State spends over $100,000 each year bolstering local governments’ cybersecurity

One employee clicked a scam link in an email, causing Brown County — the state’s fourth largest county — to shut down most of its computer network for over a week during the summer of 2021.

While 911 services were able to continue operating, offices were stalled for months because the county’s computer network had to restore lost information over the next three months — ceasing email communications or database access for many departments. Residents couldn’t close on houses or order new tags for their vehicles for weeks, said Pat Wolberg, Brown County IT director.

The northeastern South Dakota county, which includes Aberdeen, was a victim of a cybersecurity attack, which is an attempt from a third party to steal, expose, alter, disable or destroy information in a system without authorized access.

While no sensitive information was revealed to the hacker, such as financial information or personnel social security numbers, some information, while not vital, was never recovered, said County Commissioner Duane Sutton.

Cybersecurity efforts that could have prevented the cyberattack didn’t have proper funding, Wolberg said. When he first started about a year before the county’s cyberattack, servers were antiquated and hadn’t been updated in years. Several computers didn’t have adequate antivirus software.

“When I started putting antivirus on stuff, we had so many computers flagged with malware,” Wolberg said. “It’s amazing we didn’t get hacked before this.”

Brown County isn’t the only local South Dakota government to be cyberattacked in recent years.

The city of Sioux Falls sent two electronic payments to someone impersonating a vendor in 2018. No one has been charged for the fraud. Hutchinson County was hit by a ransomware attack in 2019, which shut down accounts that contained receipts and records for $4 million in county business, according to the Yankton Daily Press & Dakotan.

The state attorney general’s Consumer Protection branch has recorded 385 data breaches for businesses and governments since 2018, based on a state law that requires entities to report a data breach if it affects more than 250 consumers.

South Dakota local governments have paid “thousands or even hundreds of thousands of dollars to remediate the risk” to their IT networks, according to the South Dakota Public Assurance Alliance. Institutions that hold valuable personal information are usually the largest targets for cybersecurity threats — hospitals, financial institutions and local governments.

“Unfortunately, the local governments are the ones with the least amount of resources,” said Dave Pfeifle, the alliance’s executive director.

The South Dakota Legislature approved funding for Project Boundary Fence in 2020, which assists county and city governments to secure their network security through a partnership with Dakota State University. The assessments are free for local governments. Consumer settlement funds are used to fund the project.

Wolberg connected with DSU shortly after the 2021 Brown County cyberattack. The county has not been reassessed since.

The Consumer Protection branch spent about $468,000 in the program’s first three years, according to Tony Mangan, spokesman for the Attorney General’s Office. The cost was renewed in 2022 for another three years at just over $156,000 each year.

The program has served over 100 South Dakota cities and counties, said Ashley Podhradsky, vice president of research and economic development at DSU. South Dakota has over 500 local governments.

“We’ve helped mitigate what could have been some serious cybersecurity incidents in South Dakota. I’m proud of that,” Podhradsky said.

Project Boundary Fence is led by Arica Kulm, director of digital forensics services, with several DSU students working on assessments as well. The lab runs three-week assessments for local governments through the state partnership.

External assessments include lab workers attempting to infiltrate the government’s network from the outside. DSU students will even impersonate IT interns to check the physical building security. Often, students are able to “get pretty high access to things they probably shouldn’t,” Kulm said.

“User training is the biggest part of security,” Kulm said, “Just being aware of not clicking on emails you’re not supposed to, not accepting downloads you’re not supposed to, and not letting people into your building you’re not supposed to.”

Internal assessments include lab workers testing a network’s security from the inside, searching “as if someone fell for a phishing email” to see what hackers have access to once they’re in the network.

Insecure passwords are one of the biggest risks for clients, Kulm added. Employees sometimes use default passwords that are easily found online or use simple passwords that are easy to crack. During one assessment, Kulm said workers found a file labeled “passwords” in the system, and another assessment found that a system was sending out massive amounts of spam unknown to the system users.

“On one, there was a default password used, so we were able to get in and watch recorded videos that were law enforcement sensitive and should not have been able to be accessed,” Kulm said.

Email is the most common way bad actors gain access to a network, and comprises 90% of the overall risk, according to Pfeifle.

Each county selects its own email platform and server — ranging from Yahoo to state email addresses. Pfeifle hopes to see the Legislature approve funding for a centralized email system for all South Dakota local governments during the 2023 session, which would “eliminate most of the risk.”

The centralized email system would mirror the state’s K-12 Data Center. The 1999 centralized email system gave local school districts and their teachers, administrators and students a standardized email with data backup. The annual operating cost for the system is slightly over $1 million for the center’s 130,000 users, Pfeifle said.

As for DSU, Kulm said Project Boundary Fence requires continued support in the coming years.

“You don’t just do an assessment and think you’re done and secure,” Kulm said. “We need to just keep testing and checking. It’s no different than your house; you don’t keep your garage door open when you leave, you lock your door and windows. You lock things and protect yourself.”