What Planners and Public Sector Agencies Need to Know About Cybersecurity
With millions across the country now working remotely to curb the spread of COVID-19, cybersecurity and data protection issues are top of mind for just about everyone. Phishing attacks have increased. The term "Zoom bombing" has entered the lexicon. What should planners do to make sure their agency's data and communications are safe?
Listen in as APA's Jo Peña talks with Nupur Gunjan, a public sector analyst at Cisco. Nupur is a trained planner who transitioned to the tech world after working for the City of Austin, Texas. Her experience with local planning and tech uniquely positions her to share advice with communities who are using online engagement tools. The two focus on what planners need to know about data protection and online public engagement right now, but also what they can do to protect their communities in the future.
[00:00:06.960] Jo Peña: Welcome to the APA podcast. I'm Jo Peña, research associate at APA. In response to COVID-19, a significant amount of planning-related activities have shifted into virtual space. This unprecedented change has encouraged agencies to explore different tools to connect with residents, businesses, and other entities, all while practicing social distancing. Simultaneously, planners in their communities are facing a myriad of challenges such as legal requirements related to online public engagement, data privacy, and cybersecurity while encouraging equitable access to all community members. Joining us today is Nupur Gunjan, a public sector analyst at Cisco. Nupur is a trained planner who transitioned to the tech world after working for the City of Austin, Texas. Her experience with local planning and tech uniquely positions her to share advice with communities who are using online engagement strategies. Today, we'll be focusing on what planners need to know at the intersection of data protection, online public engagement, and planning. Nupur, thank you for joining us today.
[00:01:09.880] Nupur Gunjan: Thank you for having me.
[00:01:11.810] JP: For our first question, we would like to know what are the responsibilities of a public sector analyst as they relate to online public meetings, data protection, and cybersecurity.
[00:01:22.920] NG: So as a public sector analyst, I see myself as being a bridge between the technical capabilities that Cisco has to offer and what are the needs of our customers. And most of our customers in global public sector are local and state government agencies. So making sure that what we are offering, the way we are offering, and the language that we are using is aligned to the needs and the mission of that particular agency. Now, that includes analyzing a bunch of policies, regulations — data residency, data sovereignty are a few to name. Researching cyber breach incidences that are happening around the world and making sure that my team knows what's happening in public sector and what people are talking about. And these were mostly pre-COVID. Since COVID, online public meetings is something that has become a core part of our discussion. And that's, like, the new area of research that we are starting, and we are, we are hopeful that we'll have an end-to-end solution for our public sector customers.
[00:02:31.350] JP: How does your research overlap with online engagement and data protection during COVID-19?
[00:02:37.380] NG: Yeah, so pre-COVID-19, data protection — data protection has always been a core conversation, especially in my organization. Everything has to be secure. Security is a big part of it. And before, we would talk about online engagement. We would talk about remote working. But it was not the central theme of the needs of our customer. With COVID-19, remote working is the only thing that everybody wants to talk about because without that, you can't, can't continue your government operations. So I would say mid- to late February this year, we were talking a little bit about what's going to happen if you have to shut down your offices and everything. March — first week and second week of March — it was just so rapid. We had to have conversations with our customers. We had to have conversations with our CS [customer service] representatives who have long-term relationships with these customers and come up with solutions and talk to other partners beyond just Cisco to see how we can help cities and counties around, around the country and around the world to keep their lights on. And adding to that, I think a lot — as I said, a big part of my work is to research policies and regulations. A lot of states, including California, had regulations in place like the Brown Act. That makes it really hard to have a virtual public meeting or even attend a meeting virtually. But with Governor Newsom, with his executive order, he actually allowed cities and counties to go out and purchase capabilities to have virtual meetings. And that's kind of a tricky situation because cities before COVID didn't have to think about these capabilities, and now they're being asked to just magically overnight have this capability. So a lot of my research goes into how can we help cities and counties to make the right decision and how can we offer the best technical capabilities for their specific need.
