Santa Barbara County Grand Jury
• 2020-2021
Cybersecurity for Special Districts and County Service Areas in Santa Barbara County
Findings and Recommendations (1 finding)
F1
The Santa Barbara County Board of Supervisors has oversight over all dependent special districts and community service areas and their respective cybersecurity operations.
Related Recommendations (1)
R1
That the Santa Barbara County Board of Supervisors review and adopt, as appropriate, the “Best Practices” listed in the report for its dependent special districts and community service areas.
Conclusions 2
- CL1 The Santa Barbara County Board of Supervisors has oversight over all dependent special districts and community service areas and their respective cybersecurity operations.
- CL2 The Jury determined that it is important to keep this critical issue before the public; it now addresses this concern in more general terms to the County’s many special districts and service areas. It is the Jury’s hope that these agencies will become more fully aware of cyber-threats and will take all necessary measures to protect their confidential data. Like all other government and business entities, special districts and service areas are vulnerable to cyber-attacks. Given its concern over the unfortunate increase in serious intrusions by criminal groups or individuals into data systems maintained by these governmental agencies and major publicly owned companies, the 2021 Santa Barbara County Grand Jury reminds all special districts in the County that they too potentially are targets for such criminal activity. The Jury has suggested several "Best Practices" that those agencies should consider incorporating into their cyber-security programs. This would help protect them from unwanted intrusions, possible public disclosure of personal information, and having to pay ransoms. Although the Jury assumes that many districts have implemented many of these and other cyber-measures, some may not have done so, or have failed to test in a timely manner and upgrade existing protections to counter the increasingly sophisticated techniques employed by hackers. Although the Jury did not interview representatives from all special districts, it is hoped they will review and adopt, as appropriate, the “Best Practices” listed in the report for their respective special districts. It is suggested that the districts take such remedial action as may be needed to safeguard their confidential personal, financial, and operational data against cyber-attacks to the greatest extent possible within their ability to do so.
2021 Santa Barbara County Grand Jury
FINDINGS and RECOMMENDATIONS
Finding 1
The Santa Barbara County Board of Supervisors has oversight over all dependent special districts and community service areas and their respective cybersecurity operations.
Recommendation 1
That the Santa Barbara County Board of Supervisors review and adopt, as appropriate, the “Best Practices” listed in the report for its dependent special districts and community service areas.
REQUEST FOR RESPONSE
Pursuant to California Penal Code Section 933 and 933.05, the Santa Barbara County Grand Jury requests each entity or individual named below to respond to the enumerated findings and recommendations within the specified statutory time limit:
Responses to Findings shall be either:
- Agree
- Disagree wholly
- Disagree partially with an explanation
Responses to Recommendations shall be one of the following:
- Has been implemented, with brief summary of implementation actions taken
- Will be implemented, with an implementation schedule
- Requires further analysis, with analysis completion date of no more than six months after the issuance of the report
- Will not be implemented, with an explanation of why
Santa Barbara County Board of Supervisors – 90 days
Findings: 1
Recommendation: 1
Note: A courtesy copy of this Report is being sent to all special districts within Santa Barbara County.
