After computer shutdown, a Maryland county buys cyber protection. Is that enough?

Dwight A. Weingarten, The Herald-Mail
·9 min read

A holiday cyber attack threw one Western Maryland county for a loop, altering some police operations, slowing down the office of the state’s attorney, and preventing online payments. Other jurisdictions in the state could learn lessons from the holiday hack of Washington County.

“You don’t want to be in a situation where you don’t know what you’re going to do if an incident happens,” said Markus Rauschecker, cybersecurity program director at the University of Maryland’s Center for Health and Homeland Security, an academic nonprofit consulting firm that advises local governments dealing with cyber incidents.

Rauschecker, also a member of the Maryland Cybersecurity Council, a group led by the state’s Attorney General and established by law to improve cybersecurity in Maryland, said each jurisdiction should have a plan, which “outlines the exact roles and responsibilities that every entity has with respect to cyber incident response.”

Months after the Thanksgiving Day incident, Washington County officials have tried to move forward, with the commissioners purchasing a pricey cyber protection system earlier this year, but the question remains: Is the county better prepared today than it was then?

Washington County Board of Commissioners President John Barr did not consent to questions during a break in the July 11 county commissioners meeting. Questions were referred to the county’s public relations department, which responded by email to several questions, including one asking what the county is doing going forward to protect citizens' information.

"Information privacy and security are among the County’s highest priorities," said Danielle Weaver, a county spokeswoman, in an email. "We have strict security measures in place to protect information in our care.

"Upon discovery (of) this incident, we quickly took steps to investigate and respond, including reviewing and enhancing our existing policies and procedures to reduce the likelihood of a similar future event," Weaver said. "Washington County continues to review and enhance our cybersecurity posture by implementing additional safeguards."

Those safeguards were not indicated in the email response from the county's public relations department.

Maryland Gov. Wes Moore, right, attaches a lapel pin presented to him by Washington County Commissioners President John Barr, left, during the governor's visit Wednesday to Eastern Elementary School.
Maryland Gov. Wes Moore, right, attaches a lapel pin presented to him by Washington County Commissioners President John Barr, left, during the governor's visit Wednesday to Eastern Elementary School.

More: Washington County cybersecurity issue impacts some functions: What we know

Local, state, and federal entities change tactics, respond to cyber incidents

Cyber incidents are nothing new in the Old Line State. The government of Baltimore, the state’s most populous city, was hacked and data held for ransom in 2019.

(The city’s then-mayor took a stand, vowing not to pay the criminals and rallied hundreds of other mayors across the country to make the same pledge. While the city did not pay hackers, over $5 million was paid in response to remediate and secure systems, which needed upgrades.)

What is newer in the state is how multiple levels of government are starting to respond to threats. In 2020, a small Eastern Shore county got hacked, which led to bringing in the Maryland National Guard and federal support, including U.S. Department of Defense cyber experts.

More: How will Maryland get tough on cyber security? Sen. Cardin aims to help small businesses

All the while, Congress was coordinating its response to defend the nation, as was a congressionally mandated cyber-focused commission that met for months to create a plan. A piece of that coordination and plan was a $1 billion State and Local Cybersecurity Grant Program designed to help state and local governments improve defenses over four years.

In this file photo, Sen. Angus King, I-Maine, walks to the Senate chamber on Capitol Hill in Washington, Tuesday, Jan. 21, 2020. King co-chaired the Cyberspace Solarium Commission, a congressionally mandated commission designed to defend the nation against cyber attacks.
In this file photo, Sen. Angus King, I-Maine, walks to the Senate chamber on Capitol Hill in Washington, Tuesday, Jan. 21, 2020. King co-chaired the Cyberspace Solarium Commission, a congressionally mandated commission designed to defend the nation against cyber attacks.

The funds, included in the Infrastructure Investment and Jobs Act, also known as the Bipartisan Infrastructure Law of 2021, had a specific focus on improving systems in smaller settings.

“There’s a big push there to provide resources and support to more rural jurisdictions,” said Rauschecker, of the federally funded State and Local Cybersecurity Grant Program announced last September. For states and localities to receive the federal funding going forward, a plan must be submitted by the state to the U.S. Department of Homeland Security by September 30.

Maryland’s Acting Chief Information Security Officer (CISO) John Bruns, who started his role earlier this year, has a part in approving the state’s plan before its submission to the Department of Homeland Security, according to the federal website that lists a state’s CISO as an approver.

Barr, the Washington County commissioners president, did not respond to a message seeking a request for comment on whether Washington County requested the funding last year.

County government purchases cyber monitoring system. Is it enough?

In April, the county approved a more than quarter-million-dollar per year cyber intrusion detection and monitoring system. The company responsible for administering the four-year contract was not listed on the county commissioners April 18 agenda nor was it specified in the meeting.

“Now we just need to keep on top of it,” said Commissioner Randall Wagner to the county’s division director of information systems during the April meeting, “No more incidents I hope.”