[00:04:43.680] JP: How can planners play a role in ensuring that appropriate data protection protocols are being implemented in their communities?
[00:04:50.710] NG: Yeah, so if you are a planner, if you are a manager, if you are a supervisor and you have people reporting to you, I think the best thing you can do is educate yourself and educate your team around phishing attacks, around malware attacks, around all sorts of security threats that, that can be in your computer. Talos is a great resource that Cisco has where a bunch of researchers are specifically looking at COVID-19-related attacks. Cities and small government agencies have always been attacked by these bad actors, but with COVID-19, the attacks have just doubled and tripled in last few weeks, and we don't see anyt— we don't see them going down anytime soon. So educate yourself and your team. Second thing I would say: have a strategy. Partner with your CIO team, partner with the CTO's office, partner with the IT department and have a strategy, if not for a citywide strategy but at least for your own agencies. So, for example, if you don't have a strategy [for] what to use for remote working, people might use whatever comes on their screen. It can be a free, free subscription. It can be a free way to connect to other people. And these are the places where you are most vulnerable to an attack. Because A, government agencies were not equipped with security protocols to work remote. So you are already more vulnerable. And then you are using free applications with— without the knowledge and the suggestions of your CIO, CTO, or IT director's office. You are making yourself more vulnerable. The last thing I would say is it's less about data protection, more about public access, and that would be reaching out to your community. These are the times where, when our people, when our community want to talk to their city officials, where they want to be heard by their elected leaders. 
So if you are a city or a, or a county who are conducting a virtual public meeting, give them different channels to come and connect and testify, whether it's a phone number, whether via text, via email, via Facebook, or via some kind of virtual meeting, WebEx, Zoom, Google Hangout. There are a bunch of options there. So talk to your CIO's office, talk to your IT people, and come up with a strategy and just let people have that channel.
[00:07:32.820] JP: What is the most significant change that impacts public sector data protection and public access in the past few weeks?
[00:07:40.250] NG: So in Governor Newsom's executive order, he talked about, no matter what you do, make sure you are maximizing transparency and providing public access. Our cities and local governments are already doing so much to keep the communities safe. But when you are going virtual, when you are going remote without prior experience at this scale, I think it's very important to again have different channels for people to come in and be able to talk to their city officials, talk to their, talk to their elected leaders. So that's first thing about public access. Now, how do you do that? You can't just give different channels and expect that nobody is going to hack it. "Zoom bombing" has become, like, a new [term] that a lot of people are hearing about it, and it's just sad because Zoom has become a household name, but Zoom bombing has also become a household name. You don't want that in a, in a local government setting. So as I said, cities have always been targeted, so here are a few things that I would say you can do again. Talk to your IT department. Come up with a strategy. Ask them what their recommendation will be. A lot of time, cities would have already bought something from a particular vendor, and these vendors might be able to give you more security products at a lower, at a lower price. These — and these security products might work together if they come from a same vendor. There might be products that better work if they come from different vendors. Talk to your IT people. They know this — these things. But until now, they, they have not been given that platform to come and interact with them. Make IT department your friend [laughs]. That's what I would say. The next thing is talk about cyber insurance. Now, cyber insurance usually covers some kind of attacks if it happens in a government sector. For example, Baltimore and Atlanta were attacked last year and there was a ransomware attack, right. 
