EXCLUSIVE - Defending the City of LA’s cyberspace through an integrated, partnership-driven approach
As cities get more and more connected, they are becoming more exposed, more vulnerable to cyberthreats. A cyberattack can cripple a city’s infrastructure, causing enormous damage. Hence, cybersecurity will be critical to successfully building the smart cities of the future.
OpenGov had the opportunity to speak to Mr. Timothy Lee, the Chief Information Security Officer (CISO) of the City of Los Angeles (LA). He is the first CISO for the city government, appointed to the post in September 2014. Previously, he was the CISO for the Port of LA for nearly 14 years.
LA is the second largest city in the United States, with a population of around 4 million and infrastructure supporting those residents. The city has the world’s sixth busiest airport (LAX) and America’s largest container port, the Port of LA. In addition, LA has a high-profile police department, the LAPD. Full-time city employees number 48,000. Mr. Lee is responsible for ensuring the cybersecurity of this extensive domain.
Top cybersecurity concerns for the City
Mr. Lee listed four major areas of concern for the City at the moment: ransomware, targeted social engineering, coordinated attacks and advanced persistent threats (APTs). These threaten critical assets, some of whose control systems were not designed with cybersecurity in mind.
Human error contributes to around 95% of cybersecurity breaches, so human security is the most important issue. The City of LA has a layered approach to tackling threats like targeted social engineering and spear phishing.
The first layer is the scanning of email for malicious content before it reaches the user. A certain percentage of ransomware attacks get past the email scan, so there is a second layer in the form of awareness training or education programmes to teach users not to open these malicious emails.
About 30% of users still open these malicious emails, which is why end-point security, the third layer, is needed. For end-point security, the City of LA follows two approaches. One is traditional anti-virus, which is signature-based. Signature-based anti-virus software is not effective at detecting zero-day threats (a zero-day threat is one that exploits a previously unknown computer security vulnerability). Around 40 ransomware attacks were stopped last year, of which around 10 were zero-day. So, to deal with these, there is a need for data- and behaviour-based end-point detection and response.
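Mr. Lee’s distinction between signature-based anti-virus and behaviour-based end-point detection, shown with a small added example that is not code from the article or from the City of LA: a hash blocklist catches only the previously seen sample, while a rate-based rule on mass file renames also flags the unknown (zero-day) process. All hashes, telemetry events and thresholds are constructed for illustration.

```python
"""Signature-based vs behaviour-based endpoint detection over constructed telemetry."""
from collections import defaultdict

# Constructed blocklist: hash of a previously seen ransomware sample (not a real indicator).
KNOWN_BAD_HASHES = {"0000aaaa" * 8}

# Constructed endpoint telemetry: (timestamp_seconds, pid, process_hash, action, path).
# pid 101 is a known sample, pid 202 is an unknown (zero-day) sample, pid 303 is benign.
EVENTS = (
    [(0.0, 101, "0000aaaa" * 8, "exec", r"C:\Users\a\Downloads\invoice.exe"),
     (1.0, 202, "ffff1111" * 8, "exec", r"C:\Users\b\Downloads\resume.exe"),
     (2.0, 303, "12345678" * 8, "exec", r"C:\Program Files\Word\word.exe")]
    + [(2.0 + i * 0.05, 202, "ffff1111" * 8, "rename",
        rf"C:\Users\b\Documents\f{i}.docx.locked") for i in range(60)]
    + [(5.0 + i, 303, "12345678" * 8, "write",
        rf"C:\Users\b\Documents\report{i}.docx") for i in range(3)]
)


def signature_hits(events):
    """Traditional anti-virus: flag executed processes whose hash is on the blocklist."""
    return {pid for _, pid, h, action, _ in events if action == "exec" and h in KNOWN_BAD_HASHES}


def behaviour_hits(events, window=10.0, min_renames=50):
    """Behaviour rule: a process renaming at least `min_renames` files within any
    `window`-second span looks like mass encryption, whatever its hash."""
    renames = defaultdict(list)
    for ts, pid, _, action, _ in events:
        if action == "rename":
            renames[pid].append(ts)
    flagged = set()
    for pid, stamps in renames.items():
        stamps.sort()
        oldest = 0  # sliding window over sorted timestamps
        for i, t in enumerate(stamps):
            while stamps[oldest] < t - window:
                oldest += 1
            if i - oldest + 1 >= min_renames:
                flagged.add(pid)
                break
    return flagged


def detect(events):
    """Show which layer caught what: the zero-day sample appears only under the behaviour rule."""
    sig, beh = signature_hits(events), behaviour_hits(events)
    return {"signature_only": sig - beh, "behaviour_only": beh - sig, "both": sig & beh}
```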
Setting up an Integrated Security Operations Centre (ISOC)
When Mr. Lee joined, the city had 40 departments, and each department had its own IT and its own security teams. The entire city had four major SOCs.
The problem was silos. There was no single dashboard or metric that could provide a picture of the cybersecurity posture.
“So, if the executive office wanted to know what’s going on in the city in the cybersecurity area, there was no way we could tell right away. That was the challenge,” Mr. Lee said.
Mr. Lee proposed a design for an integrated SOC. He said that the philosophy behind it was drawn from Sun Tzu’s classic text, the Art of War, which says that to win battles, you need to know yourself and you need to know your enemies.
How can that concept be applied to cybersecurity? ‘To know yourself’ means situational awareness here. ‘Know your enemies’ is accomplished by threat intelligence sharing.
Principally funded by the FY 2013 Urban Area Security Initiative Grant, the ISOC is housed in the offices of the LAPD Real Time Analysis and Critical Response (RACR) unit.
The ISOC was designed with two clear objectives. “One is to provide real-time situational awareness dashboard to our stakeholders, so that they know what’s going on in the city as a whole. The second is to share the threat intelligence among stakeholders so that we can use that intelligence for prevention and detection,” Mr. Lee explained.
So, the ISOC is a single platform onto which citywide security events are aggregated and translated into two things: the real-time cybersecurity dashboard and the threat intelligence sharing. The electronic dashboards can be viewed in person at the ISOC or remotely from any computer on the City’s network.
The ISOC has two major categories of stakeholders, internal and external. Internal stakeholders include the police department, the LAPD. External stakeholders are federal partners such as the FBI and the Secret Service. The City also subscribes to third-party threat intelligence. All this information is collected into the ISOC platform, translated into the situational awareness dashboard and then shared.
Mr. Lee said, “The ISOC is a platform for not just collecting information. We also provide the information back to our stakeholders.”
When the ISOC was started, around 3 million citywide security events were being fed in per week. Today around 1 billion security records are added per day for correlation and extraction to the threat intelligence dashboard.
Mr. Lee gave a few examples of the effectiveness of ISOC, “Last year, we blocked about 40 ransomware attacks through ISOC. Right now, on an average, we are blocking 8 million intrusion attempts per day. In 2016, we stopped about 49,000 botnets.”
The ISOC also discovered threats that were targeted at the finance sector. That information was shared with financial institutions through the City’s federal law enforcement partners.
Current initiatives – Cybersecurity awareness, Critical asset protection and Cyber Lab
Mr. Lee talked about three programmes, which build on the integrated SOC. The first, a short-term initiative, is to conduct a citywide security awareness campaign. All city employees will have to complete a mandatory cybersecurity awareness training.
Another initiative, a mid-term one, is critical asset protection. The critical digital assets will be identified and using the NIST cybersecurity framework, strategies will be built to Protect, Detect, Respond, and Recover from cyberattacks for each of them.
The third initiative was the launch of the LA Cyber Lab, announced on August 16, 2017. Mr. Lee described the Cyber Lab as a prevention-focused public-private partnership in the area of cybersecurity.
“From the public side, we have the city government and the federal government, law enforcement, and also institutes of higher education. From the private side, we have two major stakeholders, the LA business community and the security vendors or security solution providers,” Mr. Lee said.
The City is facilitating this collaboration. A three-phase approach is being adopted. The first phase is about threat intelligence sharing. Cybersecurity threat intelligence will be shared with LA business communities and also residents. The lab will share threat information and indicators of compromise (IOCs) with members for prevention and detection of attacks. Members can also receive automated IOC updates into their own cyber defence systems. There is no cost or obligation of membership.
We asked Mr. Lee if the City would go beyond intelligence sharing and help the business community to tackle the threats. He replied that the businesses have their own IT and security teams. But the City government can be a bridge between business and law enforcement. If an LA business suffers a cybersecurity incident and needs help from federal or local law enforcement, the City government can provide the required communication channel.
Earlier, businesses didn’t know whom to call, especially with the many different agencies dealing with cybersecurity issues. For instance, Homeland Security has a cybersecurity team, there is US-CERT, the FBI has a cyber division and so on. In this scenario, the City government can serve as a single point of contact and help businesses communicate with law enforcement in responding to critical cyber incidents.
In Phase 2, there will be mutual threat intelligence sharing between the security companies and federal and local law enforcement through machine-to-machine communication.
In Phase 3, the goal is to turn the Cyber Lab into an innovation incubator. From the private side, solution providers can use the Cyber Lab to introduce and test new technologies. At the same time, higher educational institutions would be able to use the Cyber Lab as a platform to conduct research. Students can obtain hands-on experience of cyberattacks and cyber defence, thereby helping train the next generation of cybersecurity professionals.