Commissioner Wayne Keefer seconded Wagner’s approval of the contract, and the five county commissioners passed the item unanimously. No additional questions were asked at the public meeting about the $227,512.75 per year cyber contract paid for from reserve funding.

Weaver said in an email, the county "cannot disclose its security measures." She did indicate the county had cyber insurance at the time of the November incident and costs for "the full economic impact for remediation is still to be determined as certain ancillary remediation efforts remain ongoing."

Two of the commissioners, including Derek Harvey and the commissioners' president, Barr, were sworn in less than two weeks after the cyber incident. Both were elected in November, two weeks before the cyber incident occurred.

But while the purchase of a cyber monitoring system may be necessary, the member of the Maryland Cybersecurity Council indicates that it is not in and of itself sufficient for security and safety.

“The key really is planning,” Rauschecker said. “Cybersecurity is not just a technical issue.”

How the sheriff’s department kept operation continuing, sans computers

Nearly eight months after the cyber incident, the county sheriff’s department is still not fully recovered from what happened in November.

Emergency services used some creativity to keep operations continuing.

Washington County Sheriff Brian Albert estimated his department has recovered about 90% from cybersecurity issues. It’s hard to say how much of what’s left is tied to last November's incident and how much is related to recent issues Microsoft is having, said Albert, in a phone interview on Thursday.

Weaver, the county spokeswoman, said, "As of December 12, 2022, the vast majority of internal and public systems were operational. The last affected online service was restored by January 18, 2023."

When the cybersecurity incident happened in November, Albert was still in charge of the county’s 911 dispatch center and not yet sworn in as sheriff.

For a few weeks, dispatchers reverted to an old-school system involving cards on a board to keep track of which units, such as ambulances and firetrucks, were already out on a call, Albert said. At most it added seconds, as dispatchers would normally click a button on the computer. But soon it became as quick as using the computers, he said.

U.S. Rep. David Trone, D-6th, left, and Washington County Sheriff Brian Albert walk through the atrium of the Washington County Public Safety Training Center during Trone's visit to the facility on Thursday.
U.S. Rep. David Trone, D-6th, left, and Washington County Sheriff Brian Albert walk through the atrium of the Washington County Public Safety Training Center during Trone's visit to the facility on Thursday.

This workaround is an example of continuity of operations planning, Rauschecker said. It should take place at all agencies in advance, whether it’s directed from an elected official or not, he said.

As for the sheriff’s department, Albert said the incident didn’t slow responses to active calls but it slowed some paperwork. If it typically took a deputy 30 minutes to do a report, instead it might have taken an hour because deputies were learning a different process, he said.

The county’s only city had a quicker return to its normal police operations after the incident.

Hagerstown Police Chief Paul Kifer said the affected systems returned to working in about two weeks.

The incident prevented dispatch messages from popping up on computer screens in police vehicles, but that information was available via the unaffected radio system, said Kifer in a phone interview Thursday.

Officers temporarily used a workaround to write reports. It took a little extra work when the regular report system came back online as officers had to enter information from reports during the workaround period, Kifer said.

The Hagerstown city administrator said at the time no “functionality” was lost and communications continued despite the county’s systems being impaired and unavailable.

More: State’s ‘top cop’ receives recognition from law enforcement leaders, governor

Moving forward and the state's Information Sharing and Analysis Center

Last year, one month before the Washington County hack, the state’s Department of Information Technology and then-Chief Information Security Officer Charles Stewart approved guidance for local governments responding to a cyber incident. Mandated reporting to the state for local governments is laid out in the document with specific scenarios where reporting is required.

“Depending on the nature and severity of the incident the (state's) Department of Information Technology’s Office of Security Management will work with the county government to address the incident,” said the department’s Chief of Staff Patrick Mulford in an email.

Over three quarters (18) of the state’s 24 jurisdictions are now a part of the Maryland Information Sharing and Analysis Center, a cyber-focused center started in 2021, designed to deter attacks, he said.

No indication was given which of the state’s five counties do not participate in the center, strengthened by a state law in 2022. Washington County did not indicate its participation either and a request for comment to Weaver, the county spokeswoman, was unanswered.

Rauschecker said governments should be “as transparent about (an) incident as they can be.”

“At some point once (an) investigation has been concluded by the government,” he said, “hopefully there’ll be even more details in terms of what exactly happened, what data may or may not have been affected, and then citizens can take a more specific look at whatever information of theirs might have been affected.”

This way, residents can monitor their accounts, ensuring protection against fraud, he said.

“Citizens could kind of demand of their governments,” said the softspoken Rauschecker, “or ask, at least, their governments to do everything that they can do to protect sensitive information.”

More: Maryland Department of Human Services, Johns Hopkins University affected by data breach

Dwight A. Weingarten is an investigative reporter, covering the Maryland State House and state issues. He can be reached at dweingarten@gannett.com or on Twitter at @DwightWeingart2.

Julie E. Greene, a news reporter for The Herald-Mail, contributed reporting to this article.

This article originally appeared on The Herald-Mail: Western Maryland county buys cyber protection. Is that enough?