So most of the insurance will be able to talk about what kind of risk exposure that is. With COVID-19 and COVID-19-specific attacks, we don't know what the risk exposure is going to be because again, going back to my point, we have never worked remote at this scale before. We have, we have never been in a situation like this. So that will be another space, as a planner, as a city official, that you want to know. Because these are the questions that people will ask you later on. What did you do with this? What was your strategy? Another thing is, know that you are going to be a potential target. I work for Cisco. It's a company based on security, based on connectivity. I have some two or three different protocols that I go through in order to send an email or get connected. So ask about end-to-end encryption. And I'm going to go a little techie here, but ask about end-to-end encryption. Ask about dual authentication. Ask these questions because you need to know this because you might be the person or you might click something that might lead to an organization-wide attack. And the worst part of all this — there was a study done in 2018 that suggested that most organizations don't even know that they have been attacked for around 180, 190 days. And why that's bad, because, because the longer you don't know that there has been a breach, the longer the attackers have the time to go into your system and [gain] access to that information. So it's similar to coronavirus, right? If you know early, you can contain early. If you don't know, then, then it can have a really bad impact. So, yeah, so ask questions, learn stuff. Ask about end-to-end encryption. Ask about dual authentication. Learn this tech language and make IT department your new friend.
[00:11:43.490] JP: What online and data protection challenges do you anticipate communities will face as social-distancing measures remain in effect?
[00:11:50.830] NG: So we already talked about public participation and not having enough channels to let everybody participate. But there's another part of public participation [and] that is digital divide among students, among communities that has surfaced back. I personally don't work with the education industry, but I have colleagues and people in the industry who have been trying to work with cities and counties to bridge the digital-divide gap. And this has been on the agenda for almost all the cities, I would say. Any city that has a digital-divide problem, that has an Internet-access problem. But because of COVID-19, now that every school is virtual, you can see this problem surfacing and getting the, getting the attention that it needed. California recently talked about how Google is going to provide some sort of Wi-Fi hotspots in some neighborhoods and in some communities — which is great. I personally really appreciate that effort. But that's not a solution. It, it's a problem that we knew has always been there. It's only now that [it's] surfacing. And I feel like COVID-19, post-COVID-19 era, we should look at this problem and we should try to solve it at a bigger scale with the help of states, cities, and counties. I do see a silver lining though, and that silver lining is mostly around remote-working capabilities for government sector. Because before COVID-19, we didn't have the strategy or the technical capabilities and now you're getting those capabilities. So I think people should take notes and reflect back post-COVID-19 and see how we can include remote working in a regular government agency. Because what it does is it allows people to work if they're sick. It allows people to work if you have to take care of your parent or if you have to take care of the kids. And that flexibility of remote working is there in most of the private-sector world. 
It, it is less in the government sector, and that can be something that is an added value to all our city staff and county staff and agency staff who were — who are working tirelessly today to keep these communities safe.
[00:14:17.770] JP: So what are the differences in how communities of different sizes will address data protection concerns? We have a variety of communities that look to APA for feedback, and so there might be different capabilities in smaller towns versus bigger cities.
[00:14:34.970] NG: Yeah, so I think no matter how small or big your community is, you need to ask security questions. You need to ask what kind of security products do we have. Now, usually the IT department will ask this question, but now the impact of not asking this questions or not having the right kind of security products for your community is beyond IT. It goes beyond, beyond your organization. It goes through a community. I'll take an example of Bulgaria, the country. Their tax department was hacked last year, and almost an entire nation's personal data was up for grabs. And it might be that the IT department didn't ask the question or they didn't have the right security products or didn't have the right security protocol. But the impact of not having that was, was on everybody in that country. And you don't want to be in that situation, whether you are a small city or whether you are a large city. Now, that being said, what can be done? If you're a planner, if you're a community member, talk to communities like yours in the same area. Bring together, form a coalition, and then go talk to your state. The state of Colorado is another great example. They have a smart-city alliance, where a bunch of cities came together and they said, "We will work together as an entity and work towards all the smart city solutions." And this was pre-COVID. We can do similar things when it comes to data protection and cybersecurity. The federal government has put aside some budget for their IT Modernization Act [Modernizing Government Technology Act]. More states have their own digital transformation plans. Look at those plans. See if there is something for your community. And if there is nothing, then you go talk to them. So ask the right questions, come together, build a coalition, and be aware of what's happening in the world, because cyber attacks are one thing that does not look at what the geography of your community is. 