APPENDIX I
Independent Special Districts Within Santa Barbara County
- Cachuma Resource Conservation District
- Carpinteria Cemetery District
- Carpinteria Sanitary District
- Carpinteria/Summerland Fire Protection District
- Carpinteria Valley Water District
- Casmalia Community Services District
- Cuyama Basin Water District
- Cuyama Community Services District
- Cuyama Valley Recreation and Park District
- Embarcadero Municipal Improvement District
- Goleta Cemetery District
- Goleta Sanitary District
- Goleta Water District
- Goleta West Sanitary District
- Guadalupe Cemetery District
- Isla Vista Recreation and Park District
- Isla Vista Community Services District
- Lompoc Cemetery District
- Lompoc Valley Medical Center (Health Care District)
- Los Alamos Cemetery District
- Los Alamos Community Services District
- Los Olivos Community Services District
- Mission Hills Community Services District
- Montecito Fire Protection District
- Montecito Sanitary District
- Montecito Water District
- Oak Hill Cemetery District
- Mosquito and Vector Management District of Santa Barbara County
- San Antonio Basin Water District
- Santa Barbara County Fire Protection District
- Santa Maria Public Airport District
- Santa Maria Cemetery District
- Santa Maria Valley Water Conservation District
- Santa Rita Hills Community Services District
- Santa Ynez Community Services District
- Santa Ynez River Water Conservation District
- Santa Ynez River Water Conservation District, Improvement District #1
- Summerland Sanitary District
- Vandenberg Village Community Services District
APPENDIX II
Dependent Special Districts Within Santa Barbara County
- Guadalupe Lighting District
- Laguna County Sanitation District
- Mission Canyon Lighting District
- North County Lighting District
- Santa Barbara County Flood Control & Water Conservation District
- Santa Barbara County Water Agency
- Santa Barbara Metropolitan Transit District
APPENDIX III
County Service Areas Within Santa Barbara County
- County Service Area No. 3 (Goleta Valley)
- County Service Area No. 4 (North Lompoc)
- County Service Area No. 5 (Orcutt)
- County Service Area No. 11 (Carpinteria Valley)
- County Service Area No. 12 (Mission Canyon)
- County Service Area No. 31 (Isla Vista)
- County Service Area No. 32 (Unincorporated police services)
- County Service Area No. 41 (Rancho Santa Rita)
Observations 1
- OB1 While there appear to have been no known successful cyberattacks of special districts within Santa Barbara County, the Jury learned that an extensive number of cyber incursions have been attempted in the United States, often with success. These intrusions severely disrupted governmental and private company operations, costing billions of dollars in ransom payments, system repairs, and additional defensive measures. Following a 2021 White House meeting [6] on the problem and in an effort to meet the challenge, Microsoft announced it is allocating $150 million for cybersecurity technical services to assist Federal, State, and local government agencies. In addition, it has committed to invest $20 billion over a period of five years to develop improved cybersecurity programs. Google has committed to spend $10 billion for that same purpose, and major corporations like Amazon and IBM will be greatly increasing their investment in employee training programs.
How Can Special Districts Protect Themselves?
The Jury has neither the staff nor the technical expertise to analyze the cyber-readiness of the special districts or to suggest specific defenses to cyberattacks. That work should be done by expert consultants and security firms devoted to such activities.
[4] https://www.comparitech.com/blog/information-security/ransomware-attacks-hospitals-data/
[5] Medicis v. Ally Bank, Case No.7:27-CV-06799 (U.S.D.C., So. Dist. N.Y., 2021)
The Jury offers a list of “Best Practices” based upon the sources consulted:
BEST PRACTICES
- Create "strong" passwords and change them often, or at least periodically
- Install and regularly update "encryption" software
- Install and regularly update "firewall" software (intrusion detection systems)
- Update computer systems as necessary
- Install and regularly update virus protection software
- Secure data by limiting access
- Safely dispose of all unwanted documents
- Limit remote internet access to the extent possible
- Limit physical access to system equipment (access cards, ID cards, etc.)
- Wipe data from equipment to be disposed of
- Monitor employee use of all systems
- Periodically test security measures and immediately remediate weaknesses
- Report to the appropriate internal security all malfunctions, anomalies or any other "out-of-ordinary" events no matter how insignificant they may appear to be
- Conduct training for all employees periodically on security policies and procedures, certify attendance, and teach staff how to prevent, detect, contain, and eliminate breaches
- Hire an outside security consulting firm to conduct a "risk analysis" at least annually and consider the possibility of pooling resources with other special districts to hire such expertise
- Consider adequate cybersecurity insurance and the possibility of creating or joining an existing insurance pool to reduce premium cost
- Create and securely maintain back-up data separate from the “live” system
- Create a comprehensive Security Policy Manual to centralize information in one place and make it accessible to all staff
- Classify and prioritize all district hardware, software, devices, data, etc. in accordance with their critical nature
- Adopt easy to follow protocols for detecting and reporting known or suspected incursions and explain the exact duties and responsibilities of different staff levels in case an incident occurs
- Create and maintain a current incident log designed to immediately document, analyze, and catalog incursions and explain how best to respond
- Immediately eliminate all access to data systems and emails upon an employee’s departure
[6] "Biden Presses CEO'S to Boost Cyber Security," Wall Street Journal, August 28, 2021, p.4A.