“A lot of smaller communities are resource-constrained. If you have a million dollars, are you going to fix the potholes constituents have been calling about, open parks and swimming pools for the summer? Or buy new servers and do all the things that are going to make you more secure?”“When Ransomware Cripples a City, Who’s to Blame? This I.T. Chief Is Fighting Back“
New York Times, August 22, 2019
Yes. The answer is yes.
Municipal leadership, like the leaders of any organization, are tasked with balancing the seemingly endless number of competing priorities. That’s why they get paid the big bucks.
Crumbling physical infrastructure or reductions in municipal service offerings are always sure to elicit strong reactions from residents and constituencies. Technology assets and infrastructure are not as visible to their end customers. As a result, software updates and hardware refresh cycles often take a back seat because “well it still works” or “but we only bought that server 5 years ago and it’s not broken.”
But in today’s operating environment, proper maintenance and risk management of a municipality’s technology infrastructure, endpoints, and systems are as just as critical as the maintenance and risk management of its roads and bridges.
When faced with audit findings and risk assessments, far too often management takes what is viewed as the “easy” way out: just accept the risk. I mean, it’s just a checkbox or your initials, as opposed to thousands of dollars and person hours that could be used for other things, right? Quick election cycles and the tendency to kick the can down the road for the next administration makes accepting the risk even easier…let the “next guy” deal with it in the “next budget.”
But the crucial caveat that management is failing to remember in these situations is that when you accept the risk, you accept the risk.
In the case of Lake City’s ransomware attack, I look forward to seeing what comes out through public records requests and the legal process. It should be relatively easy to determine what decisions were documented and what actions were or were not taken.
It is crucial that this incident be a lesson to better understand that day-to-day actions and decisions do have consequences:
- For management and “the Business,” ensure that you have an appropriate level of understanding about your environment. Understand its functions, life cycle and risks; look to your technical leaders and individual contributors to help educate you so that you can make informed decisions. Don’t just check a box and move on…the ass you save might just be your own.
- For technical leaders and individual contributors, as the subject matter experts for your environment, you need to ensure your management chain, auditors, and Boards / Committees have the right information make good decisions.
Regardless of how management chooses to act, remember this invaluable advice from SANS NewsBites Editorial Board Member William Hugh Murray in reference to the Lake City incident:
Any such risk acceptance, and its acknowledgement by the leadership, must be documented. If that was done in this instance, Hawkins will have a good case. In the absence of such documentation, his case may turn upon the honest recollection of that leadership of a decision made months ago. The three rules of risk management are document, document, document.