The same attacker can be attacking in the UK, can be attacking in, in Wisconsin, can be attacking in, in my home city, San José, and can be attacking in India. So we need to come together no matter where you are and build a coalition and go forward.
[00:16:58.630] JP: What are some steps that planners can take to protect community systems while using virtual meeting tools? Earlier you mentioned that "Zoom bombing" is becoming more of a household term. So surely there are some actions that we can take to prevent those sorts of intrusions on public meetings or any sort of meeting.
[00:17:17.020] NG: Yeah, so I guess — first thing will be, again, talk to your IT department. Ask them what would be the best product for your agency. If you don't have that or if you haven't done that, see if you have an existing relationship with a vendor who might have some kind of similar products for virtual meetings. If you don't have that and if you are going to use a free subscription, let's say, or, or something that's, that's easily available online, do not share your meeting links publicly. If it's not a public meeting, you don't have to share public links. For public meetings, there's a different kind of solution that will be more webinar-like, where you will have a host who will control who can come and join and who can't. But if it's just a meeting within your, within your agency, email that link. If it's password protected, better. But email that link. If you are using Office 365, if you are using Outlook, if you are using Gmail, there [is] some security built in your email that will protect that link. That way, you can, you can make sure that nobody outside your organization has that link. Now, that's something that you can do on your part. From an IT perspective, what you can do is ask them about security protocols. Ask them can you have authentication. Ask them if there is a — what we use is called AnyConnect. Ask if there is a way to have a secure connection to the server. These things, again, sound a little more techie, but we are in a virtual world, virtual workspace kind of a situation right now. And it's good to know [this] tech language because quite frankly, we are interacting with tech all day long; you better be safe and you better learn this language. And it makes you sound smart. The IT department will appreciate that you know these languages and you're talking to them in a language that they appreciate.
[00:19:15.140] JP: How do you think that these circumstances will impact planning practice moving forward?
[00:19:21.560] NG: So I don't know if you've heard, but literally every single person who is an expert in this industry will tell you there is no going back to what was life as usual before COVID-19. Same goes for the planning profession as well. It's going to be a pre-COVID-19 era and a post-COVID-19 era. My suggestion for now will be, keep notes. If you are a supervisor, I'm sure you are having difficulty in people management because it's very different when you're managing people when they are working remotely. So keep notes. Take down what [is] working for you, what is not working for you. And once you are in the post-COVID-19 era, reflect back. That'll be super beneficial in just understanding how can we use all our learnings from these difficult times and give a positive spin and allow your employees to work remotely if they need to be. If there is a disaster that happens, how can you immediately go back into COVID-19 era and keep the business continuity of the government agencies? So those are some of the housekeeping things on a very high level. But if you have to dig deeper, I think COVID-19 is highlighting some of the gaps in our society, in our communities, that we all knew always existed. Public participation is one. Public participation has become even more difficult now. So use this opportunity to learn about technology that can help expand public participation, not just from someone coming into city hall and talking to their mayor and councilmember, but someone who is sitting at home or is at a workplace or is at school can dial in and be able to get their two minutes of time. ... We talked a little bit about digital divide. Again, another thing that has surfaced around. When you are planning, when you are writing your comprehensive or a general plan, talk about Internet as a fundamental right. Talk about Internet how we talk about transit. 
Because without Internet, people who don't have Internet, people who don't have a laptop right now are not able to, to do their business, are not able to do their work, are not able to do their homework. So I think Internet connectivity, security, should become part of our vocabulary as planners, as we talk about housing, transit, equality. So that will be my two cents. Definitely I think there will be so much learning that will come out of these experiences from local government, from counties, from state agencies. And I think having a game plan. How do we capture that when we get out of this COVID-19 situation and [into] that post-COVID-19 era? How can we capture that and share that? That will be another beautiful way of just sharing how one city dealt with one problem differently than the other. And there are startups who are allowing you to do that. UrbanLeap is a startup that I'm familiar with who are, who have started a platform where CIOs and city managers can come together. It's a vendor-free zone, so you don't have to worry about anybody trying to pitch you something. And all they're doing is just sharing information. And it's beautiful because this is the time where you learn from each other.
