The Honorable Barry R. Finegold, Senate Chair
The Honorable Linda Dean Campbell, House Chair
Joint Committee on Advanced Information Technology, the Internet and Cybersecurity
State House, Boston

Dear Chair Finegold, Chair Campbell and Distinguished Committee Members,

On behalf of the cities and towns of the Commonwealth, the Massachusetts Municipal Association appreciates this opportunity to highlight the importance of cybersecurity and cyber resilience to local governments in every corner of the state.

Background – Cities and Towns are Uniquely Vulnerable

Cyberattacks are impacting all aspects of our society, including individuals, businesses, and every level of government. While there have been a number of memorable attacks against state agencies and private entities, the unfortunate reality is that cities and towns appear to be the prime targets of many bad actors, with recent studies indicating that local governments are the subject of 45% of ransomware attacks, with a lopsided number of those targeting medium-sized and smaller communities.

This disproportionate targeting of municipalities is likely due to two central factors. First, local governments deliver essential services, including public safety and emergency response, K-12 education, drinking water and wastewater infrastructure, management of vital records, economic development and environmental permitting, and elections administration. The disruption of these services has an outsized impact on the public, increasing the pressure to immediately restore corrupted and disabled IT systems, and cybercriminals wish to capitalize on this sensitivity. Second, municipalities have very limited financial resources and thus are usually reliant on aging IT systems and equipment. With Proposition 2½ tightly capping local revenues, local leaders have a limited ability to fund the modernization of IT hardware and software that they desire. Since Proposition 2½ mandates a zero-sum budget balancing dynamic, if communities want to rapidly scale up IT investments, they must implement cuts in other valuable and prized services.

The Importance of Our State-Local Cybersecurity Partnership

Because cyberattacks present a clear threat to the quality of life in our communities and municipal funding capacity is capped by state law, local officials are deeply grateful that cybersecurity and resilience is a major priority for the Legislature and the Baker-Polito Administration. The establishment of your Committee is an example of your commitment to building a strong and cyber-secure future for the Commonwealth, and we look forward to working with you to marshal enhanced focus and action on this critical issue.

MassCyberCenter – The creation of the MassCyberCenter in 2017 was a stroke of genius, as this agency has been a vital partner with cities and towns, serving as a deeply trusted source of expertise, resources and first-rate training. The agency convenes municipal IT officials in multiple ways and settings, including next month’s statewide summit, monthly briefings, regular trainings and table-top sessions, interdisciplinary workgroups, and much more. MassCyberCenter’s toolbox includes sophisticated resource guides, recommended baseline standards for municipalities, and top-shelf advice on how to implement these standards and enhance the platforms and systems needed to protect against a growing number of attacks.

Office of Municipal and School Technology – Also working hand-in-glove with cities and towns, the Office of Municipal and School Technology (OMST) in the Executive Office of Technology Services and Security is a trusted partner as well. The OMST provides technical expertise, free cybersecurity health checks for local agencies, and cyber awareness grants, and works to promote cybersecurity best practices with funding available through the Community Compact program.

Operational Services Division Statewide Contract – The Commonwealth’s statewide contract for goods and services is a powerful way to save cities and towns time and resources in identifying qualified vendors for highly technical and skilled services. The OSD’s new ITS78 Data and Cybersecurity Statewide Contract prequalifies vendors that cities and towns can contract with for vital support, including early-stage planning, risk assessments, testing and readiness services, and swift incident response actions.

An Interlocal Partnership for Cities and Towns through the MMA and MIIA – The MMA has been doing its part as well, primarily through our nonprofit member-governed affiliate, the Massachusetts Interlocal Insurance Association (MIIA). This unique local government risk management program has worked with a national firm to bring coverages and risk management expertise to Massachusetts. MIIA offers premium discounts (through our MIIA Rewards program) to communities that attend MIIA’s (and the MassCyberCenter’s) risk management training and webinars, provides grants of up to $10,000 for member communities to use in implementing the MassCyberCenter’s municipal baseline standards, provides bulletins and best-practice alerts and materials to our member communities, offers risk management assessments, incident response planning and free phishing testing for municipal employees, works with members on recovery strategies if an attack occurs, and more.

