Government IT systems and data are attractive targets for cyber criminals, so the City of Anacortes is taking steps to make sure its systems are secure from cyberattack.

At the city’s request, internet technology experts from the State Auditor’s Office audited the city’s IT systems, completing the audit in October.

Results were shared with the city but are not being released to the public, according to auditors, because “the public distribution of tests performed and test results could increase the risk to the City.”

Michael Hjermstad, assistant audit manager of the State Auditor’s Office, reviewed the audit Monday with the City Council. Much of what he shared is in the audit report:

Auditors assessed the city’s IT security policies, procedures and practices “against selected leading practices in this area to identify any improvements that could make them stronger.”

Auditors gave city management the test results, then conducted selected follow-up testing “to determine if they had successfully mitigated weaknesses we identified.”

According to the report: “We found that, while the City’s IT policies and practices partially align with industry leading practices, there are areas where improvements can be made. The City of Anacortes has already addressed significant issues we identified, and is continuing to make improvements.”

The report recommended the city “continue remediating identified gaps.”

According to the State Auditor’s Office, municipal concerns about the potential for cyberattacks are well founded.

Since 2016, six government organizations in Washington state have reported data breaches to the state attorney general. Multiple state and local governments have reported cyber-related incidents, including frauds, to the state auditor.

Since 2017, the United Kingdom’s National Health Service, the cities of Atlanta and Baltimore, Garfield County in Utah, and 22 municipalities in Texas have been attacked with ransomware “that crippled or disrupted their operations,” according to the State Auditor’s Office.

Attacked governments are often placed in the difficult position of either failing to deliver core services or paying an expensive ransom to the attackers, the auditor said.

Hjermstad said municipalities have a support network on their side, but should be careful how they react to a hack.

“We’ve heard stories of people who have tried to track (hackers) down by hacking back,” Hjermstad said. “That is not the job of individuals or local government. It’s the job of the Department of Homeland Security and the FBI.”

Those agencies, as well as the state Attorney General’s Office, have investigative arms that can help, he said.

He recommended cities have a response plan so employees know what to do after a hack. For example, don’t turn a hacked computer off; in doing so, evidence could be lost that authorities could use “to track back to the bad actor and hopefully make an arrest.”

Hjermstad’s advice: “Leave your computer running but isolate it from the network.”

City Council members Matt Miller and Ryan Walters recommended the city have regular performance audits; Walters recommended the city explore external cybersecurity monitoring.