[00:22:47.020] JP: What are some data protection regulations that planners should be aware of? There are maybe more local regulations that might impact planning practice, but what are some of the broader regulations that apply to most people in the U.S.?
[00:23:03.970] NG: Yeah, so [the] U.S. in general is likely behind when it comes to data regulation than when you compare it to European countries. But in general some of the concepts that I would say we should all be aware of will be data residency, data sovereignty. Data residency, simply put, talks about if you and I are talking right now and if you are recording this, this has to go through a server. Now, if you have a data residency law in your state or in your country, it would say that you cannot take this information to a server in Asia. You have to keep all this information and all this bandwidth and data traffic that's happening in our call right now within the geographic location of the country. So that's data residency. Simply put, it is so that nobody else can breach your data in a different country, and then it's difficult to regulate that. The next concept is data sovereignty. What it means is information that have been converted and stored in a digital form in a particular country is subject to the laws and regulation of the country that it's located in. So if you and I are talking here and say someone stored this data traffic in [the] UK, the UK laws might apply to that stored data. Now, it might be a little confusing between residency and sovereignty. So the reason why these data exists because we all talk about moving to [the] cloud. Federal government and state governments have new laws where they are moving to [the] cloud. But you also have data centers. So all the data that is collected moves through different data centers, and data centers can be placed anywhere in the world. And that's why data residency and data sovereignty laws are so important to know, because if something happens in the future, who is going to regulate that? Who is — who are you going to blame? Because that's something that we see a lot, right. It's, it's a new world. Internet is new. We don't know how to regulate. We don't know how to work around it. 
So these concepts will help you at minimum to understand who can be blamed and what laws can be applied to.
[00:25:37.880] JP: Where can listeners go to learn more about your work?
[00:25:41.420] NG: So if you want to learn about all things cybersecurity and what are the new cyber threats, I would go to Talos. That is t-a-l-o-s. It's a group of highly intelligent people who are keeping track of new, new malware attacks, new cyber threats, what are the new ways people are, are attacking different agencies. And it's not limited to government agencies. If you run a small planning firm and if you are in any way connected to the government, you can also be possible, you can also be at a possible risk. So it's just a great, a great place to look for what's new. Currently, they have some blog posts that talk about COVID-19-specific cyber breaches. Other than that, if you want to learn more about Cisco and what Cisco is doing in COVID-19 pandemic and some of the products that we have related to collaboration, security, you can go to Cisco dot com slash COVID-19 [www.cisco.com/c/m/en_us/covid19.html]. Chuck Robbins, our CEO, talked about privacy as a fundamental human right and how we need security and transparency to protect it. And I think that talks about the organization that I'm part of and what we're trying to achieve here, specially for public sector. There's, there's a ton of information on Cisco's public sector blog. You can look for hashtag one public sector [#onepublicsector] on LinkedIn, and there are different blogs that we talked about, what we're doing for state government, for local, for transportation, different governments pre-COVID-19 and now and what, what are some of our plans for post-COVID-19 as we move forward.
[00:27:30.640] JP: Nupur, thank you so much for joining us and sharing your expertise with us. It's been really helpful to listen to your perspectives on what planners can do in order to promote data protection, online engagement. And so thank you so much.
[00:27:45.280] NG: Thank you for having me. It was great to share my acquired knowledge of the last few years with the planning community. I think as planners we are so versatile, and learning a little bit about cybersecurity and laws and regulations around data privacy can empower us, and only then we can empower our communities that we work for. So I'm happy to share what I know.