Cybersecurity for Public-Private Partnerships
Every day we hear of more municipalities and other public agencies being hit by cyber-attacks, including ransomware attacks. The effects of these criminal attacks can range from merely annoying to devastating. A good example is the city of Baltimore, which is still struggling to recover from a ransomware attack. In my work with the city of Atlanta in responding to and recovering from attacks on its systems, I have seen first-hand the impact of the attacks.
As municipalities continue to harden their frontline defenses against these types of attacks on their IT infrastructure, one area that should not be overlooked are public-private partnerships, as these are prime targets for criminals and others. In addition, criminals might feel that the partnerships are being overlooked and are not as well protected as governments move to strengthen their main systems.
Public-private partnerships are generally regarded as cooperative arrangements between two or more public and private sector entities. They are typically long-term in nature and are primarily used for infrastructure development, such as the building and equipping of schools, transportation systems, hospitals, and water and sewer systems. In fact, they are a valuable tool for economic development and building of infrastructure.
It is the very nature of these types of development activities that make public-private partnerships ripe for attack. The ability to shut down power or water delivery, impact the delivery of healthcare or prevent the collection of revenue can have a real impact on these partnerships and their public partners. In addition, it is worth noting that attacks can affect bond ratings and perhaps the ability to pay back creditors as promised.
Security Challenges for Public-Private Partnerships
Public-private partnerships create a unique challenge from a privacy and security standpoint. Often, both the public partner and the private partner are collecting information. Additionally, a new entity is often formed that also collects information or actually runs the infrastructure or facility developed by the partnership. As to the information collected, keeping it safe and secure is often a challenge because of the number of partners involved. Moreover, the partnership or entity created may share resources from the various partners. These types of arrangements can potentially create “gaps” in cybersecurity that can be exploited by bad actors.
That said, there is some general guidance that public-private partnerships can follow that will help to keep information secure and private, thereby ensuring the continued trust of their customers and constituencies. These best practices are designed to create a culture of security that permeates throughout the partnership and the individual partners.
1. Understanding Your Information
The linchpin of good cyber hygiene is understanding your information. That includes understanding what information is being collected, who is collecting it, what they are doing with it and where it is stored. Knowing this will allow you to make good decisions about this information.
For example, toll roads are often built by the use of public-private partnerships. Understanding who is collecting toll usage information, general user data, credit card information and other sensitive information is the first step in securing it.
Next, understanding who is doing what with the information and how they are securing that information will form the basis for who has the responsibility to secure it. The same thoughts apply to any IT infrastructure created to support the partnership’s activities.
2. Policies and Procedures
The next step in cyber preparedness is understanding what you should be doing, when you should be doing it and how you should be doing it. Central to this is the development of policies, plans and procedures with respect to cyber preparedness.
As a best practice, all public-private partnerships should have a cyber preparedness assessment performed. This assessment will look at the partnership’s current state of preparedness as well as identify any potential vulnerabilities. A good assessment will also analyze the entity’s current policies and procedures, as well as its cyber incident response plan (if there is one). I note that just because the individual partners may have their own assessments, depending on the scope of the services offered, the partnership might need to have its own done.
As another best practice, all public-private partnerships should have a cyber-response plan, dictating step-by-step instructions to employees in the event of a cyber-attack. Tabletop exercises are a valuable tool to stress test your cyber preparedness plan. These exercises simulate an attack and give employees the ability to respond to a mock attack before it actually happens. The best time to figure out how you would react to live gunfire is not on the battlefield with bullets whizzing by your head.
3. Physical and Environmental Security
Public-private partnerships should always understand where their IT infrastructure is located and the security around it. Often, networks for public-private partnerships are built quickly and may be housed in various buildings and in various rooms, or they may be using shared resources from the various partners. In public-private partnerships, these IT infrastructure pieces may be miles apart and nowhere near each other. In addition, I have found that many times, not one person really knows the scope of the physical assets that are deployed on the network, let alone their architecture. As such, a map of your network infrastructure (and architecture) is essential to both securing the network and responding during an attack. This is especially critical if the various partners to the partnership are contributing IT assets or employees.
Once you know where your IT infrastructure is located, you should ensure that those locations are physically secure. Only those employees with the proper credentials should be allowed physical and virtual access to your IT infrastructure. Additionally, you should remember that vendor access should be strictly controlled and monitored.
Despite all of the external threats that occur against your network and IT infrastructure, employees are still the most used vector to attack an entity and are your biggest vulnerability. Whether it is an employee clicking on a link to a malicious website, putting an infected thumb drive into their computer or becoming a victim of more advanced phishing techniques, employees provide the quickest and most expedient route to your network. As such, public-private partnerships must make certain that all employees of either the partnership or the partners only have access to the information and network areas that are needed for them to perform their job functions. I note that these duties and responsibilities should be clearly laid out in the partnership documents.
