STATETECH: What were the issues you had to address with a mitigation plan?
HUBER: On the whole, the assessment did validate our program, but we had several areas that needed to be addressed, in varying degrees of criticality. We already had several projects underway to reduce risk in the county, and the assessment allowed us to add to the list, then prioritize what needed to be done in what order. The priority of work became less urgent when the convention went virtual.
STATETECH: What about your mitigation strategy?
HUBER: We received the assessment report in April. We immediately focused on critical issues, but generally you have to pick and choose your battles about where to start — resolving a specific issue quickly, or something such as deploying an enterprise tool correctly, which can take longer but gives us more bang for our buck. Then, there’s low-hanging fruit. I like to get a couple of quick wins with something like this. It demonstrates to people that we can take care of this, and usually there will be some items on the list that are not going to be that comprehensive and difficult.
STATETECH: What were the quick wins?
HUBER: Legacy system decommissions. The assessment found that we had some Windows 7 and some other outdated machines on the network, and we shut those down by the time of the convention. We’ve been working on the retirements for more than a year, but we finished them before the DNC, so that’s a win to tell everybody about.
STATETECH: Did the uncertainty about the form and venue of the convention because of the COVID-19 pandemic make it harder to address security issues?
HUBER: The county was more concerned, from a cybersecurity perspective, about the city and the county becoming targets for all the bad actors out there. We host milwaukee.gov, a joint effort that has resources for both the city and the county. Hosting the convention here made the site a prime target. The site is hosted in the cloud, but there were questions about perimeter security and issues like that.
Another concern was how we would be impacted when it comes to phishing or spear-phishing campaigns directed at either all our users or specific users within the organization. How were we going to prevent those attacks and deal with them if they happened?
If you had asked me last fall, I wouldn’t have been as relaxed as I became when the convention went virtual. At that time, I didn’t know what I didn’t know, and we hadn’t received the assessment report yet. Once we got the findings, there were some things I knew we needed to address, but nothing significant. It affirms what we’ve done for our cybersecurity within the county.
STATETECH: What lessons have you learned that will extend beyond the convention and into your day-to-day operations?
HUBER: My experience with the security assessment was really good. One of the lessons was that I’d like to do something like a comprehensive assessment on a more routine basis that would provide a complete validation of our security program. We’re always refining our security operations, but the shadow of the convention put a lot more focus on them. We expanded the use of our tools in the security operations center and we’ve refined our processes as well. We’ve been able to tweak the tools so they give us more information to rely on and enable us to do more with that information.
The assessment also changed our approach to funding. When the convention went virtual, we didn’t have as much urgency to go ask for the cash, but we had a plan in place for how we were going to come up with the funding.
Finally, I think that as a result of the assessment, people across the county organization are more in tune with and more alert to cybersecurity concerns. We’ve been communicating with our security council, which is made up of leaders and managers of 20 different departments, about the findings of the assessment, our response and other cybersecurity topics throughout the county. The assessment has allowed us to bring more awareness of security to the organization. It was an indirect result, but it was an important result. Awareness is the first step in cybersecurity.