The online realm of government-run “.gov” websites is vast, confusing—and sometimes crucial to modern democracy. On this episode, we venture into that wild landscape and we discuss government cybersecurity in New Hampshire.
NOTE: This transcript was generated automatically and may contain errors.
Ben Henry: [00:00:00] So to start out, will you just tell me what happened on that morning of June 28?
Sara Ernst: [00:00:05] It was around 5:00 a.m. and an employee of the sheriff's department in Strafford County noticed they couldn't open the files on their computer. And then some other employees, they couldn't use their computers either. So they called their I.T. guy, Paul Kopreski. It was still the crack of dawn. They woke him up. And what he discovered when he got there was that the files on these computers had been encrypted.
Ben Henry: [00:00:31] And Paul probably figured out pretty quickly what was going on. Right. That this was not Windows being finicky.
Sara Ernst: [00:00:37] Yeah. Somebody had gotten into their computer system and they locked up those files. They had been hacked.
Ben Henry: [00:00:44] That was Sara Ernst. She's a reporter in NHPR's newsroom. I'm Ben Henry and this is Civics 101: New Hampshire. Strafford County is just one of the many local governments around the country that have recently been hacked. So today on the show, we're going to talk not just about hacking, but the whole digital infrastructure of governments, the often overlooked world of dot gov Web sites. And the thing is, 20 years ago, almost none of those Web sites existed. So before we get into how Strafford County dealt with their hacking incidents, I want to go back and understand that that 20 year process. I talked to a city manager named Elizabeth Dragon who was working for Franklin, New Hampshire, about a decade ago.
Elizabeth Dragon: [00:01:26] When I arrived, their Web site was very unusable. It was out of date. People were saying, you know, this isn't updated or where do I find this? And and when people can't get the answers they want, they call the city manager.
Ben Henry: [00:01:39] She said on Mondays after city council would have a meeting. She and her staff would get a bunch of calls asking for the minutes. And so they would have to photocopy the minutes for these people.
Elizabeth Dragon: [00:01:49] People would have to come in and then there's a charge per page in the whole thing. And I thought she's there's gotta be an easier way to do this.
Ben Henry: [00:01:56] And of course, there was an easier way. The easier way was to put those documents online, which would save everyone a lot of time. But also probably if the minutes are easier to find online, more people would read them.
Elizabeth Dragon: [00:02:08] So we went through a very extensive process to start from scratch. And it took months and months and months.
Ben Henry: [00:02:15] They did have to take a chunk out of the city's budget. And what they did with that is they overhauled the whole Web site. So nowadays on the new Web site, you can get those minutes emailed to you automatically and for free.
Ben Henry: [00:02:28] The reason I was interested in this is Franklin was one little part of this big national movement that was going on around the same time around the early to mid 2000s. What was happening is piece by piece. Local and state and the federal government were all moving their operations online.
Ben Henry: [00:02:55] The government tends to lag a little bit behind like the private sector and the general public when it comes to adopting technology. But by now in 2019, I have yet to find a New Hampshire town that doesn't have any online presence whatsoever. However, it's not like the state of New Hampshire ever required towns and cities to make these Web sites or told them what to put on there exactly. So you have some cities that have these really robust and functional Web sites and you have other places where not so much. But the basic set of things that you'll find on a town Web site are like a place to make payments of a town and a place to see things like minutes from public meetings. So Elizabeth is now the city manager of Keene, and Keene is one of those cities that has a much more robust Web sites. Can you give me a tour?
Elizabeth Dragon: [00:03:45] Sure. You'll see that we have at the top links to our different social media accounts, as well as a place for someone to click if they're trying to make a payment. Or you could subscribe to parking information, whatever your interests might be.
Ben Henry: [00:04:03] They have an interactive map where you can see all the parks and trails in the city. They have this app where you can take a photo of something and send it along with your location straight to public works and say, Hey, will you please fix this?
Ben Henry: [00:04:15] So Elizabeth actually pulled up a map for me of all these little issues that people had sent in.
Elizabeth Dragon: [00:04:21] Some potholes, a bike path issue, a park issue at goose pond drainage issue at Baker Street. Streetlight issue, probably there's a light out. When it's done is it's made it easy for the public to let us know of an issue.
Ben Henry: [00:04:36] One thing Elizabeth is really into is transparency. So tons of documents from any given town are technically public. But if you want to see them, usually you have to go to the town office. You have to know what to ask for. You might have to have someone physically rifle through a filing cabinet. Keene has been moving lots of records online. For example, this one was by popular demand. Restaurant inspections.
