City, county online security problems costly
The 2019-20 Marin County Civil Grand Jury has produced some surprising findings that should raise public concern.
They haven’t before now because local municipalities have chosen to keep the public in the dark about their technological mishaps, even ones that have cost taxpayers hundreds of thousands of dollars.
The largest discovered by the grand jury’s digging was at the county Civic Center, where more than $300,000 was stolen by fraudulent electronic transfers, unwittingly approved by county financial gatekeepers in 2018.
According to the grand jury, county officials did not own up publicly to the loss, but they did publicly brag about follow-up measures they took to prevent repeat attacks — and the professional recognition they got for those improvements.
That’s sort of like getting praise for the design of new locks for a bank after it’s already been robbed. But at least there’s no question that those new locks were needed.
In fact, the grand jury found that the county’s computer network was hacked into and breached at least five times between July 2017 and August 2018. In addition, more than half of Marin’s cities — Corte Madera, Fairfax, Larkspur, Novato, Sausalito and Tiburon — have had their cybersecurity compromised.
The common thread is officials’ decision to keep such breaches quiet, figuring the public is better off not knowing. Only Sausalito discussed its hacking incident publicly.
We definitely don’t agree with the strategy of leaving the public in the dark. The public has every right to know the details and cost of any hacking attacks and the measures taken to tighten security.
Credit the grand jury for digging into this issue.
It also looked into the cybersecurity of the county’s elections office. Serious questions have been raised — including outrageous broadsides from President Donald Trump about elections being “rigged” — about the integrity of our elections.
What the grand jury’s research found was that Marin’s election system is safe, sound and accurate.
But not so for other parts of the county’s operations.
Despite the county’s hyperfocus on its electronic information system — especially after its estimated $28.6 million stumble with its 2005 purchase of a financial software overhaul — the county’s system fell victim to five cyberattacks, including one where wire transfers of funds were repeatedly requested and processed.
More than $300,000 in taxpayer money was wired to the hacker’s bank account. Once discovered, the county was able to recover $63,000, but nearly $250,000 was lost.
“This breach and financial loss were reported to local law enforcement and the FBI, but not disclosed to the public,” the grand jury reported in its May 11 report, “Cyberattacks: A Growing Threat to Marin Government.”
That costly attack led the county to strengthen its online protections, financial protocols and authorization hierarchies to safeguard against another attack. Those measures need to be regularly audited and updated to help make sure they are as secure as possible.
The grand jury concluded that the county’s systems are much stronger and more secure, but encouraged the county to remain vigilant with ongoing efforts to bolster safeguards.
Other Marin municipalities have had similar compromises and strengthened their cybersecurity only after having their computer networks hit with ransomware or fraudulent requests for financial wire transfers. The county’s after-the-fact security steps could serve as a model for local municipalities, but the grand jury concluded that there is a lack of significant concern among local governmental leaders.
“The absence of a public discussion of these vulnerabilities is a missed opportunity to educate employees, residents and local organizations about cybersecurity risks faced by all,” the grand jury said.
The grand jury has brought this important issue to the public’s attention. Now, it’s up to local public agencies to show they are taking the grand jury’s advice and recommendations seriously. As we’ve seen locally, better late than never.