Additionally, ongoing training for employees around cybersecurity and cyber awareness are a must. You should strive to create a “culture of security.” In public private partnerships, training and understanding individual roles are especially important as employees are housed in different locations. Employees often may wear multiple hats and might not know each other well. How to interact with each other is even more critical for these employees.
At the end of the day, regardless of how much you spend on infrastructure security, if your employees “click that link” or send information to the wrong person, your investment might be for naught. It is also worth noting that special attention should be paid to vendors and to the procurement process. Cybersecurity needs to be more than a mere line item when hiring vendors as many major breaches and attacks have come through vendors.
5. Disaster Recovery and Business Continuity
Most public-private partnership partners have disaster recovery plans in place in the event of a natural disaster or a major incident, such as a terrorist attack. However, many times a separate plan is not put into place for the public private partnership. This oversight can de disastrous in the event of a problem or attack. If the public-private partnership is utilizing shared resources, without a separate plan for the public-private partnership, employees will not know how to respond, or if to respond at all.
From a disaster recovery and business continuity standpoint, responding to cyber-attacks can be dramatically different from responding to any type of natural disaster or criminal incident or attack. For example, in many cyber events, outside resources and vendors will need to be quickly called upon and put into play. If these resources have not been identified prior to an incident, you will find yourself trying to locate and retain these resources instead of actually responding to the attack.
In addition, if shared resources are utilized and a comprehensive plan is not in place, things can go from bad to worse very quickly as employees will not know who is doing what. I note that many actions, while well-intentioned but uninformed, can be counterproductive.
Like most things, the quicker you can address the problem, the better the outcome could be. Again, in the event of an attack, you do not want to spend your first precious hours trying to find the needed help versus actually deploying it.
To this end, public-private partnerships should retain the necessary guidance and experience in order to make certain that their disaster recovery and business continuity plans consider cyber preparedness. For example, I have found that many public-private partnerships fail to realize the scope and breadth of their systems, or the potential shared resources that comprise their systems. Whether it is call centers to assist customers, the operation of bridges or toll roads, delivery of water services, public works, or other services, almost all services provided by public-private partnerships are connected through their IT systems. An attack on these systems has the ability to shut down these essential services. Again, the time to understand what can be impacted (and how to respond) is not after your systems have been impacted by an attack.
Last, make certain that you understand the processes that your various departments use to deliver their services. In a catastrophic attack, you might have to implement manual processes to continue to deliver essential services until you get your systems back up and running. Again, these processes should be discussed before an attack takes place.
6. Manual processes
Manual processes are an often overlooked part of cyber preparedness. In the event of a catastrophic attack, manual processes might need to be implemented to operate a facility, collect revenue or provide other services. While these manual processes should be part of any well-developed business continuity plan, like the plan, these manual processes should be tested from time to time. Many times, paper forms or other documents will need to be created and should be done before an event happens. This is especially important for employees who have never had to use paper documents and manual processes before.
7. Back-up, Back-up, Back-up
Perhaps the greatest resilience tool a public-private partnership can have is to have adequate, safe and secure backups of its data. In the event of a major cyber-attack or ransomware attack, the ability to quickly and safely restore data will be the difference between being down for a few hours or down for weeks (or worse). Backups should be housed off-site in a secure facility.
I have seen backups that have been infected in attacks, as well as backup plans that are not comprehensive. In the event of an attack, both will severely limit your ability to continue to provide essential services to your constituents.
8. Bonding and Financing Public Private Partnerships
Many public-private partnerships are financed through some type of bonding or other public finance structure. Increasingly, bondholders and rating agencies are asking about the cybersecurity posture of public-private partnerships.
Rating agencies are increasingly aware of the severe impact that a cyber-attack or incident can have on the ability of a borrowing entity to pay back the bonds or other sums borrowed. This increased scrutiny often shows up in the due diligence process and will only get more involved and detailed, thereby making the cybersecurity posture of the partnership and the partners even more important.
9. Cyber Insurance
Last, all public private partnerships should look into cyber insurance and whether it should be a part of its risk mitigation program. Often, cyber insurance can be the difference between a faster and more complete recovery and being down for an extended period of time.
In short, the ability of a public-private partnership to respond to a cyber-attack, as well as its ability to be resilient to an attack in the first place, depends upon proper planning, execution and training.
Public-private partnerships are unique in nature and present some unique challenges. Perhaps the greatest threat is the assumption that someone else is responsible for cybersecurity. It is important for public and private partners to ensure that the services or infrastructure they are creating are properly secured and sufficiently resilient to attacks.
While this discussion is not comprehensive, it does outline basic cyber hygiene for a public-private partnership. As seen by recent events, cybersecurity touches all aspects of public-private partnership services, and should an event happen, the lack of preparedness can have devastating consequences.
As all cybersecurity experts will tell you, the question is not if an attack will hit you, but when.