Elizabeth Dragon: [00:05:01] I mean, hey, if you go into a place and you want to eat there, you might want to know what the inspection report says and like, OK, we have to find a way to sort of make this available to people so that they don't have to call us and say, hey, I want to go to this restaurant. When's the last time it's been inspected?
Ben Henry: [00:05:20] I guess if you're someone who reads Yelp reviews before you go out to eat. This is like one step up from that. But still, among the most popular users of the Web site is for people to see minutes from different meetings, especially when there is some kind of hot button issue in city politics. They can see the traffic on their Web site go up.
[00:05:38] There's always a hot topic or often, you know, a lot of these meetings. There's not a lot of people that show up. And I get it. You know, we understand people are working. They have families, their kids are in sports trying to find ways that they can engage with us when it's more convenient for them. So they can go back and look at it. They can actually see it unfold and hear the conversation. I think that's important.
Ben Henry: [00:06:07] So Strafford County, just like Keene and Franklin, has its own computer system. And when they were hacked, Sara, you covered it for NHPR's newsroom. So what were they worried would happen?
Sara Ernst: [00:06:21] Well, the county stores a ton of sensitive data that hackers might want. They've got bank account info for their employees. They have medical records from the nursing home and criminal records from the jail. And to keep all that stuff safe, they had to shut it all down, literally unplugging their computers from the wall. And they went back to pen and paper for a lot of the things they normally use computers for.
Ben Henry: [00:06:45] Yeah. I feel like as I've been reporting the story, I've kind of been realizing that we're in a moment now where we've kind of finished this big process to put all these local governments online. But now we're in a moment where we are realizing that that also created some vulnerabilities for us.
Sara Ernst: [00:07:04] Yeah, you have to hire security experts. You have to keep your system up to date and it takes money to do it.
Ben Henry: [00:07:13] We've been talking about these town and county governments so far, but the state of New Hampshire also runs this even larger family of Web sites, which are all kind of centered around NH dot gov.
Sara Ernst: [00:07:25] Yeah, I am a big fan of the Gen Court Web site.
Ben Henry: [00:07:28] Oh, yeah. So I went back and tried to see like the earliest archives I could find of NH.gov. And it was a fun little trip back through the history of web design. The earliest kind of stored archive I found was from 2002. And it's cool to see how this kind of branching family of Web sites just expanded and expanded over the years. I visited the state agency that oversees this little empire of Web sites. It's the Department of Information Technology or DOIT. And I talked to the director. His name is Dennis Goulet.
Ben Henry: [00:08:02] First of all, do you guys go by do-it ever?
Dennis Goulet: [00:08:05] Some people do that. Yeah. I'm not a big fan of that. But then we won't. We won't.
Ben Henry: [00:08:09] So DOIT is part of the executive branch and they're sort of like the tech support for all the other state agencies,.
Dennis Goulet: [00:08:16] Everything from the keeping the email running, making sure people have the right technology on their desks so they can get their jobs done.
Ben Henry: [00:08:23] If you go to a state liquor store and you pay with a credit card, the deal Whitey is responsible for the card reader and also for handling that banking information and sending it to a bank. So Dennis and his staff are in charge of a ton of really sensitive citizen information and they're responsible for keeping that stuff safe.
Dennis Goulet: [00:08:43] The bad guys are getting really smart at making emails look like they came from from somewhere. And the classic things we're seeing now and phishing.
Ben Henry: [00:08:51] If you picture the whole family of state Web sites and email servers as like one big government building, which is how I picture it, the DIY, he built a fence around that building to keep out unwanted visitors. It's more it's really like multiple rows of fences.
Dennis Goulet: [00:09:06] We're turning away millions of attacks per month. Are those numbers kicking around somewhere that I could see. No. OK.
Ben Henry: [00:09:14] Actually. So the answer was yes after he talked to a lawyer. The department catches anywhere between 10 and 50 million potential attacks every single month. So these can be like a scam e-mail or a suspicious logon attempt. Most of those, almost all of them are automatically blocked by those layers of fences. DOIT says that it has to manually block less than 100 attacks in a typical month. So you might think, you know, New Hampshire is a small state. Nobody's trying to hack New Hampshire. You would be wrong to think that these attempts can come from organized crime or from individual random hackers. They can come from foreign governments or from right here in the states. And, of course, if you've been watching the news, you've already heard about all of this kind of thing.
