Marin County Civil Grand Jury Report Recommends Formation of Cybersecurity Joint Powers Authority

Marin County Civil Grand Jury Report Recommends Formation of Cybersecurity Joint Powers Authority

In a recent report titled “Cyber Preparedness: Are We There Yet?”, the Marin County Civil Grand Jury has recommended that county supervisors consider forming a cybersecurity joint powers authority. This recommendation comes as a follow-up to the panel’s 2020 report, “Cyberattacks: A Growing Threat to Marin Government.”

The 2020 report revealed that from July 2017 through August 2018, Marin County experienced at least five cyberattacks. While the first four attacks resulted in security breaches but no data theft, the fifth attack led to the county’s finance office wiring $309,000 to a hacker’s bank accounts. Despite recovering $63,000, the county suffered a loss of $246,000.

The new report indicates that Marin’s 11 municipalities have implemented or are in the process of implementing over 90% of the cybersecurity best practices recommended in the 2020 report. These practices include managing mobile devices, automated malware detection, monitoring systems, utilizing expert resources, and firewalls.

Since the previous report, none of the municipalities have reported any severe cyberattacks requiring public disclosure. However, the grand jury discovered two cyberattacks reported by other public agencies, which did not result in any significant loss of data or money.

Liza Massey, Marin County’s chief information officer, acknowledged one breach caused by an employee’s actions, emphasizing that most breaches are due to human error.

The grand jury highlighted the increasing sophistication of cyberattacks globally, citing a rise in malware attacks and ransomware incidents. It also noted that cybercriminals target public sector websites due to outdated technology and security measures.

Following the 2020 report, Marin County established the Marin Security and Privacy Council (MSPC) to provide cybersecurity information and best practices to municipalities, nonprofits, and private organizations. The MSPC, in collaboration with the county’s Department of Information Services and Technology, distributes monthly security awareness newsletters and alert notifications on active cyber threats.

Despite these efforts, the grand jury found that many municipalities and agencies were unaware of the security newsletter and the MSPC’s existence. As a result, the grand jury recommends creating a cybersecurity joint powers authority to enhance cyber preparedness and acquire perimeter defense protection systems.

Additionally, the grand jury suggests hiring three new county employees to strengthen cybersecurity, including one to assist with cybersecurity awareness and training, and two system-engineering positions to conduct security risk assessments and implement cybersecurity solutions for public agencies in Marin.

The report underscores the importance of mandating business continuity plans in contracts with third-party IT service providers to ensure quick recovery in the event of a cyberattack or natural disaster. It also highlights the lack of language related to business continuity plans in the county’s contracts with third-party service providers.

The report coincides with MarinHealth Medical Center’s recovery from a ransomware attack on one of its vendors, Change Healthcare, which affected over 5,700 U.S. hospitals. While patient care was not compromised, the attack disrupted cash flow, prompting MarinHealth to consider utilizing an interest-free loan offered by Optum, Change Healthcare’s parent company.

As cybersecurity threats continue to evolve, the grand jury’s recommendations aim to strengthen Marin County’s defenses against cyberattacks and safeguard sensitive data and resources.