, you have to really think about and plan if you have a lot of people in your organization. But in the grand scheme of things, it's really not a large cost per user to get that training. So in places where we can, the ARP fund, the ARP funding that we have allows for some targeted investment monies. And so in some cases, the league is able to utilize those funds to fund awareness training for a particular municipality for up to three years. And so what I do is I've I've contracted with someone the a company that has a state contract for doing cyber awareness training, Arctic Wolf, and I will provide three years of that service. I'll go out and purchase that from the distributor for the municipality on their behalf, and then we we we sign that over to the municipality. So we'll we'll pay for it for three years. The municipality gets to train all their users, and it's a win win. So but we identify that in the assessment. So I do the assessment to identify the gaps, and then we do have some capabilities to help them meet those gaps over time. Well, this is great to hear that I mean, there there are a variety of ways to, you know, at least get your foot in the door when it comes to,
Speaker 0
39:22 – 40:45
becoming more prepared, more aware when it comes to cyber vulnerabilities and the diversity of them and all that. And, of course, the league is is here to help. And so I I appreciate the ways you've, you've explained what the issue is and how it does affect local governments or how it could and how we need to stay on top of this. You know, it's, again, we we've been saying it throughout the episode. This is, you know, something just it's not gonna get solved and go away. It's, you know I know a lot of us think about, like, that that old, that old video that goes around social media sometimes of Al Roker saying, you know, like, what's the Internet? You know, like, in the early nineties when it's you know, there was a time period where it was kind of like this sort of maybe loose kind of fleeting kinda like, is the Internet really gonna be a like, maybe it's not gonna be the big deal everybody thinks it is and you know? But if something like that has has the potential it has, it's probably gonna stick around. And, just thinking about all the potential for generative AI and, you know, and all the potential on the the the dark side of things, you know, with cybersecurity in general, I mean, yeah, there's a lot to pay attention to here, but I'm glad we offer a sort of a a diversity of avenues for, for people to discover what they need to know. So, Erik, thank you so much, really, for the expertise and the the time you took today to talk with us. Yeah. No problem. And and if I could just leave you with a takeaway.
Speaker 1
40:45 – 42:35
So, you know, we're funded on this through ARP through 2026. So we have a couple of years. And if we can, you know, if we can do one thing for an organization, in in most cases, an organization, they don't know what they don't know. They don't, you know, they really don't know how vulnerable they are. So we can come in and provide this initial assessment, and we can help them figure out what they don't know and help them chart a path forward. And if we can do that in the next three years, you know, then we we've done what we we set out to do, and we've we've spent that money in good faith and and done a good job doing it. But municipalities have to step up to the plate and say, hey. May they have to make the time. It doesn't take a lot of time. It only takes, you know, a couple of hours to do the assessment and then a couple of hours to talk about the results. Obviously, if we find gaps, it takes a lot longer to to to fill the gaps, but you've gotta know where your gaps are. And not knowing where your gaps are, you know, actually is probably just as criminal as the acts that are being tried against them. So, you know, so I think if if if they don't do anything other than reach out and get an initial assessment, I think that goes a long way to helping an organization be more prepared for the future. So people can just reach out to their reps. Is is that how that works? Absolutely. Or they can just email the league. They can there's there's a link on our web page. There's there's they can go to the web page and they can fill out the I want more information on, and it comes straight to me if they choose cybersecurity. They can email me at my email address, ewells@nclm.org. They can pick up the phone. They can call me. There are millions of ways to get a hold of us. 
The website being the primary entryway, if they just wanna go to the website and go into the information box and say, I want more information on, that'll come straight to me and I'll send a quick email out. And that, you know, that can start the conversation.
Speaker 0
42:36 – 42:58
Well, Erik, thanks. And because this is an issue that's, that's that's not gonna diminish with time. This is something I'm sure we can check in on, again, maybe someday down the road if something new comes up, you know, maybe we can cover that. But, you know, I'm sure we have plenty of opportunities in the future to talk about this again. Yeah. That's one great well, I say it's one great thing, but that's one good thing about my role is that,
Speaker 1
42:59 – 43:07
cybersecurity is is continually evolving and changing, and there's something new tomorrow. So, be glad to to join and talk about it.
Speaker 0
43:07 – 43:08
Thank you so
Speaker 1
43:08 – 43:10
much. Yeah, no problem.
Speaker 0
43:14 – 44:44
Thanks for listening. I would love to hear what you learned from this conversation, or if you have any cybersecurity stories that you think are worth sharing, any pieces of advice, you can reach me, Ben Brown, at bbrown@nclm.org. NCLM stands for North Carolina League of Municipalities. We're based in Raleigh, North Carolina and online at nclm.org, where you can find more information from us on cybersecurity. You can even just type the words cybersecurity into the search field up top at nclm.org, and you'll find our online safety training and cybersecurity training. I'm sure some of you listening have already attended classes that we've offered on this subject, or maybe you've talked with Erik Wells, who we just heard from on this episode. Just remember this is a subject that's always evolving. And so as you continue to pay attention to it, we'll continue to do what we do to help with with education and safety for cities and towns. You can also find on the website under the member services menu, you'll see cybersecurity and IT services. Just click on that and you'll find info about our longtime consulting partner here at The League. They're a company called VC3. So you can see all the things in that area that they cover, cybersecurity and IT and so on. Again, nclm.org, visit us, reach out, and please feel encouraged to suggest topics for future episodes of this podcast. Anything about cities and towns and how things are changing, what the challenges are, what the new ideas are. My email address one more time is bbrown@nclm.org. I'd love to hear from you. In the meantime, I'll be in touch. This is Ben Brown.