Archival: [00:10:00] Columbia County, where Lake City agreed to pay nearly $500000 ransom, half a million dollars to the hacker behind this month's malware attack ... Told you how the hack shut down nearly all government e-mail systems and landlines. Baltimore was hit two weeks ago by ransomware, freezing thousands of city computers. More than 20 local governments in Texas have been hit by a coordinated ransomware attack. Atlanta is in recovery mode following one of the worst cyber attacks ever against a U.S. city that crippled the state's capitol.
Ben Henry: [00:10:32] It is still an open question as to whether cyber attacks against state and local governments are actually increasing or for just seems like they are.
Maeve Dion: [00:10:40] And what we can say right now is the media reports of ransomware for state and local governments have increased. But that doesn't mean the actual number has increased because many may not have been reported. It may not have been even recognized.
[00:10:57] So this is Maeve Dion, she is a UNH professor and she's coordinating a new cybersecurity master's degree. If you're like me, you've been typing personal information into government Web sites for years. I am sure it adds up to a lot of information about me.
Maeve Dion: [00:11:12] Well you have your Social Security number. You have your driver's license information. You may have given your passport if you had to use that, relative's information that was provided for for certain reasons. Think about every service that a local government does, right? You've got family and support services. You've probably paid your bill in lots of different financial ways with with your banking information. They may have some of your schooling information.
Ben Henry: [00:11:37] In the big picture. It empowers the government to sometimes provide services more efficiently, more effectively. On the other hand, it's a risk. It's a risk that I personally don't think about very often. There's one room inside of D.O.T.. It's a well-protected. And it's just got banks of computers, of servers. And at any given moment, they are sending and receiving this kind of personal information all over the state. Maybe all over the world.
Maeve Dion: [00:12:03] So it's not like information is in one place where we can lock the door and throw away the key, you know, fixing it. Getting it all patched up. That's that's not ever going to happen because this is an ongoing effort. We will continually have vulnerabilities being discovered.
Ben Henry: [00:12:19] Another complicating factor here is that local governments outsource their I.T. to private companies really often when they can't afford to do it themselves.
Maeve Dion: [00:12:28] And then you're trusting this private sector entity to keep it safe. You may not be thinking about that, though. You may be thinking, I'm just sending this to the government.
Ben Henry: [00:12:36] The same few companies work for lots of towns in New Hampshire. And you can tell us just by kind of paying attention to the logos on the different town Web sites. A company called Civic Plus specializes in government Web design, a company called Interware handles, online payment systems. All this to say. Not only are towns a target for hackers, all these companies that they outsource to, they are also a target. I don't want to pile on the things to be worried about here, but another target that you may not realize is a target is basic infrastructure. So the electric grid and the public water supply. I don't tend to think of these as like electronic services. But the reality is on the engineering side, we just use computers for all kinds of things, like opening a valve or like checking it temperature. And a lot of these computers are in some way connected to the Internet or connected to other computers that are connected to the Internet. So that means that someone can get in from the outside.
Maeve Dion: [00:13:34] As solutions to make our systems more efficient and more effective have risen and been developed. We have added those on in an ad hoc manner to these industrial control systems.
Ben Henry: [00:13:45] Experts I've talked to said hackers could get into these systems and then one day you turn the faucet and nothing comes out or your lights won't turn on. I should say this kind of thing has happened in other countries, but not yet in the U.S.
Maeve Dion: [00:13:58] And that's the thing. How do we know we're safe? How do we know we're safe in society?
Sara Ernst: [00:14:04] I guess the question I keep coming back to is, are we doing enough as a state to prevent hacking?
Ben Henry: [00:14:10] I do, too. And this is the question that's on the mind of like everybody who works in this field. I mean, New Hampshire is pretty robust in our cybersecurity. We definitely adopted this stuff a lot earlier than a lot of states. And one thing Dennis said to me is that every time he has asked for funding for cybersecurity, the legislature has said yes to him. Let's come back to Strafford County and just tell me, was this a ransomware incident?
Sara Ernst: [00:14:36] Well, not quite. You know, they shut everything down so quickly that they never actually received a ransom demand. But they're in the middle investigation right now to figure out what happened.
Ben Henry: [00:14:47] So what was the actual effects of the hack? And was the county ready to kind of deal with this?
Sara Ernst: [00:14:54] Well, so the sheriff's department runs dispatch for all the police departments in the county and losing access to their computers didn't prevent them from doing that. So the 9-1-1 system still worked, but it made life complicated. And overall, the county is prepared for their computers to go down like the county nursing home had a pen and paper records keeping system. And it was all ready to go and the county jail was fine. They had to do some things by hand, but their security systems are totally closed off from the rest of the world.
Ben Henry: [00:15:24] It seems like, all things considered, this could have been worse. And they actually kind of kept this under control in a way.