The Need to Scale Existing Partnerships and Avoid Unaffordable Mandates

In spite of all these resources and excellent programs, the task ahead of local government is massive. Cyberattacks are increasing, the availability of coverage from national and international re-insurers is sharply constricting, and local resources are capped by state law. Communities have significant investments to make — our 351 cities and towns cover a broad spectrum, from tiny rural communities, to mid-sized suburbs, to large economic engines that act as regional service centers. They operate fragmented IT systems, many built to serve a specific set of activities, including public works, public safety, public education, public finance and public utilities. It is safe to say that communities cannot fund the needed investments in hardware, software and training on their own.

In preparation for this hearing, the Committee shared a series of questions for stakeholders to address and, in particular, the MMA wishes to address the first query (“How can we empower local governments to bolster their cybersecurity? Should local governments be required to adopt a minimum baseline of cyber standards and data backup processes?”).

The MMA’s response to the notion of a state mandate is clear and unequivocal. Such a mandate would be unaffordable, unenforceable, and impossible to implement as a one-size-fits-all requirement, given the limits to municipal budgets and funding capacity due to Proposition 2½, the extreme variation in municipal IT capacity, and the hundreds, if not thousands, of municipal platforms that exist.

The vastly preferred approach is a scaled-up local-state collaboration, which is the direction that the Legislature, the MassCyberCenter and the Administration are clearly following, thankfully. Here are some ideas for moving forward on that path:

The MMA recommends that the Legislature expand and scale up the successes achieved so far here in Massachusetts:

1. We recommend that the Commonwealth prepare to leverage and augment the $15.7 million for cybersecurity and resilience that may come to Massachusetts in the sweeping federal infrastructure bill passed by the U.S. Senate and pending in the House. This will be a perfect time to make significant state budget investments in IT training, planning, incident response and recovery, as well as providing bond-backed capital funding for hardware and software upgrades in municipalities.

2. As the Commonwealth examines the use of its multibillion-dollar direct aid from the American Rescue Plan Act, the state should consider using a portion of its ARPA funding to invest in resilient IT infrastructure for water and sewer departments and other allowable areas consistent with U.S. Treasury guidelines, so that our critical infrastructure is better protected from cyberattacks.

3. We recommend that the Commonwealth significantly increase funding to the MassCyberCenter and the Office of Municipal and School Technology, so that their resources for planning, training and implementation of robust cybersecurity can meet the full need that exists among cities, towns and other local governmental districts.

4. As the Commonwealth pursues other promising initiatives, such as multi-party consortiums to offer advanced-level training and support that would benefit cities and towns, the MMA asks that you include local government in these consortiums as equal partners, instead of as mere consumers, so that municipal leaders are included in shaping the products, setting priorities and making decisions.

5. Finally, we look forward to working with you and your Committee to examine other aspects of Massachusetts public policy that will influence our cyber future and enhance our resiliency. For example, we hope to work with you to review the public records act to make certain that municipal assessments, test results, planning documents, vulnerability surveys, ransomware coverages and other sensitive information can be appropriately shielded from cybercriminals and bad actors. As communities examine their vulnerabilities and develop plans to protect public property, data and IT systems from attacks, we hope to make certain that this information is adequately protected.

Summary

We thank you for this opportunity to offer observations, input and recommendations to strengthen cybersecurity and resilience at the municipal level and for all of Massachusetts. Cities and towns have been the targets of cybercriminals, which means that cybercriminals are targeting residents and taxpayers across the Commonwealth. The MMA and local officials everywhere look forward to working with you to build on and scale up the successful initiatives and partnerships that will provide security and protection for our cities, towns, and taxpayers.

Sincerely,

Geoffrey C. Beckwith
MMA Executive Director & CEO
